Develop the client app
After you or a
UEMadministrator configure the app resources in BlackBerry Online Account, you can develop the client app that will invoke the
BlackBerry Web ServicesREST APIs using OAuth. You can use any programming language that supports OAuth.
Download and review the sample apps to see examples of OAuth implementation. For example, SampleWithClientCredsAndClientSecret.java demonstrates how the client ID and client secret are passed on the command line to
BlackBerry Enterprise Identityfor authentication.
BlackBerry Enterprise Identityprovides a service token with a 10 minute expiry.
Note the following requirements for the app:
- You must configure the client app to use the client ID and client secret (if you selected client_secret_basic token endpoint authentication) or the client ID and and a private key (if you selected private_key_jwt). This information must be stored securely.
- The authentication scope for requesting tokens fromBlackBerry Enterprise Identityand invoking the REST APIs isMDMBWS.All.
- The app must be able to handle a change inBlackBerry Enterprise Identitykeys at any time. To avoid a load spike in key rollover and some failure scenarios, design the app to do the following:
- Cache a local copy of theBlackBerry Enterprise Identitypublic key set on a periodic basis (max 24 hours).
- When validating theBlackBerry Enterprise Identitytoken signature, find the correct key by searching the local key set copy using the key id (kid) identified in the JWT header.
- If the kid cannot be found in the local key set copy, and if the last copy is older than a configurable amount of time (minimum 30 mins), load the key set directly fromBlackBerry Enterprise Identity. This covers emergency key rolling within the 24 hour period and throttles key set requests sent toBlackBerry Enterprise Identityin failure scenarios.
- If the app uses private_key_jwt token endpoint authentication and can roll its keys,BlackBerry Enterprise Identityrequires the app to follow the key rolling recommendations in the OpenID Connect spec.
When you are ready to deploy the app to users, coordinate with the
UEMadministrator to enable the app in UEM.