Re: [OAUTH-WG] popular apps that use appauth?
John Bradley <ve7jtb@ve7jtb.com> Mon, 25 February 2019 13:29 UTC
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F3CC130EFC for <oauth@ietfa.amsl.com>; Mon, 25 Feb 2019 05:29:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ve7jtb-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qIW5EYqQnuxX for <oauth@ietfa.amsl.com>; Mon, 25 Feb 2019 05:29:08 -0800 (PST)
Received: from mail-wr1-x431.google.com (mail-wr1-x431.google.com [IPv6:2a00:1450:4864:20::431]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0A869128CB7 for <oauth@ietf.org>; Mon, 25 Feb 2019 05:29:07 -0800 (PST)
Received: by mail-wr1-x431.google.com with SMTP id i16so9898698wrs.13 for <oauth@ietf.org>; Mon, 25 Feb 2019 05:29:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Xwfq9k6t8XN09k0xi+PwMu7RefPgDtE4WlE9PT/9rNI=; b=fv2rWnLrzgkZabP0eTjYgvjCQp/AOHe5u094K8pQFwKigZMrTSmoQ21uupvTbiNFzH WXMJfcygpXraictnSXMvc7MJ1miScYzgSVMUpBJTJ34CSia3ooFwnG9b2ivYzVe77P9t NcRtBqWYQwjeYsvEEYMNX0mt0eq5vjZsfAAegfzTPLGcWaGTiAJAJCVdDhyS96+wMlWF v+RnUpZJXXWP+TWN7nMsJZ2cSbOyPVX3IDEd9YbmaFEIicUzQl8qnu6CUeR2LkvRy1Dt i1bBpXMqCT9XY6UKX0T+Xpq7MsqB2i1x9PT34gBkfme7Ki6mZxrIQfCNpbAVo2w9oWdV Un2w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Xwfq9k6t8XN09k0xi+PwMu7RefPgDtE4WlE9PT/9rNI=; b=fGVdST3uhE2Xr1ucVZsOr3r0qUiJp2OAooR6cIOSFJXDE4RVmCuP2XA0qeI+jtqg8u ifo9iYqgPrO07vQ7XKJQ73YJQf1tWW/Voly53xkNviwrFKUpfHkwfy09yhfVnDtXqj08 8OC42iQ+IWQtHS9xfy5s8xcX66Nkgv5q2XSc1PD3ra+n3kqSnVI5FDgcMmyiNLyiR44U 5uJs53DUALmIRu+bMYJ/qOa9BVINb9oRejpqFpgbQSOW9RpCsLMb0jiJKHqKLO8V7y4V VvIKsb32yQ/m3MfI3kb5aLXYlbcQM70MYFnNXPpcW6BEC9geQDvAW0Qw1nb47vMsueAm HLRQ==
X-Gm-Message-State: AHQUAuaykexS4zrCIA9PRqECM/FJlnfb0Yw2jVY0f8T7mX2I15ZGKOG2 tZ084ewTc2TRA2bAWR68itAsIfmY/5RxutZsF9rDtA==
X-Google-Smtp-Source: AHgI3IaLZPQNYqLiCTncwJrsaYn8fIlBPFYLI+vjhdsYaLAvz0VgAUOJgJpzfYySzZsd6J1kFLBRUi9Us4NY52pMju4=
X-Received: by 2002:adf:e8c7:: with SMTP id k7mr12952757wrn.298.1551101345823; Mon, 25 Feb 2019 05:29:05 -0800 (PST)
MIME-Version: 1.0
References: <67bf27b0-e7d6-4710-ba6e-f46809d60d77@getmailbird.com> <CAO7Ng+v7vCy_cnm00YryN11P5JZngm5R51pBJ5+rQYBF43yz1A@mail.gmail.com> <5dda37c0-e3c5-5e64-347b-25d561072232@ve7jtb.com> <c6f71d94-12f4-4f99-b373-c9f815325da1@getmailbird.com> <CAAP42hCO4m=tmj3omgg+EH2CguF_OVocUzbSwnWRnyb2MQZYVQ@mail.gmail.com> <CCD4D46C-E6EC-4FD2-871B-C969756F9552@alkaline-solutions.com> <CAO_FVe4Aj16zoqg7L+W=cagKY0S5egf8byaHcXTSFM9tnau5iw@mail.gmail.com> <CAANoGh+2b8HF_KCN9Qda8mADOjuCLu2QqhEwu=epu-4shLRzKw@mail.gmail.com> <CAO_FVe5Rohpt632gL_3bsn3DDxZL0BEp97B9GaAkUGs34iOZBA@mail.gmail.com>
In-Reply-To: <CAO_FVe5Rohpt632gL_3bsn3DDxZL0BEp97B9GaAkUGs34iOZBA@mail.gmail.com>
From: John Bradley <ve7jtb@ve7jtb.com>
Date: Mon, 25 Feb 2019 10:28:53 -0300
Message-ID: <CAANoGhLUi3+CDg9qqGqOZMMH5o3Wuyvs+Mwc=VaUDjDkOPqw_g@mail.gmail.com>
To: Vittorio Bertocci <Vittorio@auth0.com>
Cc: David Waite <david@alkaline-solutions.com>, William Denniss <wdenniss@google.com>, IETF oauth WG <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ba92340582b7ecde"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/5hWPzg_TTutCLSMxGGLMWk6qtnw>
Subject: Re: [OAUTH-WG] popular apps that use appauth?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Feb 2019 13:29:12 -0000
