Travis Spencer's presentation at API Days London 2023.
More on the Hypermedia Authentication API:
https://curity.io/product/authentication-service/authentication-api/
2. Mobile Experiences Demand Unique Solutions to Challenging Problems
• Avoid drop-off during login
• Brand presentation
• Safe login options
• UX must be great
3. Challenges
• Login is a complex process
• Technology is constantly changing
• Common approaches introduce friction
• Mobile execution environment is often compromised
• Non-experts are inventing unsafe APIs shoehorned into OAuth
4. HAAPI is a Better Solution
• User authentication without a browser
• Use any authentication mechanism
• User journey orchestrations can be executed
• Localized & branded
• Keep using existing OAuth clients
7. API (slides 7 to 10 build up one diagram)
Token Management: App to Server (back-channel)
User Authentication: Browser to Server (front-channel)
Authenticators, Actions, Authentication
8. API
As slide 7; the front-channel is labelled "Server-side HTML rendering with page post-backs"
9. API
As slide 8, with "API" added to the diagram
10. API
Token Management: App to Server (back-channel)
User Authentication: API
Authenticators, Actions
Remove the need for the browser
13. Hypermedia-based API (slides 13 to 15 build up one diagram)
Initial request
Authentication Step: Available Actions and Links
User provided information
Hypermedia, Authenticators, Actions
14. Hypermedia-based API
As slide 13
15. Hypermedia-based API
As slide 13, with a final step: Authentication Result
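The hypermedia flow on slides 13 to 15 (initial request, a step listing the available actions, user-provided information, a final authentication result) as an added illustration, not code from the talk or from Curity. The step and action format, the fake in-memory server and its test credentials are all constructed assumptions; the point shown is that the client never hard-codes the sequence of steps, it only follows what each response offers.

```python
"""Walk a hypermedia-driven login without hard-coding the steps.

Constructed illustration: the Step format and FakeAuthServer stand in for a
real hypermedia authentication API and are NOT Curity's HAAPI wire format.
"""
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Step:
    kind: str                                    # "authentication-step" or "authentication-result"
    actions: dict = field(default_factory=dict)  # action name -> list of fields the user must supply
    links: dict = field(default_factory=dict)    # related links the client may show (e.g. recovery)
    result: dict = field(default_factory=dict)   # filled only on the final step

class FakeAuthServer:
    """Serves a password step, then a one-time-code step, then the result."""
    USERS = {"alice": {"password": "s3cret", "otp": "123456"}}  # constructed test data only

    def __init__(self):
        self.state, self.user = "start", None

    def initial_request(self) -> Step:
        # Every response tells the client what it may do next; nothing else is assumed.
        return Step("authentication-step", actions={"login": ["username", "password"]})

    def submit(self, action: str, fields: dict) -> Step:
        if self.state == "start" and action == "login":
            user = self.USERS.get(fields.get("username"))
            if user and user["password"] == fields.get("password"):
                self.state, self.user = "otp", fields["username"]
                return Step("authentication-step", actions={"otp": ["code"]})
            # Wrong credentials: same step again, plus a recovery link the client can render.
            return Step("authentication-step",
                        actions={"login": ["username", "password"]},
                        links={"forgot-password": "/recover"})
        if self.state == "otp" and action == "otp":
            if self.USERS[self.user]["otp"] == fields.get("code"):
                self.state = "done"
                return Step("authentication-result", result={"subject": self.user})
            return Step("authentication-step", actions={"otp": ["code"]})
        raise ValueError(f"action {action!r} is not offered in state {self.state!r}")

def run_flow(server, answers: dict, max_steps: int = 10) -> Optional[dict]:
    """Generic client: take the first offered action, fill its fields from the
    user-provided `answers`, repeat until the server returns a result."""
    step = server.initial_request()
    for _ in range(max_steps):
        if step.kind == "authentication-result":
            return step.result
        if not step.actions:          # dead end: nothing offered and no result
            return None
        action, required = next(iter(step.actions.items()))
        step = server.submit(action, {f: answers[action][f] for f in required})
    return None  # bounded loop: a server that never finishes cannot spin the client forever
```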
18. Security
• All HAAPI calls subject to access control
• API available only for explicitly authorized clients
• Using proof-of-possession access tokens
• Additional security measures (e.g., clock skew protection)
• Client application attestation
20. Summary
• Mobile login is hard for various reasons
• HAAPI provides a better solution than alternatives
• Works with OAuth and OpenID Connect to avoid browser-based login
• Security is enhanced by client attestation