Gartner Research

Building Authentication, Authorization and SSO Into API-Driven Apps

Published: 21 January 2020

ID: G00390369

Analyst(s): Erik Wahlstrom

Summary

Organizations must use standards when building authentication in native apps and modern web apps (aka SPAs and PWAs). This research helps security and risk management technical professionals focused on IAM to use OAuth 2.0 and OpenID Connect to balance cost, usability and security.

Table Of Contents

Analysis

  • The Evolving Landscape of SSO in Apps
  • Protecting APIs Used by Apps
  • “The Dance”
  • Browsers Are the Heart of SSO
  • Session Management — Keeping Access Tokens Up to Date
  • Increasing the Trust in Public Clients
  • Building Native Apps
  • Key Storage in Different Operating Systems
  • SSO Through Shared Key Stores for Native Apps
  • Hybrid Apps
  • Progressive Web Apps
  • Building Modern Web Apps
  • Key Stores in Browsers
  • Strengths
  • Weaknesses

Guidance

  • Avoid Proprietary Methods
  • Know Your OAuth 2.0 and OIDC Flows
  • Use Proven Client-Side Libraries
  • Follow the Principle of Least Privilege
  • Manage Consent
  • Use the AppAuth Pattern When Building Native Apps
  • Use the Legacy Implicit Flow for SPAs and PWAs — But Stay Up to Date
  • Terminate Sessions and Explicitly Delete and Invalidate Active Tokens

The Details

  • The Alternatives to Bearer Tokens
  • Support for Interapplication Communication in Operating Systems
  • Cross-Origin Resource Sharing (CORS)
  • Evaluation Criteria for Native App Libraries
  • Evaluation Criteria for Modern Web App Libraries
  • Commonly Used Libraries for Native Apps
  • Commonly Used Libraries for Modern Web Apps

Evidence

Gartner Recommended Reading

©2021 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. and its affiliates. This publication may not be reproduced or distributed in any form without Gartner’s prior written permission. It consists of the opinions of Gartner’s research organization, which should not be construed as statements of fact. While the information contained in this publication has been obtained from sources believed to be reliable, Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner research may address legal and financial issues, Gartner does not provide legal or investment advice and its research should not be construed or used as such. Your access and use of this publication are governed by Gartner’s Usage Policy. Gartner prides itself on its reputation for independence and objectivity. Its research is produced independently by its research organization without input or influence from any third party. For further information, see Guiding Principles on Independence and Objectivity.
