Reputation: 29
During App Authenticity testing in MobileFirst 8.0, I found a strange behavior in switching between enable and disable of App Authenticity setting on Console, using an (Android) app's debug package and release package:
Followed the instruction of signing the app (release package) with mfp-app-authenticity-tool.jar tool, registered .authenticity_data file via Console, and set Security-Check Configurations of the app to use appAuthenticity setting with Expiration Period value.
(For initial connection) After installing the release version of the app on a device, the app successfully connects to MFF Server and calls an adapter.
(After removing the release version of the app from the same device) Installed the debug version of the app on the device, and the app fails to connect to MFF Server, as expected.
After disabling App Authenticity by deleting the Authenticity File on Console, the debug version of the app on the device successfully connects to MFF Server and calls an adapter.
"Re-enabled" App Authenticity with the same instructions as in the first step, but the debug version of the app can still connect to MFF Server and call an adapter. I understand that there are a Maximum Token-Expiration Period setting and an Expiration Period setting, but I set both values to 60 seconds just for testing. (Reinstalling the debug version of the app and testing the action without changing anything on the Server gives the expected behavior, i.e. not able to connect.)
I'm wondering if this is the normal behavior of enabling / disabling the App Authenticity setting in real time on Console, and if the feature is designed for just one set of actions, Enable -> Disable only.
Any thought?
Thanks!
Upvotes: 0
Views: 312
Reputation: 49421
By default, App Authenticity is only checked during the client registration process. This means that the next time you connect to the server, it will not be checked.
In order to run App Authenticity on every token request, add appAuthenticity to the Mandatory scope section of your application in the console. Then set the expirationSec to 60 seconds, for example.
The tutorial was adjusted to clarify this: https://mobilefirstplatform.ibmcloud.com/tutorials/en/foundation/8.0/authentication-and-security/application-authenticity/#configuring-application-authenticity
Upvotes: 1