Re: [OAUTH-WG] Native clients & 'confidentiality'

John Kemp <> Mon, 19 December 2011 19:35 UTC

From: John Kemp <>
Date: Mon, 19 Dec 2011 13:21:20 -0500
To: Paul Madsen <>

Hi Paul,

On Dec 19, 2011, at 12:50 PM, Paul Madsen wrote:

> Hi Mike, to some extent I think my question is not about specific security characteristics, but rather whether it's realistic for our group to mandate that both server & native clients have the *same* security characteristics - particularly the ability to 'securely' authenticate to the AS on the token endpoint.

Well… from your description of your case (e.g. "based on a user's subscriptions"), I'm not sure whether the client (software) designation makes much difference. Am I correct in thinking that the credentials which really need to be protected are those assigned to a user, rather than those assigned to a client? In which case, wouldn't it be possible for even a 'public' OAuth client to acquire them from the user dynamically (rather than storing them on the device) and pass them encrypted or hashed to the server?


- John

> thanks
> paul
> On 12/19/11 12:18 PM, Michael Thomas wrote:
>> On 12/19/2011 04:19 AM, Paul Madsen wrote: 
>>> Hi, the Online Media Authorization Protocol (OMAP) is a (as yet unreleased) profile of OAuth 2.0 for online delivery of video content based on a user's subscriptions (the TV Everywhere use case) 
>>> We want to support both server & native mobile clients. It is for the second class of clients that I'd appreciate some clarification of 'confidentiality' as defined in OAuth 2. 
>>> OAuth 2 distinguishes confidential & public clients based on their ability to secure the credentials they'd use to authenticate to an AS - confidential clients can protect those credentials, public clients can't. 
>>> Notwithstanding the above definition, the spec gives a degree of discretion to the AS 
>>>    The client type designation is based on the authorization server's 
>>>    definition of secure authentication and its acceptable exposure 
>>>    levels of client credentials. 
>>> Given this discretion, is it practical for the OMAP spec to stipulate that 'All Clients (both server & native mobile), MUST be confidential', i.e. let each individual OMAP AS specify its own requirements of clients and their ability to securely authenticate?
>> Hi, 
>> Can you say exactly what your security requirements are before trying to determine which 
>> (if either) is the right answer? I've got some concerns in this area that I'm trying to understand 
>> and am not sure if they're related to your concern or not. Part of this is that I really don't 
>> understand what the difference is between a "public" client and a "confidential client" and 
>> rereading the draft isn't helping me. In particular, can an iPhone app with a UIWebView *ever*
>> be a "confidential" client, and if so how? 
>> Mike 
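The distinction the thread turns on is what the client type changes at the token endpoint. The following is an added example, not code from the thread or from OMAP: a toy authorization server that registers a server-side client as confidential (it must prove its secret, HTTP Basic per RFC 6749 section 2.3.1) and a native mobile client as public (identified by client_id only; any secret it presents is ignored, since a secret shipped inside an app proves nothing), and then, following John's point, treats the subscriber's own credentials as the thing that actually needs protecting: with the resource owner password grant they are collected at runtime, sent over an assumed TLS channel, and verified against a server-side salted hash. Client ids, secrets, the user record and the salt are constructed values.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed client registry for an OMAP-style AS (values made up): the server
# client is confidential, the native mobile app is public.
CLIENTS = {
    "omap-web-portal": {"type": "confidential", "secret": "server-side-only-secret"},
    "omap-mobile-app": {"type": "public", "secret": None},
}

# Constructed subscriber store: salted PBKDF2 hashes, never plaintext passwords.
_SALT = b"constructed-salt"
def _pbkdf2(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)
USERS = {"subscriber@example.net": _pbkdf2("correct horse")}

def basic_header(client_id, secret):
    """HTTP Basic client authentication header (RFC 6749 section 2.3.1)."""
    token = base64.b64encode(f"{client_id}:{secret}".encode()).decode()
    return {"Authorization": "Basic " + token}

def authenticate_client(headers, form):
    """Return (client_id, client_type), or None if authentication fails.
    A confidential client must prove possession of its secret; a public client
    is only identified, because a secret embedded in a shipped app proves nothing."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        client_id, _, presented = base64.b64decode(auth[6:]).decode().partition(":")
    else:
        client_id, presented = form.get("client_id"), form.get("client_secret")
    client = CLIENTS.get(client_id)
    if client is None:
        return None
    if client["type"] == "confidential" and (presented is None or
            not hmac.compare_digest(presented.encode(), client["secret"].encode())):
        return None
    return client_id, client["type"]  # a public client's presented secret is ignored

def token_endpoint(headers, form):
    """Password grant: the subscriber's credential is verified server-side whatever
    the client type, so a public client never has to store it."""
    ident = authenticate_client(headers, form)
    if ident is None:
        return {"error": "invalid_client"}
    stored = USERS.get(form.get("username", ""))
    if stored is None or not hmac.compare_digest(_pbkdf2(form.get("password", "")), stored):
        return {"error": "invalid_grant"}
    return {"access_token": secrets.token_urlsafe(24), "token_type": "bearer"}
```

The point to take from the public path is that the AS gains nothing from a secret it knows the mobile app cannot keep, so its trust decision rests on the user credential check, not on client authentication.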