It is permitted for roles in the network to expose their functionality as a native mobile app instead of a (responsive) website. This section describes the conditions that apply and the desired message flows.
A native app is considered another representation of a website. All requirements for website-based systems still apply (such as, but not limited to, the Richtlijnen naam- en merkgebruik eHerkenning, the Richtlijnen communicatie Idensys and the Gebruikersinterface).
Deelnemers and DVs SHOULD implement the OAuth2 protocol according to IETF RFC 6749 and IETF RFC 7636, together with the interface specifications for native apps as defined in the Afsprakenstelsel. For threat modelling and further security considerations they SHOULD apply IETF RFC 6819.
To ensure maximum security, a native app MUST have an accompanying back end.
The back end MUST:
- Take adequate measures to make sure the native app is trusted and legitimate
- Check that all communication between the app and the back end shares the same session and is secure
The native app MUST:
- Implement security best practices, such as hardening, and follow standards such as the draft IETF RFC 'OAuth 2.0 for Native Apps' and the OWASP mobile security project.
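The RFC 7636 (PKCE) requirement above is the part of this flow that a back end can verify mechanically: the app sends a `code_challenge` with the authorization request and the `code_verifier` with the token request, and the back end checks that the two match before issuing a token. The following is an added example written for this page, not code from the Afsprakenstelsel or from any deelnemer or DV; the `AuthorizationServer` class, its method names and the `https://app.example.nl/callback` redirect endpoint are assumptions used for illustration. The S256 helper is checked against the test vector in RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import re
import secrets

# RFC 7636 section 4.1: 43..128 characters from the unreserved set [A-Z a-z 0-9 - . _ ~]
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def make_code_verifier(n_bytes: int = 32) -> str:
    """App side: high-entropy code_verifier (32 random bytes -> 43 base64url chars)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier: str) -> str:
    """RFC 7636 section 4.2: BASE64URL-ENCODE(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Hypothetical back end for a native app (not the Afsprakenstelsel's own component).

    It binds the challenge to the authorization code at authorize time and only
    issues a token when the verifier presented later matches that challenge,
    the redirect endpoint is the registered one, and the code has not been used before.
    """

    def __init__(self, registered_redirects: set[str]):
        # Endpoints registered in the DV metadata (constructed sample values)
        self._registered_redirects = registered_redirects
        self._pending: dict[str, tuple[str, str]] = {}  # code -> (challenge, redirect_uri)

    def authorize(self, redirect_uri: str, code_challenge: str, method: str = "S256") -> str:
        if redirect_uri not in self._registered_redirects:
            raise ValueError("redirect_uri is not a registered endpoint")
        if method != "S256":
            # RFC 7636 allows "plain", but a back end should reject it for native apps
            raise ValueError("only the S256 code_challenge_method is accepted")
        code = secrets.token_urlsafe(32)
        self._pending[code] = (code_challenge, redirect_uri)
        return code

    def token(self, code: str, code_verifier: str, redirect_uri: str) -> bool:
        """Return True if a token may be issued; False on any mismatch or replay."""
        entry = self._pending.pop(code, None)  # single use: a replayed code fails
        if entry is None:
            return False
        challenge, bound_redirect = entry
        if redirect_uri != bound_redirect:
            return False
        if not _VERIFIER_RE.match(code_verifier):
            return False
        # Constant-time comparison of the recomputed challenge against the stored one
        return hmac.compare_digest(code_challenge_s256(code_verifier), challenge)


if __name__ == "__main__":
    redirect = "https://app.example.nl/callback"  # assumed, registered in DV metadata
    server = AuthorizationServer({redirect})
    verifier = make_code_verifier()
    code = server.authorize(redirect, code_challenge_s256(verifier))
    print("token issued:", server.token(code, verifier, redirect))
    print("replayed code accepted:", server.token(code, verifier, redirect))
```

The interesting defensive checks sit in `token`: the code is popped so a second presentation fails, the redirect endpoint must equal the one bound at authorization time, and the comparison is constant-time. Rejecting `plain` removes the one PKCE mode that gives no protection if the authorization response is observed on the device.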
A Dienstverlener (DV) MUST register the endpoint used for the native app in the DV metadata for the HM, so that during authentication the HM can direct the user back to the app via the appropriate endpoint.
For the message flow, please refer to Introduction OAuth2 specifications for native apps.