[OAUTH-WG] Re: Call for adoption - First Party Apps

Tim Cappalli <tim.cappalli@okta.com> Wed, 04 September 2024 20:32 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/8Lmpu-Omt7FBPr-au7dPwghWvMM>

>
> Thanks, that’s good to know. Does it preserve phishing resistance? Ie the
> app cannot spoof the rpId?


The WebAuthn client for native apps is the app platform. The app platform,
aka the OS, handles origin binding using existing app to web domain
association methods (Android Asset Links
<https://developers.google.com/identity/credential-sharing/set-up>, Apple
Associated Domains
<https://developer.apple.com/documentation/xcode/supporting-associated-domains>).
This is used for both embedded WebViews and native app platform APIs. For
System WebView, the WebAuthn client is the web platform, just like a
browser (WebView details: Android
<https://passkeys.dev/docs/reference/android/#webviews>, iOS
<https://passkeys.dev/docs/reference/ios/#webviews>, macOS
<https://passkeys.dev/docs/reference/macos/#webviews>).

So, long story short, yes.
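As an added illustration of the origin binding described above (this is example code, not from the thread or from either platform): a Python model of the Android Digital Asset Links check the OS performs before letting a package signed with a given certificate use a site's rpId, plus the non-URL origin string the app ends up asserting, which is why a native app cannot spoof a web rpId. The package name, certificate bytes and assetlinks.json contents are constructed for the example.

```python
import base64
import hashlib
import json

# Relation that grants credential (passkey/password) sharing to an app.
RELATION = "delegate_permission/common.get_login_creds"

def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the signing cert in assetlinks.json notation (AB:CD:...)."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def android_origin(cert_der: bytes) -> str:
    """Origin the Android platform asserts for a native app: a hash of the
    signing cert, not an https:// URL, so it cannot collide with a web origin."""
    h = hashlib.sha256(cert_der).digest()
    return "android:apk-key-hash:" + base64.urlsafe_b64encode(h).rstrip(b"=").decode()

def app_may_use_rp_id(assetlinks_json: str, package_name: str, cert_der: bytes) -> bool:
    """Mirror of the OS-side check: the rpId's https://<rpId>/.well-known/assetlinks.json
    must list this package AND this signing cert under the credential-sharing relation.
    Anything malformed or missing is a deny."""
    try:
        statements = json.loads(assetlinks_json)
    except ValueError:
        return False
    wanted = cert_fingerprint(cert_der)
    for stmt in statements:
        target = stmt.get("target", {})
        if RELATION not in stmt.get("relation", []):
            continue
        if target.get("namespace") != "android_app":
            continue
        if target.get("package_name") != package_name:
            continue
        if wanted in target.get("sha256_cert_fingerprints", []):
            return True
    return False

# Constructed sample inputs (not real certificates or a real site).
LEGIT_CERT = b"constructed DER bytes of the genuine signing certificate"
ROGUE_CERT = b"constructed DER bytes of some other developer's certificate"
SAMPLE_ASSETLINKS = json.dumps([{
    "relation": [RELATION],
    "target": {"namespace": "android_app", "package_name": "com.example.app",
               "sha256_cert_fingerprints": [cert_fingerprint(LEGIT_CERT)]},
}])

if __name__ == "__main__":
    print(app_may_use_rp_id(SAMPLE_ASSETLINKS, "com.example.app", LEGIT_CERT))  # True
    print(app_may_use_rp_id(SAMPLE_ASSETLINKS, "com.example.app", ROGUE_CERT))  # False
    print(android_origin(LEGIT_CERT))
```

A repackaged app with a different signing key, or a different package name, fails the check even if it knows the rpId, and the relying party sees an `android:apk-key-hash:` origin rather than a web origin it could be tricked into accepting.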

On Wed, Sep 4, 2024 at 12:41 PM Neil Madden <neil.e.madden@gmail.com> wrote:

>
>
> On 4 Sep 2024, at 17:09, Aaron Parecki <aaron@parecki.com> wrote:
>
>
> A native UI does not rule out WebAuthn/FIDO, in fact we have an
> in-progress branch of the draft that shows how you could support passkeys
> with this spec: https://github.com/aaronpk/oauth-first-party-apps/pull/93
>
>
> Thanks, that’s good to know. Does it preserve phishing resistance? Ie the
> app cannot spoof the rpId?
>
>
> While there isn't an RFC for authenticating first-party apps, there is
> plenty of precedent for doing so already using the Apple and Android APIs.
> There is an adopted in-progress draft that could standardize this as well:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/
>
>
> Also good to know. Is the intent to restrict the draft to just mobile apps
> (and ones with secure enclaves?), or also desktop?
>
> I’d be a lot more comfortable with the draft if this SHOULD in section 1.1
> became a MUST:
>
> “ This specification MUST NOT be used by third party applications, and
> the authorization server SHOULD take measures to prevent use by third
> party applications. (e.g. only enable this grant for certain client IDs,
> and take measures to authenticate first-party apps when possible.)”
>
> — Neil
>
>
> Aaron
>
> On Wed, Sep 4, 2024 at 7:37 AM Neil Madden <neil.e.madden@gmail.com>
> wrote:
>
>> I am a bit skeptical about this one. I’m not convinced we should be
>> recommending native UI until/unless we have a really good story around
>> authenticating first-party apps. Without such a story, I don’t think this
>> should be adopted. Unless I’m mistaken, a native UI also rules out
>> WebAuthn/FIDO-based authenticators? We should not be adopting drafts that
>> increase phishing risks for the sake of aesthetics.
>>
>> — Neil
>>
>> On 3 Sep 2024, at 11:46, Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
>> wrote:
>>
>> All,
>>
>> As per the discussion in Vancouver, this is a call for adoption for the
>> First Party Apps draft:
>> https://datatracker.ietf.org/doc/draft-parecki-oauth-first-party-apps/
>>
>> Please, reply on the mailing list and let us know if you are in favor or
>> against adopting this draft as WG document, by *Sep 17th*.
>>
>> Regards,
>>  Rifaat & Hannes
>> _______________________________________________
>> OAuth mailing list -- oauth@ietf.org
>> To unsubscribe send an email to oauth-leave@ietf.org