Win 10 2019H1 has a WebAuthn API for third party apps. Chrome and Fire Fox are now using it. Trusted browsers have some whitelisting involved. Other apps will be able to use the API eventually. There are some issues around the RPID for apps and websites that may make the authentication broker simpler. Android has a API but it requires whitelisting and really only talks to the platform authenticator at the moment. So for the moment AppAuth is the best option for WebAuthn. John B. On Mon, Feb 25, 2019, 8:38 AM Vittorio Bertocci <Vittorio@auth0.com> wrote: > True, the WAB is perhaps the best approximation of a desktop system > browser-like feature, but it doesn't solve Mac or Linux. Even within the > Windows world, Win10 usage pulled ahead of Win7 only in January, and > barely- and the WAB isn't available on Win7. > In fact, you bring up an excellent point. I am wondering if the OS vendors > are making any plans to make WebauthN available to desktop apps beyond 1st > party applications. > > Regadless of what the future might look like, the problems I listed above > are concrete blockers for the adption of that pattern on that desktop. I am > wondering if those issues should be explicitly acknowledged in the best > practices document, so that developers running into them realize they are > now issues and not something they are doing wrong. > > On Mon, Feb 25, 2019 at 3:21 AM John Bradley <ve7jtb@ve7jtb.com> wrote: > >> On Windows Web Authentication broker is a option. >> >> >> https://docs.microsoft.com/en-us/uwp/api/Windows.Security.Authentication.Web >> >> I have encouraged Apple to provide a SSO service on OSX. >> >> The availability of WebAuthn in browsers may make the platforms rethink >> some things. >> >> John B. >> >> >> On Mon, Feb 25, 2019, 7:48 AM Vittorio Bertocci <Vittorio= >> 40auth0.com@dmarc.ietf.org> wrote: >> >>> Ahh, as John knows this is a big pet peeve for me :) >>> >>> Although that's all true on mobile, on desktop things are more >>> complicated. >>> >>> - Using a system browser on the desktop (Linux/Mac/Windows) means >>> that you don't control the experience (there might be modal dialogs >>> occluding the browser or any other Z order windows factors; the browser >>> instance might have already other tabs open; the default browser of any >>> particular machine can be different; users might need to take steps to get >>> back to the app; etc) >>> - Use of loopback adapters is banned by many big enterprises on >>> their machines >>> - The big security advantages of the approach on mobile, where apps >>> are all nicely sandboxed, is not as pronounced in an environment where the >>> user login session in the machine is the main security boundary (think >>> keylogger attaching to the main windows events pump, or a debugger - all >>> stuff not possible on mobile but viable on desktops) >>> >>> True, it would be fantastic if desktop OSes would offer system browser >>> features comparable to what's available on iOS and Android - but today that >>> doesn't appear to be the case. And the inability to leverage existing >>> sessions when using embedded views on the desktop is a true pain. But >>> judging from the behavior of the most popular desktop apps in market >>> (Office, Slack, Adobe Reader, Visual Studio, even the Google Drive app for >>> Mac...) losing the ability to access cookies is less of a nuisance for >>> users than all of the above. And considering that desktop machines usually >>> have their own way of identifying devices, that is also not much of a >>> factor for desktop apps. >>> >>> The best practice has been discussed for the last 4 years and still all >>> of the big apps above