Introducing Native Mobile App Support

We are excited to announce a new feature for the Blue Button 2.0 API: Native Mobile App Support.

A Standards-based API

The Blue Button 2.0 API has always embraced being a developer-friendly, standards-based API. We are excited to support a new capability that has been released in the OAuth 2.0 specification, RFC 8252 - OAuth 2.0 for Native Apps. It is an authentication flow utilizing RFC 7636 - Proof Key for Code Exchange by OAuth Public Clients (better known as PKCE or “Pixie”) in conjunction with custom URI schemes to handle OAuth 2.0 redirects.

Implementing Native Mobile App Support in Your App

When you register an application with the Blue Button 2.0 API, you can enter a custom URI scheme as part of your redirect_uri. We recommend the use of a reverse DNS for your custom URI scheme.

Let’s use an example from the mobile app the Blue Button 2.0 engineering team created to test this new feature.

Since we own the domain: bluebutton.cms.gov

We created a reverse DNS custom URI:

gov.cms.bluebutton.oauthtester

We then added the path to our callback handler in our mobile app:

/oauth2redirect/example-provider

When we put the entire redirect_uri together we have:

gov.cms.bluebutton.oauthtester://oauth2redirect/example-provider

This is the value we enter in the redirect_uri field in the application form on https://sandbox.bluebutton.cms.gov/.

Why Use the Native Mobile App Support Feature?

Our Blue Button 2.0 developer community members are inventive. We have already seen some of you create mobile apps. Those apps invariably had to implement some type of proxy server that could handle a secure redirect over https/SSL and then push a notification to the mobile device that initiated the connection.

Native Mobile App Support enables the entire token exchange process that is required as a prerequisite to accessing the data in the Blue Button 2.0 API to take place on the mobile device. Most importantly, the inclusion of PKCE guards against a “man-in-the-middle” attack during the token exchange process.

For mobile app developers this allows integration with the Blue Button 2.0 API to happen entirely on the mobile device without any dependency on an intermediary server. The mobile app can be completely self-contained.

How to Get Started with Native Mobile App Support

Find documentation on Native Mobile App Support in the Blue Button documentation.

A coding example of an OAuth 2.0 and PKCE flow is available here: Authorization Code with PKCE Flow - OAuth 2.0 Playground

The Blue Button 2.0 engineering team has also created a sample Android application. You can review or fork the code here: https://github.com/CMSgov/bluebutton-sample-client-android

We are excited to release this new capability and look forward to seeing the exciting things you create. You can share what you’re working on and any feedback you have on the Google Group.


Earlier Blog Posts

Blog Index

Latest

Category:Latest

General

Category:General

Code

Category:Code

Back to top Subscribe to RSS Feed Comments via Google Group