user617635

Reputation: 23

Box.com authentication for federated enterprise account

I am new to the Box API. I have created a universal iOS app for an enterprise. Now I need to integrate Box.com with my app. In the app, we want the user to browse data from multiple servers as well as from Box. The user can view/download documents from a Box folder and save them to the iOS device.

The enterprise will create its users' accounts in Box. A user logs in to Box using his/her corporate email ID.

I have downloaded the sample code for iPhone ('BoxSDK'), in which they included Box.framework, and just called the 'initiateLoginUsingURLRedirectWithCallbacks' method of Box. The app redirects to Safari and, after authentication, Safari launches the app again using openURL.

I have some questions:

1) Is OAuth 2.0 needed for logging in to an enterprise account?

2) If yes, why is it needed? What is the importance of it?

3) How do I use it? (I have downloaded the OAuth sample for iOS, but it does not contain any UI part.)

I have referred to the Box documentation, authentication guide -> OAuth2. In that they have described the settings for an enterprise application which are supposed to be done from the admin side. So how will it affect the client side (the iOS device)?

4) What will be the difference in the web services explained in authentication guide -> OAuth2 for an enterprise account vs. a personal account?

Thanks!

Upvotes: 0

Views: 539

Answers (1)

Peter

Reputation: 2599

Some great philosophical questions about OAuth2. Let me try to answer them, but I'm afraid that a longer response will have to wait for a blog post, since I've been working on writing one up that explains why enterprises want OAuth2 for authenticating their users.

So, you have figured right. OAuth2 is required in order to sign in a user, and that is largely due to the security and privacy that is requested by both enterprise and individual users. Much like Facebook and Google moved in 2011 to requiring users of apps to sign in with OAuth2, Box has moved in that direction as well. Simply put, there were some holes and problems with OAuth1 that are solved if you implement OAuth2 carefully.

The OAuth2 standard, as has been pointed out by many tech bloggers and security pundits, is not a perfect standard. It is more a set of guidelines, and those guidelines could allow an implementer to create a not-very-secure authentication mechanism. We have tried to avoid those security problems and provide the most security for our users that is possible, without making it too hard for them to authenticate into Box.

For your third question, how to use it: I suggest you read our docs on it: http://developers.box.com/oauth/. It's fairly involved, and you'll need to set up a client-side listener so that our servers can open an HTTPS callback and give you the token for the user once they've finished their browser session authenticating with Box.

As for differences between Enterprise and Personal accounts: we don't really see them as having a different level of desired security. Many of our Personal and small-business users want much of the same security that we give our Enterprise customers. And while we don't offer every security feature to Personal customers (such as 2-factor auth), we do offer OAuth2 security to them.

Hope that helps. This isn't a normal Stack Overflow type of tech question with code snippets to explain things, but hopefully I've answered your questions.

Upvotes: 0
