Integrating MobileFirst and Cloudant security

Adapter sample

To download the sample, see Sample: mfp-bluelist-on-premises.

To understand the MobileFirst adapter that is included with the Bluelist sample, you must understand both Cloudant® security and MobileFirst security framework.

The Bluelist adapter sample has two primary functions:

Exchange MobileFirst OAuth tokens for Cloudant session cookies
Perform the required admin requests to Cloudant from the Bluelist sample.

The sample demonstrates how to perform API requests that require admin access on the server where it is secure. While it is possible to place your admin credentials on the mobile device, it is a better practice to restrict access from mobile devices.

The Bluelist sample integrates MobileFirst security with Cloudant security. The MobileFirst adapter sample maps a MobileFirst identity to a Cloudant identity. The mobile device receives a Cloudant session cookie to perform non-admin API requests. The sample uses the Couch Security model.

Enroll REST endpoint

The following diagram illustrates the integration performed by the Bluelist adapter sample /enroll endpoint.

See following text for description of diagram

Mobile device obtains the MobileFirst OAuth token from the MobileFirst Server.
Mobile device calls the /enroll endpoint on the MobileFirst adapter.
The MobileFirst adapter sample validates the MobileFirst OAuth token with the MobileFirst Server.
If valid, performs admin API requests to Cloudant . The sample checks for an existing Cloudant user in the _users database.
- If the user exists, look up Cloudant user credentials in the _users database.
- If a new user is passed, use the Cloudant admin credentials, create a new Cloudant user and store in the _users database.
- Generate a unique database name for the user and create a remote database on Cloudant with that name.
- Give the Cloudant user permissions to read/write the newly created database.
- Create the required indexes for the Bluelist application.
Request a new Cloudant session cookie.
The MobileFirst adapter sample returns a Cloudant session cookie, remote database name, and Cloudant URL to the mobile device.
Mobile device makes requests directly to Cloudant until the session cookie expires.

sessioncookie REST Endpoint

In the case of an expired session cookie, the mobile device can exchange a valid MobileFirst OAuth token for a Cloudant session cookie with the /sessioncookie endpoint.