I am designing security for a public native mobile application for iOS and Android which uses a publicly available API exposed through WSO2 API Manager (APIM).
As such I understand the security issues related to this setup and I would like to apply OAuth2 for native apps (according to RFC 8252).
I understand that the first thing such an application should do is register with the WSO2 APIM server through the interface described in the Store API in order to receive a unique consumer key/secret for every application; this is Dynamic Client Registration (DCR).
The following is a sample of the request that should be sent in order to get the keys:
curl -X POST -H "Authorization: Basic YWRtaW46YWRtaW4=" -H "Content-Type: application/json" -d @payload.json https://localhost:9443/client-registration/v0.11/register
To make such a request, it should be secured using TLS 1.2, and there is Basic Authorization using a username/password of WSO2 APIM (which in this case is Base64-encoded admin:admin).
I understand that it should be protected at least by Basic Authorization to provide some security against DoS attacks, but on the other hand that means the application should be distributed with username:password in order to be able to do DCR.
And if it is distributed with this information, then everyone can get that information and request, for example, a malicious application registration.
How is a native mobile application handled in order to register securely in WSO2 APIM? I think there is something missing in my understanding of how it works.
Does it mean that the user who installed the mobile application should have their own account on WSO2 APIM and should provide credentials right after installation?
What about the situation where the user does not have credentials in WSO2 APIM but has credentials for the backend service that is accessed through the API from WSO2 APIM? Can such credentials be used to register the application through DCR of WSO2 APIM? (Currently the backend and WSO2 APIM authentication have no integration.)
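The DCR call from the curl line above, reconstructed as an added Python example (not code from the question or from WSO2); the payload field names are assumed from the WSO2 APIM DCR documentation and the callback URI is hypothetical. It prepares the request without sending it and shows why the concern above holds: a Basic header compiled into an app binary is plain base64 and reads straight back to the username and password.

```python
import base64
import json
import urllib.request

# Constructed sample payload; field names are assumed from the WSO2 APIM
# DCR docs, not taken from the question.
SAMPLE_PAYLOAD = {
    "callbackUrl": "myapp://oauth/callback",  # hypothetical app redirect URI
    "clientName": "my_mobile_app",
    "owner": "admin",
    "grantType": "authorization_code refresh_token",
    "saasApp": True,
}


def basic_auth_header(username: str, password: str) -> str:
    """Build the value curl sends for -H "Authorization: Basic ..."."""
    raw = f"{username}:{password}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def credentials_from_basic_header(header: str) -> tuple[str, str]:
    """Recover username and password from a Basic header.

    Base64 is an encoding, not encryption: anything shipped inside a mobile
    binary can be read back this easily, which is the risk the question raises.
    """
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, pwd = base64.b64decode(token).decode().partition(":")
    return user, pwd


def build_dcr_request(base_url: str, username: str, password: str,
                      payload: dict) -> urllib.request.Request:
    """Equivalent of the curl command in the question, prepared but not sent."""
    return urllib.request.Request(
        url=f"{base_url}/client-registration/v0.11/register",
        method="POST",
        headers={
            "Authorization": basic_auth_header(username, password),
            "Content-Type": "application/json",
        },
        data=json.dumps(payload).encode(),
    )


if __name__ == "__main__":
    req = build_dcr_request("https://localhost:9443", "admin", "admin", SAMPLE_PAYLOAD)
    print(req.get_method(), req.full_url)
    print(credentials_from_basic_header(req.get_header("Authorization")))
```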