Re: [OAUTH-WG] Native Application Text
Anthony Nadalin <tonynad@microsoft.com> Wed, 06 July 2011 22:42 UTC
Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5997021F8B28 for <oauth@ietfa.amsl.com>; Wed, 6 Jul 2011 15:42:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.466
X-Spam-Level:
X-Spam-Status: No, score=-7.466 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8, UNRESOLVED_TEMPLATE=3.132]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G9rDSzCaIi9W for <oauth@ietfa.amsl.com>; Wed, 6 Jul 2011 15:42:40 -0700 (PDT)
Received: from smtp.microsoft.com (smtp.microsoft.com [131.107.115.214]) by ietfa.amsl.com (Postfix) with ESMTP id 5AC2321F8B1D for <oauth@ietf.org>; Wed, 6 Jul 2011 15:42:40 -0700 (PDT)
Received: from TK5EX14MLTC103.redmond.corp.microsoft.com (157.54.79.174) by TK5-EXGWY-E803.partners.extranet.microsoft.com (10.251.56.169) with Microsoft SMTP Server (TLS) id 8.2.176.0; Wed, 6 Jul 2011 15:42:33 -0700
Received: from CH1EHSOBE005.bigfish.com (157.54.51.113) by mail.microsoft.com (157.54.79.174) with Microsoft SMTP Server (TLS) id 14.1.289.8; Wed, 6 Jul 2011 15:42:33 -0700
Received: from mail151-ch1-R.bigfish.com (216.32.181.172) by CH1EHSOBE005.bigfish.com (10.43.70.55) with Microsoft SMTP Server id 14.1.225.22; Wed, 6 Jul 2011 22:42:31 +0000
Received: from mail151-ch1 (localhost.localdomain [127.0.0.1]) by mail151-ch1-R.bigfish.com (Postfix) with ESMTP id EB53015A82CF for <oauth@ietf.org.FOPE.CONNECTOR.OVERRIDE>; Wed, 6 Jul 2011 22:42:31 +0000 (UTC)
X-SpamScore: -22
X-BigFish: PS-22(zz9371Mc857hzz1202h1082kzz1033IL8275bh8275dhz31h2a8h668h839h61h)
X-Spam-TCS-SCL: 0:0
X-Forefront-Antispam-Report: CIP:157.55.61.146; KIP:(null); UIP:(null); IPV:SKI; H:CH1PRD0302HT008.namprd03.prod.outlook.com; R:internal; EFV:INT
Received-SPF: softfail (mail151-ch1: transitioning domain of microsoft.com does not designate 157.55.61.146 as permitted sender) client-ip=157.55.61.146; envelope-from=tonynad@microsoft.com; helo=CH1PRD0302HT008.namprd03.prod.outlook.com ; .outlook.com ;
Received: from mail151-ch1 (localhost.localdomain [127.0.0.1]) by mail151-ch1 (MessageSwitch) id 1309992151623928_10406; Wed, 6 Jul 2011 22:42:31 +0000 (UTC)
Received: from CH1EHSMHS013.bigfish.com (snatpool1.int.messaging.microsoft.com [10.43.68.251]) by mail151-ch1.bigfish.com (Postfix) with ESMTP id 935B685004B; Wed, 6 Jul 2011 22:42:31 +0000 (UTC)
Received: from CH1PRD0302HT008.namprd03.prod.outlook.com (157.55.61.146) by CH1EHSMHS013.bigfish.com (10.43.70.13) with Microsoft SMTP Server (TLS) id 14.1.225.22; Wed, 6 Jul 2011 22:42:27 +0000
Received: from CH1PRD0302MB115.namprd03.prod.outlook.com ([169.254.1.239]) by CH1PRD0302HT008.namprd03.prod.outlook.com ([10.28.29.127]) with mapi id 14.01.0225.056; Wed, 6 Jul 2011 22:42:27 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: "William J. Mills" <wmills@yahoo-inc.com>, "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Native Application Text
Thread-Index: Acw16NyZvC61BBzbTqSOVSJ2OxoVBgAFBNQAAYUdjYA=
Date: Wed, 06 Jul 2011 22:42:26 +0000
Message-ID: <B26C1EF377CB694EAB6BDDC8E624B6E723154796@CH1PRD0302MB115.namprd03.prod.outlook.com>
References: <B26C1EF377CB694EAB6BDDC8E624B6E723143605@CH1PRD0302MB115.namprd03.prod.outlook.com> <1309311376.66076.YahooMailNeo@web31811.mail.mud.yahoo.com>
In-Reply-To: <1309311376.66076.YahooMailNeo@web31811.mail.mud.yahoo.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.28.29.114]
Content-Type: multipart/alternative; boundary="_000_B26C1EF377CB694EAB6BDDC8E624B6E723154796CH1PRD0302MB115_"
MIME-Version: 1.0
X-OrganizationHeadersPreserved: CH1PRD0302HT008.namprd03.prod.outlook.com
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%YAHOO-INC.COM$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%IETF.ORG$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-OriginatorOrg: microsoft.com
X-CrossPremisesHeadersPromoted: TK5EX14MLTC103.redmond.corp.microsoft.com
X-CrossPremisesHeadersFiltered: TK5EX14MLTC103.redmond.corp.microsoft.com
Subject: Re: [OAUTH-WG] Native Application Text
