Develop the client app
After you or a UEM administrator configure the app resources in BlackBerry Online Account, you can develop the client app that will invoke the BlackBerry Web Services REST APIs using OAuth. You can use any programming language that supports OAuth. Download and review the sample apps to see examples of OAuth implementation. For example, SampleWithClientCredsAndClientSecret.java demonstrates how the client ID and client secret are passed on the command line to BlackBerry Enterprise Identity for authentication. BlackBerry Enterprise Identity provides a service token with a 10-minute expiry.

Note the following requirements for the app:
- You must configure the client app to use the client ID and client secret (if you selected client_secret_basic token endpoint authentication) or the client ID and a private key (if you selected private_key_jwt). This information must be stored securely.
- The authentication scope for requesting tokens from BlackBerry Enterprise Identity and invoking the REST APIs is MDMBWS.All.
- The app must be able to handle a change in BlackBerry Enterprise Identity keys at any time. To avoid a load spike during key rollover and in some failure scenarios, design the app to do the following:
  - Cache a local copy of the BlackBerry Enterprise Identity public key set on a periodic basis (max 24 hours).
  - When validating the BlackBerry Enterprise Identity token signature, find the correct key by searching the local key set copy using the key ID (kid) identified in the JWT header.
  - If the kid cannot be found in the local key set copy, and if the last copy is older than a configurable amount of time (minimum 30 minutes), load the key set directly from BlackBerry Enterprise Identity. This covers emergency key rolling within the 24-hour period and throttles the key set requests sent to BlackBerry Enterprise Identity in failure scenarios.
- If the app uses private_key_jwt token endpoint authentication and can roll its keys, BlackBerry Enterprise Identity requires the app to follow the key rolling recommendations in the OpenID Connect spec.
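The key-set handling rules above are a small state machine: a periodically refreshed local copy, a kid lookup against it, and a throttled direct reload when the kid is missing. The following Python is an added example of that policy; it is not code from the BlackBerry documentation or its sample apps. The JWKS fetcher and the clock are injected so the behaviour can be exercised offline, the key-set documents and tokens are constructed, and the cache only resolves which key to use; the signature check with that key is left to a JOSE library.

```python
"""Key-set cache for validating BlackBerry Enterprise Identity tokens.

Added example (not from the BlackBerry documentation or sample apps):
keep a local copy of the public key set (refreshed at most every
24 hours), pick the key named by the JWT header's kid, and on a kid
miss reload directly only if the copy is older than a configurable
minimum (30 minutes) so a stream of bad tokens cannot become a stream
of key-set requests. Fetcher, clock, JWKS and tokens are constructed.
"""
import base64
import json
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

MAX_CACHE_AGE_S = 24 * 60 * 60     # periodic refresh ceiling (doc: max 24 h)
MIN_RELOAD_INTERVAL_S = 30 * 60    # kid-miss reload throttle (doc: min 30 min)


class UnknownKeyError(Exception):
    """The kid is not in the key set; the token must be rejected."""


def _b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_header(token: str) -> dict:
    """Parse the (still unverified) JOSE header to read alg/kid."""
    return json.loads(_b64url_decode(token.split(".")[0]))


@dataclass
class KeySetCache:
    fetch_jwks: Callable[[], dict]          # GET of the IdP's JWKS document
    now: Callable[[], float] = time.time    # injectable clock for testing
    max_age_s: float = MAX_CACHE_AGE_S
    min_reload_s: float = MIN_RELOAD_INTERVAL_S
    keys: Dict[str, dict] = field(default_factory=dict)
    fetched_at: float = float("-inf")
    fetch_count: int = 0

    def refresh(self) -> None:
        jwks = self.fetch_jwks()
        self.keys = {k["kid"]: k for k in jwks.get("keys", []) if "kid" in k}
        self.fetched_at = self.now()
        self.fetch_count += 1

    def key_for(self, token: str) -> dict:
        """Return the JWK the signature verifier should use for this token."""
        age = self.now() - self.fetched_at
        if age > self.max_age_s:            # periodic refresh (cold start too)
            self.refresh()
            age = 0.0
        kid = jwt_header(token).get("kid")
        if kid is None:
            raise UnknownKeyError("JWT header carries no kid")
        if kid in self.keys:
            return self.keys[kid]
        # kid miss: reload directly only when the local copy is old enough
        if age >= self.min_reload_s:
            self.refresh()
            if kid in self.keys:
                return self.keys[kid]
        raise UnknownKeyError(f"kid {kid!r} not in key set")


def make_token(kid: str) -> str:
    # Constructed token: header, dummy payload, placeholder signature.
    return f"{_b64url_encode({'alg': 'RS256', 'kid': kid})}.{_b64url_encode({'iss': 'constructed'})}.sig"


def run_rollover_scenario() -> dict:
    """Drive the cache through a key rollover using a fake clock and IdP."""
    clock = {"t": 1_000_000.0}
    published = {"keys": [{"kid": "key-1", "kty": "RSA", "n": "<constructed>", "e": "AQAB"}]}
    cache = KeySetCache(fetch_jwks=lambda: json.loads(json.dumps(published)),
                        now=lambda: clock["t"])
    out = {}
    out["first"] = cache.key_for(make_token("key-1"))["kid"]      # cold: fetch #1
    out["fetches_after_first"] = cache.fetch_count

    # The IdP rolls to key-2; a token using it arrives five minutes later.
    published["keys"].append({"kid": "key-2", "kty": "RSA", "n": "<constructed>", "e": "AQAB"})
    clock["t"] += 5 * 60
    try:
        cache.key_for(make_token("key-2"))
        out["early_miss"] = "accepted"
    except UnknownKeyError:
        out["early_miss"] = "rejected"          # copy too fresh: no reload, reject
    out["fetches_after_early_miss"] = cache.fetch_count

    # 31 minutes after the last load, the same kid miss triggers a direct reload.
    clock["t"] += 26 * 60
    out["after_throttle"] = cache.key_for(make_token("key-2"))["kid"]
    out["fetches_after_reload"] = cache.fetch_count

    # A day later an unknown kid arrives: periodic refresh runs, then reject.
    clock["t"] += 25 * 60 * 60
    try:
        cache.key_for(make_token("key-9"))
        out["bogus"] = "accepted"
    except UnknownKeyError:
        out["bogus"] = "rejected"
    out["fetches_final"] = cache.fetch_count
    return out
```

The throttle is what turns the recommendation into a defensive property: a token with a fabricated kid cannot force a round trip to BlackBerry Enterprise Identity more than once per reload interval, while a genuine emergency rollover is still picked up within that interval.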
When you are ready to deploy the app to users, coordinate with the UEM administrator to enable the app in UEM.