[OAUTH-WG] Authorization handover from mobile app to website

"SOMMER, DOMINIK" <dominik.sommer@milesandmore.com> Fri, 12 March 2021 18:19 UTC

From: "SOMMER, DOMINIK" <dominik.sommer@milesandmore.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Date: Fri, 12 Mar 2021 18:18:43 +0000
Message-ID: <AM0PR09MB2803A357A8B7E19CEC415A52F36F9@AM0PR09MB2803.eurprd09.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/3gpc3tbaIdRJ4YUdSlizpYJbkq4>

Hi all,

We have recently launched a mobile app that uses our website’s login and the authorization code flow to authenticate and authorize user access (following RFC 8252).

However, not all of our website features are natively ported to the app itself. Some are only available on the website in logged-in state. That’s why we implemented an authorization handover mechanism based on one-time login codes: this allows the app (in logged-in state) to open a web view and hand over authentication and authorization, effectively logging the user in on the website. This achieves a seamless experience for the user without compromising on security.

We came up with this mechanism after researching for prior practice, but we couldn’t find anything applicable for this scenario.

Hence, three questions to the list:
1. Did we miss anything in our research? Is there a common best practice available?
2. If the answer to 1. is “No”, would the working group appreciate an RFC draft describing the solution we came up with? (We’d be eager for comments to make it even more secure ☺ )
3. If the answer to 2. is “Yes”, can someone point me to documentation on the procedure, if such exist?

Thanks for your support and
best regards,
Dominik

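As an added illustration of the one-time login-code handover the post describes (example code written for this page, not code from the original message or from Miles & More): the store below mints a high-entropy code on the app side and consumes it exactly once on the website side. Everything specific here is an assumption: a 60-second lifetime, a 256-bit code kept only as a SHA-256 digest, and an issuing endpoint that already sits behind the app's RFC 8252 access token, so `issue()` receives an authenticated `user_id` and the scope the app holds.

```python
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

# Assumptions (not from the original post): a 60-second lifetime and a
# 256-bit random code. The code is a bearer credential for the web session,
# so it gets the same entropy as an access token.
CODE_TTL_SECONDS = 60
CODE_BYTES = 32


class HandoverCodeStore:
    """Issues and redeems one-time login codes for app-to-website handover.

    Hypothetical example of the mechanism described in the post, not the
    poster's implementation. The issuing endpoint is assumed to be protected
    by the app's existing bearer-token authorization, so issue() is handed an
    already-authenticated user_id.
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        # Keyed by SHA-256 of the code: a dump of this table yields no usable codes.
        self._pending: Dict[str, Tuple[str, str, float]] = {}

    @staticmethod
    def _digest(code: str) -> str:
        return hashlib.sha256(code.encode("ascii")).hexdigest()

    def issue(self, user_id: str, scope: str) -> str:
        """App side: mint a single-use code bound to the user and the app's scope."""
        code = secrets.token_urlsafe(CODE_BYTES)
        expires_at = self._clock() + CODE_TTL_SECONDS
        self._pending[self._digest(code)] = (user_id, scope, expires_at)
        return code

    def redeem(self, code: str) -> Optional[Tuple[str, str]]:
        """Website side: consume the code exactly once; None means 'do not log in'."""
        # pop() removes the entry before any check, so a replayed or
        # concurrently submitted copy of the same code finds nothing.
        entry = self._pending.pop(self._digest(code), None)
        if entry is None:
            return None
        user_id, scope, expires_at = entry
        if self._clock() > expires_at:
            return None
        return user_id, scope

    def purge_expired(self) -> int:
        """Housekeeping: drop codes that were never redeemed; returns how many."""
        now = self._clock()
        stale = [k for k, (_, _, exp) in self._pending.items() if now > exp]
        for k in stale:
            del self._pending[k]
        return len(stale)


def handover_flow(store: HandoverCodeStore, user_id: str, scope: str) -> Optional[Tuple[str, str]]:
    """End-to-end: app requests a code, web view submits it, website opens the session."""
    code = store.issue(user_id, scope)   # 1. app calls the code endpoint with its access token
    # 2. app opens the web view on the website's handover login page and submits
    #    the code in a POST body, not in the query string, so it stays out of
    #    referrers, proxy logs and browser history.
    return store.redeem(code)            # 3. website redeems once and sets its session cookie
```

Two design points the code relies on: the pop-before-check in `redeem()` is what makes the code single-use, so in a multi-instance deployment the shared store needs an equivalent atomic delete rather than a read followed by a write; and the web session created from `(user_id, scope)` should carry no more authorization than the app's own token did, since the handover is a transfer of an existing grant, not a new one.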