May 19, 2011 8:22 AM
#OAuth: How do we secure lightweight enterprise-level mobile Web services?
So two questions if you've been following our #Forr2Legs tags on Twitter:
I've been researching the appeal of lightweight RESTful web services as a potential new component of enterprise SOA, and especially the use of OAuth as a security mechanism for these services. Spurred by my colleague Alex Crumb, I've been using social-media channels to stimulate feedback and discussion -- open-sourcing the project, if you will.
We've been using the hashtag #Forr2Legs on Twitter, riffing off the informal nickname given to OAuth's capability for plain client-server authentication: "two-legged." However, of course, many web services act on behalf of a particular corporate user ("three-legged") rather than executing autonomously.
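As an added illustration (not code from the original post or from Forrester), here is what the "two-legged" case looks like on both sides under OAuth 1.0 with HMAC-SHA1: the client signs with only its consumer key and secret, so the HMAC key ends in a bare "&" where the token secret would go, and the server recomputes the signature and refuses stale or replayed nonces. The host name, consumer key and secret are constructed for the example, and parameters are held in a dict, so duplicate query keys are not modelled.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote


def pct(value):
    # RFC 5849 section 3.6 encoding: everything except unreserved characters is escaped
    return quote(str(value), safe="")

def base_string(method, base_url, params):
    # RFC 5849 section 3.4.1: encode, sort and join every parameter except the signature itself
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])

def sign(method, base_url, params, consumer_secret, token_secret=""):
    # HMAC-SHA1 over the base string; two-legged has no token, so the key ends in a bare "&"
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, base_url, params).encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def two_legged_request(method, base_url, query, consumer_key, consumer_secret, nonce=None, ts=None):
    # Client side: add the oauth_* parameters (no oauth_token) and sign the whole set
    params = dict(query)
    params.update({"oauth_consumer_key": consumer_key, "oauth_signature_method": "HMAC-SHA1",
                   "oauth_timestamp": str(ts or int(time.time())),
                   "oauth_nonce": nonce or secrets.token_hex(8), "oauth_version": "1.0"})
    params["oauth_signature"] = sign(method, base_url, params, consumer_secret)
    return params

class TwoLeggedVerifier:
    # Server side: look up the client's secret, recompute the signature, refuse stale or replayed nonces
    def __init__(self, secrets_by_key, window=300):
        self.secrets_by_key, self.window, self.seen = secrets_by_key, window, set()

    def verify(self, method, base_url, params, now=None):
        now = now or int(time.time())
        secret = self.secrets_by_key.get(params.get("oauth_consumer_key"))
        if secret is None or params.get("oauth_signature_method") != "HMAC-SHA1":
            return False
        try:
            ts = int(params["oauth_timestamp"])
        except (KeyError, ValueError):
            return False
        replay_id = (params["oauth_consumer_key"], params.get("oauth_nonce"), ts)
        if abs(now - ts) > self.window or replay_id in self.seen:
            return False
        if not hmac.compare_digest(sign(method, base_url, params, secret), params.get("oauth_signature", "")):
            return False
        self.seen.add(replay_id)  # remember only after a valid signature, so junk requests cannot fill the set
        return True
```

A real deployment would expire entries in `seen` once they fall outside `window`; the in-memory set keeps the example self-contained.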
One of the Twitter conversation threads made me want to dig more deeply into the phenomenon of mobile apps developed and used exclusively inside the enterprise, such as shop-floor apps optimized for a tablet form factor.
I'm keen to hear about your experiences coming across these lighter-weight patterns in the context of enterprise web services security.
Finally, if you haven't read my blog post from last week, you can find the link here.
The enterprise scenario would probably include needing to integrate mobile web applications with traditional enterprise applications that are protected by Web Access Management products such as Tivoli, CA SiteMinder, Yale CAS, etc. Do any of these products support OAuth? If not, it means that successful integration is probably undoing goodness elsewhere.
Hi James-- Thanks very much for weighing in! You make a good point. How successful can the new methods be if they don't integrate with existing access control?
What I've been finding so far is that those who need a SAML<->OAuth or WS-Trust<->OAuth bridge due to their particular cloud- and/or mobile-driven needs have been building custom ones, or exhorting their current STS/SOA/federation vendors to help out. There's some evidence progress is accelerating on this front. I just saw this note about Deutsche Telekom's new OAuth support in its STS for mobile apps, for example.
(By the way, I think the research report borne of the #Forr2Legs investigation will be published quite soon, so stay tuned... I'll drop a note here when it's out.)
For folks following this post, I just wanted to let you know that the final report is out. Happy reading (if you're so inclined)!