Can anyone at ShareFile Engineering answer the following questions:
1. Does the ShareFile API support PKCE and the IETF ‘AppAuth’ pattern, to allow secure access from a native app which cannot protect a client_secret? (refs - https://tools.ietf.org/html/rfc7636, https://tools.ietf.org/html/rfc8252)
2. If the answer to (1) is ‘yes’, does it support refresh tokens, and are there any limits to the period over which token refreshing can be used without re-entry of user credentials?
3. (How) could a ShareFile account be configured for create-only access to a fileshare? i.e. a set of credentials that could be used via the OAuth2 Password grant API to create folders and files, but whereby the same account credentials could not be used (neither by an end-user nor programmatically via the API) to read, modify or erase those same folders and files that were created via that account. (Ref - https://api.sharefile.com/rest/oauth2-password.aspx)
4. Are there any other methods a native iOS app could use to secure direct write access to ShareFile, without MDM in place?
There are also questions we can ask about future approaches with MDM in place. I’m not sure whether you want those questions at this stage. Such questions for Citrix would include:
M1. Can XenMobile + ShareFile support a certificate-based authentication approach, whereby a certificate is provisioned onto the iPad during initial setup via MDM, and then leveraged by a native app (MDX-wrapped if necessary) to secure write access to ShareFile? If so, how exactly would the native app achieve this?
M2. Same question as M1, except using a credentials-based approach, where ShareFile account credentials are entered during provisioning. (If there is a requirement for periodic re-entry of credentials, please clarify).
Not sure what's going on with 1 and 2. I know you can get an OAuth token for 2.0 and it can refresh itself.
3 sounds like the request is to create a user who can upload files and create Share links in a folder, but not view or delete the file. You need to be able to download in order to create a Share link so the rough answer is no, because you need to be able to view/download the file in order to create a Share link anyway.
4, to my knowledge, is as long as you're authenticated, you can write to ShareFile (i.e. upload files), so if your app has a way to authenticate outside of using the API, sure? I'm just not aware of one, personally.
I'm not able to answer the XenMobile-related questions at all, unfortunately.