Re: [OAUTH-WG] OAuth 2.0 for Native Apps: Call for Adoption Finalized
William Denniss <wdenniss@google.com> Fri, 05 February 2016 19:01 UTC
From: William Denniss <wdenniss@google.com>
Date: Fri, 05 Feb 2016 11:01:03 -0800
Message-ID: <CAAP42hBnZMV51vcL2GQD6kbCS7aDC0pz0KP-nMsoT0j+EgkiGg@mail.gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/8DJ0NdImTB_D3ewxIUhVy8XfCZA>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Thank you everyone for your support, and adoption of this document!

This spec doesn't modify the OAuth 2.0 protocol; rather, it provides a set of technical guidelines for implementing OAuth 2.0 for native apps in a secure and usable way. The intent is a document that has the technical approval of this working group, and the IETF as a whole, as per RFC1818. Based on this, I believe "Best Current Practice" is indeed the correct designation for this document.

For example, many implementations don't allow redirection URIs for non-"https" schemes, though RFC6749 doesn't have this restriction. Our BCP documents how to allow these schemes in redirect URIs safely for native apps. The advice is based on our experience supporting native clients in this way for several years.

In X years, if the mobile landscape has changed, I suspect we might revise the document to point to the new best practices of the time. BCP-designation helps with this by giving us a stable reference for the practice of using standards-compliant OAuth with native apps.

On Fri, Feb 5, 2016 at 8:13 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:

> The chairs approved this as a working group document.
>
> The initial version I posted is marked as an intended status as a "Best Current Practice".
>
> The advantage of a BCP is that it can be updated to include new information as things change.
>
> The spec has no extensions to OAuth 2 or MUSTs to profile it.
>
> Like the TLS BCP it provides implementation advice for developers to safely use the "Standards Track" specifications.
>
> If that is the wrong intended Category it can be changed by the WG chairs at any time.
>
> Thanks for supporting the document. I hope that we can expand it with more specific advice for developers on native platforms beyond just iOS and Android. However, what we can do will depend on people with experience in other platforms contributing.
>
> Regards
> John B.
>
> On Feb 5, 2016, at 12:10 PM, Adam Lewis <adam.lewis@motorolasolutions.com> wrote:
>
> > +1 that it should be Informational.
> >
> > Also, I never got to respond to the original request, but I am heavily in favor of this draft. I talk with a lot of native app developers who are clueless about how to implement OAuth. The core RFC is very web app oriented. I look forward to having a more profiled RFC to point them to :-)
> >
> > adam
> >
> > On Thu, Feb 4, 2016 at 7:13 PM, Justin Richer <jricher@mit.edu> wrote:
> >
> > > I'd like to note that when Tony brought up it being Experimental on the list, several of us (myself included) pointed out that Informational is the correct designation for this specification.
> > >
> > > — Justin
> > >
> > > On Feb 4, 2016, at 2:18 PM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
> > >
> > > > Hi all,
> > > >
> > > > On January 19th I posted a call for adoption of the OAuth 2.0 for Native Apps specification, see
> > > > http://www.ietf.org/mail-archive/web/oauth/current/msg15400.html
> > > >
> > > > There was very positive feedback during the Yokohama IETF meeting to work on this document in the OAuth working group. More than 10 persons responded positively to the call on the mailing list as well.
> > > >
> > > > Several persons provided additional input for content changes during the call and here are the relevant links:
> > > > http://www.ietf.org/mail-archive/web/oauth/current/msg15434.html
> > > > http://www.ietf.org/mail-archive/web/oauth/current/msg15435.html
> > > > http://www.ietf.org/mail-archive/web/oauth/current/msg15438.html
> > > >
> > > > Tony also noted that this document should become an Experimental RFC rather than a Standards Track RFC. The chairs will consult with the Security Area directors on this issue.
> > > >
> > > > To conclude, based on the call <draft-wdenniss-oauth-native-apps> will become the starting point for work in OAuth. Please submit the document as draft-ietf-oauth-native-apps-00.txt.
> > > >
> > > > Ciao
> > > > Hannes & Derek
> > > >
> > > > _______________________________________________
> > > > OAuth mailing list
> > > > OAuth@ietf.org
> > > > https://www.ietf.org/mailman/listinfo/oauth
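The point about non-"https" redirect URIs is what the draft (later published as RFC 8252) addresses: private-use reverse-domain schemes and loopback http redirection with a variable port. As an added illustration, not code from the working group or the draft, and using a constructed client registration, here is an authorization-server-side redirect_uri check written on those rules:

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed client registration for illustration (not from the thread):
# a native app registered with an https app link, a reverse-domain
# private-use scheme, and a loopback http redirect.
REGISTERED_REDIRECT_URIS = [
    "https://app.example.com/oauth2redirect",
    "com.example.app:/oauth2redirect",
    "http://127.0.0.1/oauth2redirect",
]


def _is_loopback_literal(host):
    """True only for loopback IP literals (127.0.0.0/8 or ::1).
    'localhost' is rejected on purpose: RFC 8252 prefers IP literals so
    that name resolution cannot send the response elsewhere."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def redirect_uri_allowed(uri, registered=REGISTERED_REDIRECT_URIS):
    """Authorization-server-side check of a native client's redirect_uri."""
    req = urlsplit(uri)
    if req.fragment:  # RFC 6749 section 3.1.2 forbids a fragment component
        return False
    for reg in map(urlsplit, registered):
        if req.scheme != reg.scheme:
            continue
        if req.scheme == "https":
            # Claimed https URI: exact match against the registration.
            if req.geturl() == reg.geturl():
                return True
        elif req.scheme == "http":
            # Loopback redirection: host must be a loopback literal on both
            # sides; the port is NOT compared because the app binds an
            # ephemeral port at runtime and the AS must accept any port.
            if (_is_loopback_literal(req.hostname or "")
                    and _is_loopback_literal(reg.hostname or "")
                    and (req.path, req.query) == (reg.path, reg.query)):
                return True
        else:
            # Private-use (reverse-domain) scheme: the scheme itself is the
            # client-specific part, so scheme + path + query must match.
            if (req.path, req.query) == (reg.path, reg.query):
                return True
    return False
```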