remain on embedded: it is however telling that the >>> mobile apps from the same vendors all embraced the system browser approach. >>> Since the native best practices came out, I have been working with >>> desktop developers dealing with this cognitive dissonance of the best >>> practice saying something that is very hard to put in practice. I >>> understand that it is well intentioned and it is easier to give one single >>> advice for both mobile and desktop, but while the necessary features and >>> experiences are lacking on the desktop I am not sure how much of a >>> difference it is making in that use case. >>> >>> >>> >>> On Mon, Feb 25, 2019 at 12:59 AM David Waite < >>> david@alkaline-solutions.com> wrote: >>> >>>> >>>> > On Feb 24, 2019, at 10:43 AM, William Denniss <wdenniss= >>>> 40google.com@dmarc.ietf.org> wrote: >>>> > >>>> > For 1P sign-in, there are several good reasons to go with >>>> ASWebAuthenticationSession, like syncing the signed-in session with Safari >>>> and using it if it already exists. >>>> >>>> With enterprise 3P, you’ll have to use some web agent for >>>> authentication pretty much no matter what, and you’ll almost certainly get >>>> pressure to use ASWebAuthenticationSession, and/or potentially lose deals >>>> to competitors during product evaluations. It is simply what is required >>>> for robust integration into a corporate infrastructure. >>>> >>>> For 1P on iOS, it depends on the complexity of authentication for first >>>> party. If you are just doing password and maybe SMS-based challenges, there >>>> is decent enough native app integration for password sharing and SMS >>>> keyboard for that to keep conversions high, even with having to >>>> authenticate twice. >>>> >>>> However, if you want to authenticate the device (even pseudonymously >>>> with session cookies) or do other factors, the authentication is simpler >>>> with ASWebAuthenticationSession. Which means your life will be easier if >>>> you have more complex authentication requirements anywhere on your roadmap >>>> to just start off using ASWebAuthenticationSession. >>>> >>>> It is likely that future authentication technologies like WebAuthn will >>>> not work with an embedded web view. The ability to arbitrarily inject >>>> javascript means that apps can phish webauthn responses for domains via >>>> embedded web views. >>>> >>>> -DW >>>> >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org >>>> https://www.ietf.org/mailman/listinfo/oauth >>>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>> >>
- [OAUTH-WG] popular apps that use appauth? Brock Allen
- Re: [OAUTH-WG] popular apps that use appauth? Dominick Baier
- Re: [OAUTH-WG] popular apps that use appauth? David Waite
- Re: [OAUTH-WG] popular apps that use appauth? John Bradley
- Re: [OAUTH-WG] popular apps that use appauth? Brock Allen
- Re: [OAUTH-WG] popular apps that use appauth? William Denniss
- Re: [OAUTH-WG] popular apps that use appauth? David Waite
- Re: [OAUTH-WG] popular apps that use appauth? Vittorio Bertocci
- Re: [OAUTH-WG] popular apps that use appauth? John Bradley
- Re: [OAUTH-WG] popular apps that use appauth? Vittorio Bertocci
- Re: [OAUTH-WG] popular apps that use appauth? Dominick Baier
- Re: [OAUTH-WG] popular apps that use appauth? Vittorio Bertocci
- Re: [OAUTH-WG] popular apps that use appauth? Vittorio Bertocci
- Re: [OAUTH-WG] popular apps that use appauth? John Bradley
- Re: [OAUTH-WG] popular apps that use appauth? David Waite