Re: [OAUTH-WG] Native clients & 'confidentiality'

Paul Madsen <> Mon, 19 December 2011 20:45 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E330621F853B for <>; Mon, 19 Dec 2011 12:45:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.598
X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id oT+rfyRzpj92 for <>; Mon, 19 Dec 2011 12:45:38 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id C443C21F853A for <>; Mon, 19 Dec 2011 12:45:37 -0800 (PST)
Received: by vbbfo1 with SMTP id fo1so3661038vbb.31 for <>; Mon, 19 Dec 2011 12:45:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=gamma; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type; bh=qVMXFF8p+oWpit34DgVAPyTkjWNpeNY45HIKHP141cw=; b=MdWnw/TjT+fn24C5QBGPkHPxZCFhe/mgYZq2g9pFkiVKqB19sYf48aa9fjuW2NL2SD dsALpPK0IqwoE+UvK7V0vGOUUtQZr5emtV+J8LG8R4rkbDHhOHGVNQ4NfrD/5I11PTOs 3CgflmbxpexZ1J97HMx+Ww1fDyZcXxEhMQsHo=
Received: by with SMTP id da11mr12191009vdb.111.1324327535972; Mon, 19 Dec 2011 12:45:35 -0800 (PST)
Received: from pmadsen-mbp.local ( []) by with ESMTPS id l9sm17380869vde.13.2011. (version=SSLv3 cipher=OTHER); Mon, 19 Dec 2011 12:45:35 -0800 (PST)
Message-ID: <>
Date: Mon, 19 Dec 2011 15:45:33 -0500
From: Paul Madsen <>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0) Gecko/20111105 Thunderbird/8.0
MIME-Version: 1.0
To: John Kemp <>
References: <> <> <> <> <> <>
In-Reply-To: <>
Content-Type: multipart/alternative; boundary="------------020907070708020309080604"
Subject: Re: [OAUTH-WG] Native clients & 'confidentiality'
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 19 Dec 2011 20:45:39 -0000

thanks John, inline

On 12/19/11 3:20 PM, John Kemp wrote:
> Hey Paul,
> On Dec 19, 2011, at 2:49 PM, Paul Madsen wrote:
>> Hi John, the user identity&  credentials are definitely fundamental (they allow the video content to be personalized), but given the valuable nature of the resources being accessed, many Resource Owners (that produce the video content) will expect that the clients be able to authenticate with its own credentials as well.
> In which case, YMMV right, as usual, depending on the ability of the client to keep a secret? So, the expectation that clients can reliably authenticate seems still only reliable as those clients' platforms typically are (which is to say, not very reliable when put in the hands of consumers).
indeed, which points out that 'confidentiality <--> public' is a continuum.
>> Wrt storing the user's credentials on the device, we are profiling the authz code grant type - we don't want passwords on the device , or even traded via RO creds grant type. But was that the question?
> I was just trying to figure out why you care whether the client can keep a secret, assuming that it's actually and only the user authentication which determines whether the content may be accessed. If we're talking about protecting the user from phishing, you may not be as reliant on a client secret as if the content may be accessed only by authorized software installations in addition to authorized users.
A decision to release a vid could depend both on the user's 
subscriptions as well as the client being registered/valid. So, yes we 
care about clients keeping secrets, and so are able to authenticate to 
the AS in order to get tokens

As Justin pointed out, the challenge is more in getting the secret to a 
native client than keeping it hidden once obtained.

> - John
>> thanks
>> paul
>> On 12/19/11 1:21 PM, John Kemp wrote:
>>> Hi Paul,
>>> On Dec 19, 2011, at 12:50 PM, Paul Madsen wrote:
>>>> Hi Mike, to some extent I think my question is not about specific security characteristics, but rather whether its realistic for our group to mandate that both server&  native clients have the *same* security characteristics - particularly the ability to 'securely' authenticate to the AS on the token endpoint.
>>> Well… from your description of your case (e.g. "based on a user's subscriptions"), I'm not sure whether the client (software) designation makes much difference. Am I correct in thinking that the credentials which really need to be protected are those assigned to a user, rather than those assigned to a client? In which case, wouldn't it be possible for even a 'public' OAuth client to acquire them from the user dynamically (rather than storing them on the device) and pass them encrypted or hashed to the server?
>>> Cheers,
>>> - John
>>>> thanks
>>>> paul
>>>> On 12/19/11 12:18 PM, Michael Thomas wrote:
>>>>> On 12/19/2011 04:19 AM, Paul Madsen wrote:
>>>>>> Hi, the Online Media Authorization Protocol (OMAP) is a (as yet unreleased) profile of OAuth 2.0 for online delivery of video content based on a user's subscriptions (the TV Everywhere use case)
>>>>>> We want to support both server&  native mobile clients. It is for the second class of clients that I'd appreciate some clarification of 'confidentiality' as defined in OAuth 2.
>>>>>> OAuth 2 distinguishes confidential&  public clients based on their ability to secure the credentials they'd use to authenticate to an AS - confidential clients can protect those credentials, public clients can't.
>>>>>> Notwithstanding the above definition, the spec gives a degree of discretion to the AS
>>>>>>     The client type designation is based on the authorization server's
>>>>>>     definition of secure authentication and its acceptable exposure
>>>>>>     levels of client credentials.
>>>>>> Give this discretion, is it practical for the OMAP spec to stipulate that 'All Clients (both server&  native mobile), MUST be confidential', ie let each individual OMAP AS specify its own requirements of clients and their ability to securely authenticate?
>>>>> Hi,
>>>>> Can you say exactly what your security requirements are before trying to determine which
>>>>> (if either) is the right answer? I've got some concerns in this area that I'm trying to understand
>>>>> and am not sure if they're related to your concern or not. Part of this is that I really don't
>>>>> understand what the difference is between a "public" client and a "confidential client" and
>>>>> rereading the draft isn't helping me. In particular, can a iPhone app with a UIWebView *ever*
>>>>> be a "confidential" client, and if so how?
>>>>> Mike
>>>> _______________________________________________
>>>> OAuth mailing list