Re: [OAUTH-WG] popular apps that use appauth?

David Waite <david@alkaline-solutions.com> Mon, 25 February 2019 00:59 UTC

From: David Waite <david@alkaline-solutions.com>
In-Reply-To: <CAAP42hCO4m=tmj3omgg+EH2CguF_OVocUzbSwnWRnyb2MQZYVQ@mail.gmail.com>
Date: Sun, 24 Feb 2019 17:59:37 -0700
Cc: Brock Allen <brockallen@gmail.com>, oauth <oauth@ietf.org>
Message-Id: <CCD4D46C-E6EC-4FD2-871B-C969756F9552@alkaline-solutions.com>
References: <67bf27b0-e7d6-4710-ba6e-f46809d60d77@getmailbird.com> <CAO7Ng+v7vCy_cnm00YryN11P5JZngm5R51pBJ5+rQYBF43yz1A@mail.gmail.com> <5dda37c0-e3c5-5e64-347b-25d561072232@ve7jtb.com> <c6f71d94-12f4-4f99-b373-c9f815325da1@getmailbird.com> <CAAP42hCO4m=tmj3omgg+EH2CguF_OVocUzbSwnWRnyb2MQZYVQ@mail.gmail.com>
To: William Denniss <wdenniss=40google.com@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/7l-DPoDBw_xNED2m3lKyy97Eszw>
Subject: Re: [OAUTH-WG] popular apps that use appauth?

> On Feb 24, 2019, at 10:43 AM, William Denniss <wdenniss=40google.com@dmarc.ietf.org> wrote:
> 
> For 1P sign-in, there are several good reasons to go with ASWebAuthenticationSession, like syncing the signed-in session with Safari and using it if it already exists.

With enterprise 3P, you’ll have to use some web agent for authentication pretty much no matter what, and you’ll almost certainly get pressure to use ASWebAuthenticationSession, and/or potentially lose deals to competitors during product evaluations. It is simply what is required for robust integration into a corporate infrastructure.

For 1P on iOS, it depends on the complexity of authentication for first party. If you are just doing password and maybe SMS-based challenges, there is decent enough native app integration for password sharing and SMS keyboard for that to keep conversions high, even with having to authenticate twice.

However, if you want to authenticate the device (even pseudonymously with session cookies) or do other factors, the authentication is simpler with ASWebAuthenticationSession. This means that, if you have more complex authentication requirements anywhere on your roadmap, your life will be easier if you just start off using ASWebAuthenticationSession.

It is likely that future authentication technologies like WebAuthn will not work with an embedded web view. The ability to arbitrarily inject JavaScript means that apps can phish WebAuthn responses for domains via embedded web views.

-DW
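The message above argues for starting with ASWebAuthenticationSession rather than an embedded web view. As an added illustration that is not part of the thread and not code from any of its participants, the following Swift sketch shows what that looks like for a native iOS OAuth client: the authorization request is built with PKCE (S256) and a random `state`, handed to the system web agent, and the callback is accepted only if its `state` matches. The authorization endpoint, client id and redirect scheme are placeholders, and the `AuthFlow` class, `AuthError` enum and helper functions are this example's own names, not an API from the thread.

```swift
import AuthenticationServices
import CryptoKit
import Foundation
import Security

// Placeholder authorization server and client registration (constructed for this
// example; substitute the values from your own AS registration).
let authorizationEndpoint = URL(string: "https://as.example.com/authorize")!
let clientID = "example-client-id"
let redirectScheme = "com.example.app"
let redirectURI = "\(redirectScheme):/oauth2redirect"

extension Data {
    // base64url without padding, as PKCE (RFC 7636) requires.
    func base64URLEncodedString() -> String {
        base64EncodedString()
            .replacingOccurrences(of: "+", with: "-")
            .replacingOccurrences(of: "/", with: "_")
            .replacingOccurrences(of: "=", with: "")
    }
}

// Cryptographically random value for `state` and the PKCE code verifier.
func randomURLSafeString(byteCount: Int = 32) -> String {
    var bytes = [UInt8](repeating: 0, count: byteCount)
    _ = SecRandomCopyBytes(kSecRandomDefault, byteCount, &bytes)
    return Data(bytes).base64URLEncodedString()
}

// code_challenge = BASE64URL(SHA256(code_verifier))
func codeChallenge(for verifier: String) -> String {
    let digest = SHA256.hash(data: Data(verifier.utf8))
    return Data(digest).base64URLEncodedString()
}

enum AuthError: Error { case invalidCallback }

final class AuthFlow: NSObject, ASWebAuthenticationPresentationContextProviding {
    private var session: ASWebAuthenticationSession?
    private let anchor: ASPresentationAnchor

    init(anchor: ASPresentationAnchor) { self.anchor = anchor }

    func presentationAnchor(for session: ASWebAuthenticationSession) -> ASPresentationAnchor { anchor }

    // Runs the authorization request in the system web agent and returns the
    // authorization code plus the verifier needed for the token request.
    func start(completion: @escaping (Result<(code: String, verifier: String), Error>) -> Void) {
        let state = randomURLSafeString()
        let verifier = randomURLSafeString()

        var components = URLComponents(url: authorizationEndpoint, resolvingAgainstBaseURL: false)!
        components.queryItems = [
            URLQueryItem(name: "response_type", value: "code"),
            URLQueryItem(name: "client_id", value: clientID),
            URLQueryItem(name: "redirect_uri", value: redirectURI),
            URLQueryItem(name: "scope", value: "openid profile"),
            URLQueryItem(name: "state", value: state),
            URLQueryItem(name: "code_challenge", value: codeChallenge(for: verifier)),
            URLQueryItem(name: "code_challenge_method", value: "S256"),
        ]

        let session = ASWebAuthenticationSession(url: components.url!,
                                                 callbackURLScheme: redirectScheme) { callbackURL, error in
            if let error = error { completion(.failure(error)); return }
            // Reject the callback unless it carries a code and the state we issued.
            guard let callbackURL = callbackURL,
                  let items = URLComponents(url: callbackURL, resolvingAgainstBaseURL: false)?.queryItems,
                  items.first(where: { $0.name == "state" })?.value == state,
                  let code = items.first(where: { $0.name == "code" })?.value else {
                completion(.failure(AuthError.invalidCallback)); return
            }
            completion(.success((code, verifier)))
        }
        session.presentationContextProvider = self
        session.start()
        self.session = session   // keep the session alive until the callback fires
    }
}
```

Because the page is rendered by the system-provided agent rather than a WKWebView owned by the app, the app cannot inject script into the authorization server's origin; that is the property the message relies on for WebAuthn and other stronger factors to remain usable. The `state` check and PKCE verifier belong in the client regardless of which agent is used.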