Develop the client app

After you configure the app resources in BlackBerry Online Account, you can develop the client app that will invoke the BlackBerry Web Services REST APIs using OAuth. You can use any programming language that supports OAuth.
Download and review the sample apps to see examples of OAuth implementation. The SampleWithAuthorizationCodeAndClientSecretRefreshToken.ps sample demonstrates the authorization_code grant type with a refresh token, which the app uses to request a new access token from BlackBerry Enterprise Identity when the current one expires. The refresh token is valid for 1 year and must be stored securely. Each new access token comes with a new refresh token; store the new refresh token in place of the old one.
Note the following requirements for the app:
  • You must configure the client app with the client ID and client secret (if you selected client_secret_basic token endpoint authentication) or with the client ID and a private key (if you selected private_key_jwt). Store these credentials securely.
  • The app must support browser-based user authorization and redirects from BlackBerry Enterprise Identity.
  • To receive an access token from BlackBerry Enterprise Identity, the end user must provide the credentials of a UEM administrator when prompted.
  • If you want the app to continue working in unattended mode after the initial authentication, it can use the refresh token to get a new access token when the current one expires. As long as the app keeps using the refresh token, it can run unattended indefinitely.
  • The authentication scope for requesting tokens from BlackBerry Enterprise Identity and invoking the REST APIs is openid MDMBWS.All. If you want to use refresh tokens, use openid offline_access MDMBWS.All.
  • The app must be able to handle a change in BlackBerry Enterprise Identity signing keys at any time. To avoid a load spike during key rollover and in some failure scenarios, design the app to do the following:
    • Cache a local copy of the BlackBerry Enterprise Identity public key set and refresh it periodically (at most 24 hours between refreshes).
    • When validating the signature of a BlackBerry Enterprise Identity token, find the correct key by searching the local key set copy for the key ID (kid) given in the JWT header.
    • If the kid cannot be found in the local key set copy, and the copy is older than a configurable interval (minimum 30 minutes), load the key set directly from BlackBerry Enterprise Identity. This covers emergency key rolling within the 24-hour period while throttling key set requests sent to BlackBerry Enterprise Identity in failure scenarios (for example, a token that names a kid the provider never published).
  • If the app uses private_key_jwt token endpoint authentication and can roll its keys, BlackBerry Enterprise Identity requires the app to follow the key rolling recommendations in the OpenID Connect spec.
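The key set cache described in the list above, as an added example that is not code from the page or from BlackBerry: a local JWK set copy refreshed at most every 24 hours, a kid lookup against that copy, and a reload on an unknown kid only if the copy is at least 30 minutes old. The JWKS fetch is injected so the block runs offline; the key IDs, the RSA key material and the tokens are constructed (the tokens are unsigned, because the block demonstrates key selection only; the RS256 check itself is done by a JOSE library with the JWK this cache returns).

```python
import base64
import json
import time
from typing import Callable, Dict, Optional

MAX_KEYSET_AGE = 24 * 60 * 60      # refresh the local copy at least every 24 hours
MIN_RELOAD_INTERVAL = 30 * 60      # an unknown kid reloads only if the copy is at least this old


def jwt_header(token: str) -> dict:
    """Decode the JOSE header of a compact JWT (no signature check here)."""
    segment = token.split(".")[0]
    segment += "=" * (-len(segment) % 4)              # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


class JwksCache:
    """Local copy of the identity provider's JWK set, reloaded on a schedule
    and, throttled, when a token names a kid the copy does not contain."""

    def __init__(self, fetch_jwks: Callable[[], dict],
                 clock: Callable[[], float] = time.time,
                 max_age: float = MAX_KEYSET_AGE,
                 min_reload: float = MIN_RELOAD_INTERVAL) -> None:
        self._fetch = fetch_jwks          # GET of the provider's jwks_uri, returning the parsed JSON
        self._clock = clock
        self._max_age = max_age
        self._min_reload = min_reload
        self._keys: Dict[str, dict] = {}
        self._loaded_at: Optional[float] = None
        self.fetch_count = 0              # how many times the provider was actually asked

    def _age(self) -> float:
        return float("inf") if self._loaded_at is None else self._clock() - self._loaded_at

    def _reload(self) -> None:
        jwks = self._fetch()
        self._keys = {k["kid"]: k for k in jwks.get("keys", []) if "kid" in k}
        self._loaded_at = self._clock()
        self.fetch_count += 1

    def key_for_token(self, token: str) -> Optional[dict]:
        """Return the JWK that should verify `token`, or None when the kid is unknown
        and the throttle does not yet allow asking the provider again."""
        kid = jwt_header(token).get("kid")
        if kid is None:
            return None
        if self._age() > self._max_age:           # scheduled refresh (first use included)
            self._reload()
        key = self._keys.get(kid)
        if key is None and self._age() >= self._min_reload:
            self._reload()                        # emergency rollover inside the 24 h window
            key = self._keys.get(kid)
        return key


def _token_with_kid(kid: str) -> str:
    """Constructed unsigned JWT (header.payload.) used only to exercise key selection."""
    def b64(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256', 'kid': kid})}.{b64({'sub': 'uem-admin'})}."


def simulate() -> dict:
    """Walk the cache through a normal day and an emergency rollover; report fetch counts."""
    now = [1_700_000_000.0]                                  # fake clock (seconds)
    rsa_stub = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus"}   # not a real key
    published = {"keys": [dict(rsa_stub, kid="key-2024-a")]}  # what the provider currently serves
    cache = JwksCache(lambda: published, clock=lambda: now[0])
    out = {}
    out["known_kid_found"] = cache.key_for_token(_token_with_kid("key-2024-a")) is not None
    out["fetches_after_first_use"] = cache.fetch_count
    # Provider rolls its key 10 minutes later and starts signing with a new kid.
    now[0] += 10 * 60
    published["keys"].append(dict(rsa_stub, kid="key-2024-b"))
    out["unknown_kid_inside_throttle"] = cache.key_for_token(_token_with_kid("key-2024-b")) is not None
    out["fetches_inside_throttle"] = cache.fetch_count
    now[0] += 25 * 60                                        # 35 minutes since the last load
    out["unknown_kid_after_throttle"] = cache.key_for_token(_token_with_kid("key-2024-b")) is not None
    out["fetches_after_throttle"] = cache.fetch_count
    now[0] += 25 * 60 * 60                                   # a day later: scheduled refresh
    cache.key_for_token(_token_with_kid("key-2024-a"))
    out["fetches_after_a_day"] = cache.fetch_count
    return out


if __name__ == "__main__":
    print(simulate())
```

A token that arrives with the new kid during the first 30 minutes after the last load is rejected rather than triggering a fetch; this is the throttling the list asks for, and it bounds how many key set requests a flood of tokens with bogus kids can cause.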
When the app is ready to deploy to the customer's users, coordinate with the UEM administrator to enable the app in UEM.