[OAUTH-WG] Re: Call for adoption - First Party Apps

Aaron Parecki <aaron@parecki.com> Wed, 04 September 2024 16:09 UTC

References: <CADNypP9ZHktRzztqCxGfHPOq5A5xo2GohFZms41ZjoTKjkcjkg@mail.gmail.com> <33048643-AAAC-4466-B875-72566EBEA7AF@gmail.com>
In-Reply-To: <33048643-AAAC-4466-B875-72566EBEA7AF@gmail.com>
From: Aaron Parecki <aaron@parecki.com>
Date: Wed, 04 Sep 2024 09:09:19 -0700
Message-ID: <CAGBSGjoWzmaZ-jWS-VY6h3R7OZkUVMYkGomyM9Yt9UYwuBB2cA@mail.gmail.com>
To: Neil Madden <neil.e.madden@gmail.com>
CC: oauth <oauth@ietf.org>
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/5mKcfXk1KX2akJC0cQCLMx-776o>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>

A native UI does not rule out WebAuthn/FIDO; in fact, we have an in-progress
branch of the draft that shows how you could support passkeys with this
spec: https://github.com/aaronpk/oauth-first-party-apps/pull/93

While there isn't an RFC for authenticating first-party apps, there is
plenty of precedent for doing so already using the Apple and Android APIs.
There is an adopted in-progress draft that could standardize this as well:
https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/

Aaron

On Wed, Sep 4, 2024 at 7:37 AM Neil Madden <neil.e.madden@gmail.com> wrote:

> I am a bit skeptical about this one. I’m not convinced we should be
> recommending native UI until/unless we have a really good story around
> authenticating first-party apps. Without such a story, I don’t think this
> should be adopted. Unless I’m mistaken, a native UI also rules out
> WebAuthn/FIDO-based authenticators? We should not be adopting drafts that
> increase phishing risks for the sake of aesthetics.
>
> — Neil
>
> On 3 Sep 2024, at 11:46, Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
> wrote:
>
> All,
>
> As per the discussion in Vancouver, this is a call for adoption for the
> First Party Apps draft:
> https://datatracker.ietf.org/doc/draft-parecki-oauth-first-party-apps/
>
> Please reply on the mailing list and let us know whether you are in favor of
> or against adopting this draft as a WG document, by *Sep 17th*.
>
> Regards,
>  Rifaat & Hannes
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-leave@ietf.org