Develop the client app
After you configure the app resources in BlackBerry Online Account, you can develop the app that will invoke the
BlackBerry Web ServicesREST APIs using OAuth. You can use any programming language that supports OAuth.
Download and review the sample apps to see examples of OAuth implementation. The SampleWithAuthorizationCodeAndClientSecretRefreshToken.ps sample demonstrates the use of the authorization_code grant type with a refresh token that can be used to request a new access token from
BlackBerry Enterprise Identityon expiry. The refresh token expiry is 1 year, and it must be stored securely. A new refresh token is provided with a new access token.
Note the following requirements for the app:
- Structure the app so that customer can configure the app to use the client ID and client secret (if you selected client_secret_basic token endpoint authentication) or the client ID and a private key (if you selected private_key_jwt). This information must be stored securely.
- The app must support browser-based user authorization and redirects fromBlackBerry Enterprise Identity.
- To receive an access token fromBlackBerry Enterprise Identity, the customer's end users must provide the credentials of aUEMadministrator when they are prompted.
- If you want the app to continue working in unattended mode after initial authentication, the app can use a refresh token to get a new access token on its expiry. As long as the app continues to use the refresh token, it can run in unattended mode perpetually.
- The authentication scope for requesting tokens fromBlackBerry Enterprise Identityand invoking the REST APIs isopenid MDMBWS.All. If you want to use refresh tokens, useopenid offline_access MDMBWS.All.
- The app must be able to handle a change inBlackBerry Enterprise Identitykeys at any time. To avoid a load spike in key rollover and some failure scenarios, design the app to do the following:
- Cache a local copy of theBlackBerry Enterprise Identitypublic key set on a periodic basis (max 24 hours).
- When validating theBlackBerry Enterprise Identitytoken signature, find the correct key by searching the local key set copy using the key id (kid) identified in the JWT header.
- If the kid cannot be found in the local key set copy, and if the last copy is older than a configurable amount of time (minimum 30 mins), load the key set directly fromBlackBerry Enterprise Identity. This covers emergency key rolling within the 24 hour period and throttles key set requests sent toBlackBerry Enterprise Identityin failure scenarios.
- If the app uses private_key_jwt token endpoint authentication and can roll its keys,BlackBerry Enterprise Identityrequires the app to follow the key rolling recommendations in the OpenID Connect spec.