Re: [OAUTH-WG] best practice for Native app + state param?

George Fletcher <gffletch@aol.com> Tue, 19 January 2016 19:32 UTC

To: Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com>
References: <CAOahYUzV2hn0cdbpZf6zqm70aWEt6fOiUm6ttfS7Ai6FrF+ofw@mail.gmail.com> <8D27A368-436A-4DBA-96B6-8CC76253F7AF@mit.edu>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <569E8F37.9040508@aol.com>
Date: Tue, 19 Jan 2016 14:32:07 -0500
In-Reply-To: <8D27A368-436A-4DBA-96B6-8CC76253F7AF@mit.edu>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/9A8shvzvjBxRGkQvk2i_AGDiypg>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] best practice for Native app + state param?

+1 to both using state and PKCE (especially when using system web 
controllers; e.g. safari-view-controller).

On 1/19/16 11:29 AM, Justin Richer wrote:
> I think there’s no advice because it’s not different: you should still be using the state parameter. Just use a random value with high enough entropy, which is also what most web applications do (the advice in the spec is weird and I think a remnant of Bradley making things too complicated in his advice). In a web app, it gets tied to the session cookie back on the server, you don’t need any particularly fancy binding beyond your usual session management. In a native app, just store it in the application before you send it and look it up on the way back to make sure it matches. Combine this with PKCE and you’ve got a pretty solid set of protections for native apps.
>
>   — Justin
>
>> On Jan 19, 2016, at 10:18 AM, Adam Lewis <Adam.Lewis@motorolasolutions.com> wrote:
>>
>> Hi,
>>
>> I have not been able to find any usage for the state parameter in authorization requests for native apps.  Further, the spec guidance of using a hash of the session cookie as the value of the state param doesn't apply for native apps.
>>
>> draft-wdenniss-oauth-native-apps is silent on the matter.
>>
>> Usage of state seems to be unique to clients conforming to the web app profile.
>>
>> Bottom line, looking to vet that it's safe to omit the state parameter in the authorization request for native apps, and that I'm not missing something critical.
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth

-- 
Chief Architect
Identity Services Engineering     Work: george.fletcher@teamaol.com
AOL Inc.                          AIM:  gffletch
Mobile: +1-703-462-3494           Twitter: http://twitter.com/gffletch
Office: +1-703-265-2544           Photos: http://georgefletcher.photography
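The advice in this thread (per-request random state kept in the app, checked on the way back, combined with PKCE), as an added example that is not code from any of the thread's authors. The authorization endpoint, client_id, custom-scheme redirect URI, TTL and the scenario inputs are constructed placeholders, not values from the thread.

```python
"""Native-app OAuth 2.0 client: per-request 'state' plus PKCE (S256).

Added example for the thread's advice; not code from the thread's authors.
Endpoint, client_id, redirect URI and TTL are placeholder assumptions.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode

AUTHORIZE_ENDPOINT = "https://as.example/authorize"   # placeholder
CLIENT_ID = "native-app-example"                        # placeholder
REDIRECT_URI = "com.example.app:/oauth2redirect"        # placeholder custom scheme
STATE_TTL_SECONDS = 300                                 # drop stale pending requests


def b64url(data: bytes) -> str:
    """Base64url without padding, as PKCE (RFC 7636) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge for a code_verifier."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def query_params(url: str) -> dict:
    """Query parameters of a URL as {name: [values]}."""
    return parse_qs(url.partition("?")[2], keep_blank_values=True)


class NativeAppClient:
    """The native-app analogue of binding 'state' to a server session:
    the app remembers which states it issued and the PKCE verifier of each."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}   # state -> {"verifier": str, "issued": float}

    def begin_authorization(self, scope: str = "openid profile") -> str:
        """Build the authorization URL and remember state + verifier in-app."""
        state = b64url(secrets.token_bytes(32))      # 256 bits of entropy
        verifier = b64url(secrets.token_bytes(32))   # 43-char code_verifier
        self._pending[state] = {"verifier": verifier, "issued": self._now()}
        params = {
            "response_type": "code",
            "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI,
            "scope": scope,
            "state": state,
            "code_challenge": pkce_challenge(verifier),
            "code_challenge_method": "S256",
        }
        return AUTHORIZE_ENDPOINT + "?" + urlencode(params)

    def handle_redirect(self, url: str) -> dict:
        """Validate the redirect back into the app before any token request.

        A state that is missing, unknown, expired or already consumed means the
        response was not solicited by this app instance (the CSRF / injected
        response case 'state' exists to catch) and is rejected.
        """
        base, _, query = url.partition("?")
        if base != REDIRECT_URI:
            return {"ok": False, "reason": "redirect URI mismatch"}
        params = query_params(query and "?" + query)
        state = params.get("state", [None])[0]
        if not state:
            return {"ok": False, "reason": "missing state"}
        # Constant-time match against issued states (encoded to bytes so a
        # non-ASCII attacker value cannot raise), then consume it: one use only.
        matched = None
        for issued in list(self._pending):
            if hmac.compare_digest(issued.encode("utf-8"), state.encode("utf-8")):
                matched = issued
        if matched is None:
            return {"ok": False, "reason": "unknown state (unsolicited response)"}
        entry = self._pending.pop(matched)
        if self._now() - entry["issued"] > STATE_TTL_SECONDS:
            return {"ok": False, "reason": "state expired"}
        if "error" in params:
            return {"ok": False, "reason": "server error: " + params["error"][0]}
        code = params.get("code", [None])[0]
        if not code:
            return {"ok": False, "reason": "missing code"}
        # code + verifier go to the token endpoint; the server recomputes S256,
        # so a code intercepted by another app on the device is useless to it.
        return {"ok": True, "code": code, "code_verifier": entry["verifier"]}


def run_scenarios() -> dict:
    """Happy path, replayed redirect and forged redirect (constructed inputs)."""
    client = NativeAppClient()
    issued = query_params(client.begin_authorization())
    state = issued["state"][0]
    good = client.handle_redirect(f"{REDIRECT_URI}?code=example-code&state={state}")
    replay = client.handle_redirect(f"{REDIRECT_URI}?code=example-code&state={state}")
    forged = client.handle_redirect(f"{REDIRECT_URI}?code=evil&state=attacker-state")
    return {
        "good": good,
        "challenge_matches": pkce_challenge(good["code_verifier"]) == issued["code_challenge"][0],
        "replay_ok": replay["ok"],
        "forged_ok": forged["ok"],
    }


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(name, value)
```

The pending-request table here lives in process memory; on a real device it should sit in app-private storage that survives the app being backgrounded while the system browser view is open, and it must not be shared with any other app.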