Re: [OAUTH-WG] Android App Links (AKA Universal Links)

George Fletcher <gffletch@aol.com> Tue, 03 November 2020 22:12 UTC

To: Dick Hardt <dick.hardt@gmail.com>, Joseph Heenan <joseph@authlete.com>
Cc: oauth <oauth@ietf.org>
References: <CAD9ie-tixMTAbPOtzPUjZdM7oa6_Rw2Gfbup2NQHUHJMu9LBTg@mail.gmail.com> <65B3EF09-25F4-4F3E-96DD-05FA60F044D0@authlete.com> <CAD9ie-vFguzxNzgZKae2Qjq_POrEVyznLXyKmg6MyG+xV4LfVA@mail.gmail.com>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <49d1a3ce-619e-abe7-5c4f-7c2fec8c8889@aol.com>
Date: Tue, 03 Nov 2020 17:12:08 -0500
In-Reply-To: <CAD9ie-vFguzxNzgZKae2Qjq_POrEVyznLXyKmg6MyG+xV4LfVA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/4kSA49G49OH_wgWIWDEud9mPoxw>

I sent in some notes but I don't have a link for the recording. I don't 
believe the recordings were being kept much past the end of the 
conference. I'm pretty sure I heard that the recordings would be removed 
after N days (I don't remember what N was stated as:)

Joseph's explanation is better than I could have given and matches my 
understanding as well.

Thanks,
George

On 11/3/20 2:13 PM, Dick Hardt wrote:
> Thanks Joseph.
>
> George Fletcher ran a great session on the topic at the last IIW as well.
>
> George: do you have a link?
>
> On Tue, Nov 3, 2020 at 11:09 AM Joseph Heenan <joseph@authlete.com> wrote:
>
>> Hi Dick
>>
>> I didn’t attend the call so don’t know the background of this and the
>> exact situation, but the general problem is mostly where the Authorization
>> Server’s app is *not* installed. In that case Android falls back to much
>> weaker mechanisms that allow other apps to get a look in. App links also
>> aren’t consistently supported across all commonly used Android browsers
>> which causes further problems.
>>
>> In general, to do app2app OAuth redirections securely on Android it’s
>> necessary for both apps to fetch the /.well-known/assetlinks.json for the
>> url they want to redirect to, and verify that the intent the app intends to
>> launch to handle the url is signed using the expected certificate. Web2app
>> flows are trickier, on both iOS and on Android. There were lengthy
>> discussions on at least the Android case at OAuth Security Workshop this
>> year (recordings available).
>>
>> Joseph
>>
>>
>> On 20 Oct 2020, at 00:09, Dick Hardt <dick.hardt@gmail.com> wrote:
>>
>> Hey Vittorio
>>
>> (cc'ing OAuth list as this was brought up in the office hours today)
>>
>> https://developer.android.com/training/app-links
>>
>> An app is the default handler and the developer has verified ownership of
>> the HTTPS URL. While a user can override the app being the default handler
>> in the system settings -- I don't see how a malicious app can be the
>> default setting.
>>
>> What am I missing?
>>
>> /Dick
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
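The check Joseph describes in the quoted reply (fetch the target origin's /.well-known/assetlinks.json and hand the URL only to an app whose package name and signing-certificate SHA-256 fingerprint both appear in a handle_all_urls statement), worked through as an added example. This code is not part of the thread and is not Android's or any library's implementation; it is written in Python so the decision logic can be run and tested offline. On a device the candidate handlers and their certificate fingerprints would come from the platform package manager and the JSON would be fetched over HTTPS; here the asset-links document, the package names and the fingerprints are constructed sample values.

```python
"""Reference logic for deciding whether an app may be launched to handle an
https redirect URL, following the app2app rule discussed in the thread:
the launching app must verify BOTH the package name AND the signing-cert
fingerprint against the target origin's Digital Asset Links statements.
All sample data below is constructed for illustration."""
import hashlib
import json
import re
from typing import Dict, Iterable, Optional, Set, Tuple
from urllib.parse import urlsplit

HANDLE_ALL_URLS = "delegate_permission/common.handle_all_urls"

# Constructed stand-in for what the device would report as the genuine
# authorization-server app's signing certificate fingerprint (hex, no colons).
GENUINE_FINGERPRINT = "146de983c5730650d8eeb9952f34fc6416a08342e61dbea88a0496b23fcf44e5"

# Constructed sample of /.well-known/assetlinks.json as served by the
# authorization server's web origin (example package and fingerprint).
SAMPLE_ASSETLINKS = json.dumps([
    {
        "relation": [HANDLE_ALL_URLS],
        "target": {
            "namespace": "android_app",
            "package_name": "com.example.authserver",
            "sha256_cert_fingerprints": [
                "14:6D:E9:83:C5:73:06:50:D8:EE:B9:95:2F:34:FC:64:"
                "16:A0:83:42:E6:1D:BE:A8:8A:04:96:B2:3F:CF:44:E5"
            ],
        },
    },
    {   # An unrelated web statement; it must not influence app-launch decisions.
        "relation": ["delegate_permission/common.get_login_creds"],
        "target": {"namespace": "web", "site": "https://as.example.com"},
    },
])


def assetlinks_url(redirect_url: str) -> str:
    """Well-known location of the asset-links file for the origin of the URL
    being handed off. Only https origins can be verified; anything else fails."""
    parts = urlsplit(redirect_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("app link verification requires an https URL")
    host = parts.hostname
    if parts.port and parts.port != 443:
        host = f"{host}:{parts.port}"
    return f"https://{host}/.well-known/assetlinks.json"


def normalize_fingerprint(fp: str) -> str:
    """Canonical form used for comparison: 32 bytes as upper-case hex pairs
    joined by ':' (the form the asset-links file uses)."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", fp).upper()
    if len(hexdigits) != 64:
        raise ValueError("SHA-256 fingerprint must be exactly 32 bytes")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 64, 2))


def fingerprint_from_der(cert_der: bytes) -> str:
    """Fingerprint of a DER-encoded signing certificate: SHA-256 over the DER
    bytes. On a device this is derived from the package manager's signing info."""
    return normalize_fingerprint(hashlib.sha256(cert_der).hexdigest())


def android_targets(assetlinks_text: str) -> Dict[str, Set[str]]:
    """Map package_name -> set of normalized fingerprints, taken only from
    android_app statements that grant handle_all_urls."""
    targets: Dict[str, Set[str]] = {}
    for stmt in json.loads(assetlinks_text):
        target = stmt.get("target", {})
        if HANDLE_ALL_URLS not in stmt.get("relation", []):
            continue
        if target.get("namespace") != "android_app":
            continue
        fps = {normalize_fingerprint(f) for f in target.get("sha256_cert_fingerprints", [])}
        targets.setdefault(target["package_name"], set()).update(fps)
    return targets


def is_verified_handler(assetlinks_text: str, package_name: str, cert_fingerprint: str) -> bool:
    """True only if the package name AND its signing certificate match a statement."""
    try:
        fp = normalize_fingerprint(cert_fingerprint)
    except ValueError:
        return False
    return fp in android_targets(assetlinks_text).get(package_name, set())


def choose_handler(assetlinks_text: str, candidates: Iterable[Tuple[str, str]]) -> Optional[str]:
    """Pick the package to launch from the (package, fingerprint) pairs the OS
    resolver offers for the URL. Returns None when nothing verifies: the caller
    must then NOT launch whichever app merely claims the host, since that is the
    weak fallback path the thread warns about."""
    for package_name, fingerprint in candidates:
        if is_verified_handler(assetlinks_text, package_name, fingerprint):
            return package_name
    return None


if __name__ == "__main__":
    # Constructed resolver results: an unrelated app that registered an intent
    # filter for the AS host, a repackaged build signed with a different key,
    # and the genuine AS app. Only the last one is allowed to be launched.
    resolver_results = [
        ("com.evil.lookalike", "AA" * 32),
        ("com.example.authserver", "BB" * 32),
        ("com.example.authserver", GENUINE_FINGERPRINT),
    ]
    print(assetlinks_url("https://as.example.com/authorize?client_id=x"))
    print(choose_handler(SAMPLE_ASSETLINKS, resolver_results))
```

The important design choice is that `choose_handler` returns `None` rather than falling through to the first app that claims the host: when the genuine app is absent, a mere intent-filter match is exactly the weaker mechanism that lets other apps "get a look in", so the caller should treat "no verified handler" as a reason not to launch a native app at all.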