Authentication for Jive 7 and Jive Cloud Mobile with Mobile 3

Version 4

    As of Jive 7.0.0, the Jive Mobile client apps authenticate with OAuth 2.0, with Jive acting as both the Authorization Server and the Resource Server. This change opens up a new way of handling authentication for the mobile app.

    Earlier Implementations and Their Limitations

    Previous versions of Jive (Jive 5 and Mobile 2) used a different OAuth implementation that didn't fully leverage OAuth 2.0. To avoid confusion with the latest OAuth implementation, supported as of Jive 7, we will call this earlier version token-based authentication.

    The token-based authentication implementation in Jive 5 and Mobile 2 had the following drawbacks:

    • Getting an authentication token required users to first log in through the full web UI. This presents an obvious problem for mobile-only users.
    • Although it was used by Mobile, Office, and Outlook, it didn’t use the same development framework as other Jive extensions.

    These limitations have been addressed in the current OAuth implementation for Mobile, which also removes basic authentication as an option; basic authentication has been replaced by OAuth with the username/password grant.

    Options for Authenticating with Mobile Apps

    SAML SSO

    Jive Versions supported: 6.0.3, 7.0.0+ and cloud

    When your Jive instance is configured with SAML SSO, Jive’s Mobile apps will follow the same authentication flow as the regular web UI. Mobile detects whether SAML SSO is enabled by making a call to {instance}/api/version. For example:

    throw 'allowIllegalResourceCall is false.';
    {
      "jiveVersion" : "7.0.0.0 ",
      "jiveCoreVersions" : [ {
        "version" : 2,
        "revision" : 3,
        "uri" : "/api/core/v2",
        "documentation" : "https://developers.jivesoftware.com/api/v3/rest"
      }, {
        "version" : 3,
        "revision" : 4,
        "uri" : "/api/core/v3",
        "documentation" : "https://developers.jivesoftware.com/api/v3/rest"
      } ],
      "instanceURL" : "https://yourcommunity.com",
      "ssoEnabled" : [ "saml" ]
    }

    Configuring SAML SSO with Mobile

    Enabling SAML SSO for Mobile requires very little extra configuration. When configuring Jive to use SAML SSO, no mobile-specific settings are required. However, to make sure the SAML SSO timeout behaves correctly on a mobile device, make sure the auth.lifetime value in Jive is the same as the SAML SSO timeout. If auth.lifetime is shorter than the SAML SSO timeout, the mobile app will ask users to re-authenticate more frequently.

    Standard OAuth

    Jive Versions supported: 7.0.0+ and cloud

    In Jive 7, Jive removed basic auth as an authentication option for mobile apps. Instead, we use OAuth2 with the username/password grant. When users enter a username and password on the mobile device, all subsequent API calls go through OAuth instead of basic auth. This authentication method is much more secure, because the username and password are never stored on the mobile device.

    Configuring Standard OAuth with Mobile

    • 7.0.0.x: Contact Jive to get access to the Jive for iOS and Jive for Android* Add-ons.
    • Jive Cloud and 7.0.1+: Enable the Jive for iOS or Jive for Android* Add-ons. Jive Custom customers whose instances aren’t Internet-connected should contact Jive to get access.

    *Android releasing Q2 2014

    When you have the Jive for iOS or Jive for Android add-on installed through the Jive Add-ons interface, standard OAuth is the default configuration. If you have Community Manager rights or higher, you can use the Add-on settings in the menu under your name or avatar to configure the Mobile Add-on. For example, you can change the Access Token and Refresh Token timeout settings. The default settings are 48 hours for the Access Token and 15 years for the Refresh Token.

    If you also have SAML SSO enabled on the instance, and you prefer to use OAuth rather than SAML for mobile authentication only, please refer to "Forced OAuth for Mobile Only," below. If you want Mobile users to authenticate through SAML SSO, but you prefer different timeout settings for mobile devices, see "Initial Authentication Through SAML Followed by OAuth."

    Activity-Based OAuth

    Jive Versions supported: 7.0.1+ and Cloud

    Note: this option is not available for Jive 7.0.0.x.

    You can choose to extend users' access tokens based on continued activity. By default, users will be required to re-authenticate after 15 minutes of inactivity on the device. This method works like a very basic application lock. You set it up by configuring the Refresh Token to time out earlier than the Access Token: because the Refresh Token has already expired by the time an idle Access Token lapses, the Access Token cannot be silently refreshed and the user has to log in again.

    Configuring Activity-Based OAuth with Mobile

    1. Enable the Jive for iOS or Jive for Android* Add-ons. Jive Custom customers whose instances aren't Internet-connected should contact Jive to get access.
    2. If you have Community Manager rights or higher, use the Add-on settings in the menu under your name or avatar to configure the Mobile Add-on as follows:
    • Set the Access Token and Refresh Token timeout settings to very short intervals. The Refresh Token timeout must be at least 1 minute shorter than the Access Token timeout.
    • Select Automatically extend access token expiration upon activity.

    *Android releasing Q2 2014
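    The inactivity lock described above, as an added simulation that is not Jive's code or part of this page: it models how the Mobile Add-on's Access Token and Refresh Token timeouts interact, using constructed timeout values and request timestamps. The assumption that a silent refresh leaves the Refresh Token's expiry unchanged is mine, not something the page states.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class MobileTokenConfig:
    """Mobile Add-on timeouts in seconds (constructed values, not Jive defaults)."""
    access_token_timeout: int
    refresh_token_timeout: int
    extend_on_activity: bool = False  # "Automatically extend access token expiration upon activity"


def is_activity_lock(config: MobileTokenConfig) -> bool:
    """The page's rule for activity-based OAuth: extension on activity is on and
    the Refresh Token times out at least one minute before the Access Token."""
    return (config.extend_on_activity
            and config.refresh_token_timeout <= config.access_token_timeout - 60)


def simulate_session(config: MobileTokenConfig, request_times: List[int]) -> List[int]:
    """Return the request times (seconds since login) at which the device is sent
    back to the login screen.

    Model: the Access Token expires access_token_timeout after issue, or after
    the most recent request when extend_on_activity is set; the Refresh Token
    expires refresh_token_timeout after issue and is never extended. A request
    after the Access Token lapsed is refreshed silently while the Refresh Token
    is valid; otherwise the user must log in again. Assumption (mine, not the
    page's): a silent refresh leaves the Refresh Token's expiry unchanged.
    """
    access_expiry = config.access_token_timeout
    refresh_expiry = config.refresh_token_timeout
    reauth_at: List[int] = []
    for t in sorted(request_times):
        if t > access_expiry:
            if t > refresh_expiry:
                # Both tokens are gone: a new login issues a fresh token pair.
                reauth_at.append(t)
                refresh_expiry = t + config.refresh_token_timeout
            # Silent refresh or fresh login: a new Access Token either way.
            access_expiry = t + config.access_token_timeout
        elif config.extend_on_activity:
            access_expiry = t + config.access_token_timeout
    return reauth_at


# Constructed configurations: the page's default 15-minute inactivity lock (Refresh
# Token one minute shorter than the Access Token) beside the standard OAuth defaults.
ACTIVITY_LOCK = MobileTokenConfig(900, 840, extend_on_activity=True)
STANDARD_OAUTH = MobileTokenConfig(48 * 3600, 15 * 365 * 24 * 3600)
```

    Running the same request pattern through ACTIVITY_LOCK and through a copy with extension disabled shows the difference between an inactivity lock and a fixed-length session.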

    Initial Authentication Through SAML Followed by OAuth

    Jive Versions supported: 7.0.1+ and Cloud

    Note: this option is not available for Jive 7.0.0.x.

    With this method, a user authenticates initially through SAML SSO. Then Jive Mobile converts the session to a longer-lived OAuth session. This is achieved by setting the Access Token and Refresh Token timeouts for the Add-on to an interval greater than the timeout settings of SAML SSO, thereby circumventing the timeout settings of both auth.lifetime (the Jive authentication session) and the SAML SSO session. Keep in mind that if you use the default values for the Access Token timeout (48 hours) and the Refresh Token timeout (15 years), the user will not need to log in again on mobile unless the device’s authentication is revoked or the values are changed.

    This method has the following advantages:

    • The user can revoke a device authenticated through SAML SSO, a feature that is not available with the regular SAML SSO login alone.
    • Users who authenticate through the mobile clients and through the regular web UI can have different timeout settings while using the same login flow and the same IdP.

    Configuring Initial Authentication with SAML Followed by OAuth

    1. Enable the Jive for iOS or Jive for Android* Add-ons. Jive Custom customers whose instances aren't Internet-connected should contact Jive to get access.
    2. If you have Community Manager rights or higher, use the Add-on settings in the menu under your name or avatar to configure the Mobile Add-on as follows:
    • Set the Access Token and Refresh Token timeouts for the Add-on to an interval greater than the timeout settings of SAML SSO.
    • Enable Allow this add-on to obtain an access token using an authenticated session. (When this setting is enabled, a call to /api/addons/<extensionUUID>/session-grant-allowed returns a 200 status code; otherwise, this call returns a 403 error.)

    *Android releasing Q2 2014

    Forced OAuth for Mobile Only

    Jive Versions supported: 7.0.1+ and Cloud

    Note: this option is not available for Jive 7.0.0.x.

    When SAML SSO is enabled on the instance, Mobile apps follow the same authentication flow as the regular web interface. We have added an option to force OAuth for Mobile users only, even if the instance is configured with SAML SSO. If this setting is enabled, users accessing Jive on a mobile device will not use the SAML SSO login flow but will instead enter a username and password. They will then use an OAuth token for all subsequent API calls.

    Configuring Forced OAuth for Mobile Only

    The following instructions apply to Jive Custom and Jive Custom Hosted installations. Cloud community managers will need to file a request with Support to have this functionality enabled.

    1. Make sure a directory server such as LDAP is configured on the community.
    2. Add the system property jive.coreapi.force.oauth = true.
    3. Verify that these settings have been applied. If they are working correctly, "ssoEnabled": ["saml"] is no longer present in the response to /api/version, as shown in the following example.
    throw 'allowIllegalResourceCall is false.';
    {
      "jiveVersion" : "7.0.0.0 ",
      "jiveCoreVersions" : [ {
        "version" : 2,
        "revision" : 3,
        "uri" : "/api/core/v2",
        "documentation" : "https://developers.jivesoftware.com/api/v3/rest"
      }, {
        "version" : 3,
        "revision" : 4,
        "uri" : "/api/core/v3",
        "documentation" : "https://developers.jivesoftware.com/api/v3/rest"
      } ],
      "instanceURL" : "https://yourcommunity.com"
    }
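    As an added example (not code from Jive or from this page), the following Python shows how a client can parse the /api/version response quoted above and in the SAML SSO section, including stripping the throw 'allowIllegalResourceCall is false.'; guard that precedes the JSON, and then choose between the SAML and OAuth flows the way the page says Mobile does. The sample response bodies are constructed from the page's two examples and the function names are my own.

```python
import json
from typing import Tuple

# Jive prefixes JSON API responses with this JavaScript statement as a guard
# against JSON hijacking (it appears verbatim in the page's /api/version
# examples); a client must strip it before parsing the body.
JSON_GUARD = "throw 'allowIllegalResourceCall is false.';"

# Constructed sample bodies modelled on the page's two /api/version examples.
SAML_BODY = JSON_GUARD + """
{ "jiveVersion" : "7.0.0.0 ",
  "jiveCoreVersions" : [ { "version" : 3, "revision" : 4, "uri" : "/api/core/v3" } ],
  "instanceURL" : "https://yourcommunity.com",
  "ssoEnabled" : [ "saml" ] }"""
FORCED_OAUTH_BODY = JSON_GUARD + """
{ "jiveVersion" : "7.0.1.0",
  "jiveCoreVersions" : [ { "version" : 3, "revision" : 4, "uri" : "/api/core/v3" } ],
  "instanceURL" : "https://yourcommunity.com" }"""


def parse_jive_json(body: str) -> dict:
    """Strip the anti-hijacking guard when present, then parse the JSON."""
    text = body.lstrip()
    if text.startswith(JSON_GUARD):
        text = text[len(JSON_GUARD):]
    return json.loads(text)


def jive_version(info: dict) -> Tuple[int, ...]:
    """Turn "7.0.0.0 " (the page's sample keeps a trailing space) into (7, 0, 0, 0)."""
    return tuple(int(part) for part in info["jiveVersion"].strip().split("."))


def mobile_auth_flow(info: dict) -> str:
    """Choose the login flow the way the page says Mobile does: SAML SSO when the
    instance lists it in ssoEnabled, otherwise OAuth with the username/password
    grant, which the page says requires Jive 7.0.0 or later."""
    if "saml" in (info.get("ssoEnabled") or []):
        return "saml"
    if jive_version(info) < (7, 0, 0):
        raise ValueError("standard OAuth for mobile needs Jive 7.0.0+ or cloud")
    return "oauth"


def forced_oauth_applied(body: str) -> bool:
    """Verification step for forced OAuth: after jive.coreapi.force.oauth = true,
    /api/version must no longer report saml in ssoEnabled."""
    return mobile_auth_flow(parse_jive_json(body)) == "oauth"
```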