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Jul 2011 22:42:41 -0000
I assume you are referencing 4.3.2? I think of that as a normal flow that not specific to native applications. What is pointed out here is the authorization code grant flow and the case you point out is covered in 1.4.3 From: William J. Mills [mailto:wmills@yahoo-inc.com] Sent: Tuesday, June 28, 2011 6:36 PM To: Anthony Nadalin; OAuth WG (oauth@ietf.org) Subject: Re: [OAUTH-WG] Native Application Text You text does not mention what will be a common use case, where the native app uses the password grant to fetch a refresh and access token. Whether or not an app can keep a secret, it's better to have it store the token than the username/password pair. ________________________________ From: Anthony Nadalin <tonynad@microsoft.com<mailto:tonynad@microsoft.com>> To: "OAuth WG (oauth@ietf.org<mailto:oauth@ietf.org>)" <oauth@ietf.org<mailto:oauth@ietf.org>> Sent: Tuesday, June 28, 2011 6:15 PM Subject: [OAUTH-WG] Native Application Text 9. Native Applications A native application is a client which is installed and executes on the end-user's device (i.e. desktop application, native mobile application, etc.). Native applications may require special consideration related to security, platform capabilities, and overall end-user experience. The following are examples of how native applications may utilize OAuth: o Initiate an Authorization Request using an external user-agent: The native application can capture the response from the authorization server using a variety of techniques such as the use of the various methods for redirection including a URI identifying a custom URI scheme (registered with the operating system to invoke the native application as handler), manual copy-and-paste, running a local webserver, browser plug-ins, or by providing a redirection URI identifying a server-hosted resource under the native application's control, which in turn makes the response available to the native application. o Initiate an Authorization Request using an embedded user-agent: The native application obtains the response by directly communicating with the embedded user-agent. Techniques include monitoring state changes emitted during URL loading, monitoring http headers, accessing the user-agent's cookie jar, etc. When choosing between launching an external user-agent and an embedded user-agent, native application developers should consider the following: o External user-agents may improve completion rate as the end-user may already have an active session with the authorization server removing the need to re-authenticate, and provide a familiar user-agent user experience and functionality. The end-user may also rely on extensions or add-ons to assist with authentication (e.g. password managers or 2-factor device reader). o Embedded user-agents may offer an improved end-user flow, as they remove the need to switch context and open new windows. o Embedded user-agents pose a security challenge because end-users are authenticating in an unidentified window without access to the visual protections found on by many of the external user-agents. Embedded user-agents educate end-user to trust unidentified requests for authentication (making phishing attacks easier to execute). When choosing between implicit and authorization code grant types, the following should be considered: o Native applications that use the authorization code grant type flow SHOULD do so without using client password credentials, due to the native application’s inability to keep those credentials secure. o When using the implicit grant type flow a refresh token is not returned _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Native Application Text Anthony Nadalin
- Re: [OAUTH-WG] Native Application Text William J. Mills
- Re: [OAUTH-WG] Native Application Text Mark Mcgloin
- Re: [OAUTH-WG] Native Application Text Anthony Nadalin
- Re: [OAUTH-WG] Native Application Text Eran Hammer-Lahav