[OAUTH-WG] OAuth assurance question on mobile devices and different flows

Dan Blum <dan@respectnetwork.net> Wed, 30 October 2013 16:24 UTC

From: Dan Blum <dan@respectnetwork.net>
To: oauth list <oauth@ietf.org>
Date: Wed, 30 Oct 2013 12:24:19 -0400

Hi,
I've enclosed some notes which were sent in to the Internet Identity
Workshop (IIW) on an OAuth session at IIW last week with Dick Hardt. Much
of the session ended up deep-ending on the OAuth/mobile assurance issue that I
address in the following blog post:

Managing OAuth Risks in Mobile Applications
<http://security-architect.blogspot.com/2013/10/managing-oauth-risks-in-mobile.html>

*Session Title:* OAuth - the good parts... Intro to OAuth by Dick Hardt

Note: this session was combined with the session OAuth 2.0 Assurance by Dan
Blum

Moderated by Dick Hardt and Dan Blum

*Summary:* Attendees of this session were primarily interested in sharing
observations on OAuth best practices. After some discussion, a debate arose
about best practices for securing the OAuth interaction with mobile
clients. This debate wasn't resolved.

*General Notes:*

OAuth is a framework, not a protocol.

Many implementations still use OAuth 1; there was some discussion of this,
but no strong reason or justification to continue focusing on OAuth 1 was
expressed at this meeting.

How do you build an API that lets people run apps that register people on
the device, and what are the best practices?

Major social networks (e.g. salesforce) are giving developers samples that
are "like" what they are trying to do; are these best practices or just
historical artifacts?

*Secure OAuth use with mobile devices discussion / debate*
(see Managing OAuth Risks in Mobile Applications
<http://security-architect.blogspot.com/2013/10/managing-oauth-risks-in-mobile.html>)

I'd appreciate your thoughts on the issues. Comments on the blog post, or
here, would be great.

Best regards,
Dan Blum