Native Clients (Android/iOS/..)

First step

• See Standard OIDC Authorization Code Flow (PKCE) for reference.
• See Recommendations for Access token validation for general guidens

Recommendations and no-go’s

• We encourage the use of our SDKs for the integration.
  • More information on our SDKs for both Android and iOS can be found here: TelenorID+ integration using SDK
• A native app is not allowed to use embedded webviews.
  • This violates security requirements since it offers login in an unidentified window (without displaying the domain of the authorization server in a browser.
  • The proof of authorization, which for OAuth is the auhorization code, should be delivered directly to the app code, not via some web application. Use Android App Links or Apple Universal Links to do this in the most secure way.
  • For more information: https://developers.googleblog.com/2021/06/upcoming-security-changes-to-googles-oauth-2.0-authorization-endpoint.html
• To increase the likelihood of getting SSO, the default browser must be used, rather than forcing usage of a specific browser like Chrome. Also, you should use custom tabs for the authentication flow to get a smoother integration.
• A client must maintain a session towards the authorization server using tokens and must notice when it has lost authorization (the tokens have become invalid). This can easily be tested by removing access for the client in the Telenor Digital end user self-service solution at https://manage.telenorid.com/, and checking whether the client is considering the end user logged out.

Authentication Using Client ID and PKCE

Before the /authorization request, the client app will generate the code_verifier, a cryptographically random string using the characters A-Z, a-z, 0-9, and the punctuation characters -._~ (hyphen, period, underscore, and tilde), between 43 and 128 characters long.

The code_verifier is then used to generate the code_challenge. The code_challenge is a BASE64 URL encoded string of the SHA256 hash of the code_verifier.

The code_challenge and the code_challenge_method are sent on the /authorization request along other parameters. The code_verifier is sent on the /token request so the authorization server can verify that the client requesting the tokens are the same that did the /authorization request.

Android

Read Handling Android App Links, and especially Verify Android App Links

TelenorID Plus Android SDK

You configure the SDK with your client credentials and for which environment they are configured, either staging or production.

You need to request access to the GitHub Repository if not already a member of TelenorNorway.

More information: TelenorID SDK - Android

iOS

• Article on Universal links for Android and iOS
• Adding support for universal link on iOS (apple.com)
• TelenorID Plus iOS SDK

You configure the SDK with your client credentials and for which environment they are configured, either staging or production.

You need to request access to the GitHub Repository if not already a member of TelenorNorway.

More information: TelenorID SDK - iOS