Re: [OAUTH-WG] review draft-ietf-oauth-native-apps-07
<Sebastian.Ebling@telekom.de> Mon, 06 March 2017 17:29 UTC
Return-Path: <prvs=2311a292c=Sebastian.Ebling@telekom.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D960412948F for <oauth@ietfa.amsl.com>; Mon, 6 Mar 2017 09:29:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.32
X-Spam-Level:
X-Spam-Status: No, score=-4.32 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=telekom.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6O7PYvId4PKd for <oauth@ietfa.amsl.com>; Mon, 6 Mar 2017 09:29:28 -0800 (PST)
Received: from MAILOUT31.telekom.de (MAILOUT31.telekom.de [80.149.113.193]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7A662129442 for <oauth@ietf.org>; Mon, 6 Mar 2017 09:29:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=telekom.de; i=@telekom.de; q=dns/txt; s=dtag1; t=1488821367; x=1520357367; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=W1U7xoI0A8711vByNsQ98cD50dx81AgWMN5WfTqoW7A=; b=wGNfe7iIT5Bae30jztMd19+sbsvS/TdzBMXfv0QkDKcYKuWjwfbZLCkG DgcdXS2/+e046ft4XuOoiJ3jrdA8npJ34uUU7hCmmopouI6HThwja0Wt+ 7rVUiug1jsQkTGSOiJXlMMdrCjMpkDrAewuhaKDUDBrGr9qSwFdD0vzCo xYjSs/SlW5qrWhKTI7SA1/I78AHWgHFDt8TdMwCfaP3sO4/Z5UAhZK0fG WUZ6PPjMvbHGsgy1DYwbYG6p+tUnHYZac1H4WKFwnJbi6zPWq69zbz11H RNVqkVBqTXMPNtMmKU7BfWFReSB3elXZZZYz+ebw2S2k/oV+cuN9WsTXi Q==;
Received: from q4de8psa169.blf.telekom.de ([10.151.13.200]) by MAILOUT31.telekom.de with ESMTP/TLS/RC4-SHA; 06 Mar 2017 18:29:13 +0100
X-IronPort-AV: E=Sophos;i="5.35,254,1484002800"; d="scan'208,217";a="1276819604"
Received: from he105717.emea1.cds.t-internal.com ([10.169.118.53]) by q4de8psazkj.blf.telekom.de with ESMTP/TLS/AES256-SHA; 06 Mar 2017 18:29:13 +0100
Received: from HE105717.EMEA1.cds.t-internal.com (10.169.118.53) by HE105717.emea1.cds.t-internal.com (10.169.118.53) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Mon, 6 Mar 2017 18:29:13 +0100
Received: from HE105717.EMEA1.cds.t-internal.com ([fe80::5881:9115:c037:89f8]) by HE105717.emea1.cds.t-internal.com ([fe80::5881:9115:c037:89f8%26]) with mapi id 15.00.1263.000; Mon, 6 Mar 2017 18:29:13 +0100
From: Sebastian.Ebling@telekom.de
To: wdenniss@google.com
Thread-Topic: [OAUTH-WG] review draft-ietf-oauth-native-apps-07
Thread-Index: AQHSk8PJXZV5QjQC30KF0ZRZ8+KIk6GHgF8Q
Date: Mon, 06 Mar 2017 17:29:13 +0000
Message-ID: <3e60f71398b34f339058905d12e073af@HE105717.emea1.cds.t-internal.com>
References: <0f05922f-ac63-1585-9da1-d54ceda25623@gmx.net> <4acb6b3e0a724da88aa040f556c01b07@HE105717.emea1.cds.t-internal.com> <CAAP42hBRCMMhkahQv7VbH4SRLd=jGLvWnRy5Cf-cGr25bryEdQ@mail.gmail.com>
In-Reply-To: <CAAP42hBRCMMhkahQv7VbH4SRLd=jGLvWnRy5Cf-cGr25bryEdQ@mail.gmail.com>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.157.118.197]
Content-Type: multipart/alternative; boundary="_000_3e60f71398b34f339058905d12e073afHE105717emea1cdstintern_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/CkrGPeCSbfjQPCfHaZSAkuNx_XI>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] review draft-ietf-oauth-native-apps-07
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Mar 2017 17:29:31 -0000
Hi William, Thank you very much for your very detailed response! May be I was a bit gruff. I simply expected best practices about Android Account Manager vs. native OAuth in the Android Implementation Details section. I did not realize, that it is addressed by “Non-Browser External User-Agents” within the security considerations. Nevertheless, I highly appreciate this BCP document and also the work that has been done in behind to improve browser integration in Android and iOS. Best regards Sebastian -- Sebastian Ebling / sebastian.ebling@telekom.de / +49 6151 5838207<tel:+4961516807135> Deutsche Telekom AG, Technology Enabling Platforms (PI-TEP) Von: William Denniss [mailto:wdenniss@google.com] Gesendet: Freitag, 3. März 2017 03:13 An: Ebling, Sebastian Cc: oauth@ietf.org<mailto:oauth@ietf.org> Betreff: Re: [OAUTH-WG] review draft-ietf-oauth-native-apps-07 The Android Account Manager isn't standard OAuth, unlike this BCP. Thus, the Account Manager pattern falls under the security considerations section "Non-Browser External User-Agents" and is officially out of scope of the specification. To answer your question though, this BCP is the Google recommended way to do standards-based OAuth on Android. Some official references: OAuth 2.0 for Mobile & Desktop Apps<https://developers.google.com/identity/protocols/OAuth2InstalledApp> (which directly references this BCP! Scroll to the bottom) Set up SSO with Chrome Custom Tabs with Android for Work<https://developer.android.com/work/guide.html#sso> Your Apps at work - Google I/O 2016<https://youtu.be/Za0OQo8DRM4?t=22m57s> Modernizing OAuth interactions in Native Apps for Better Usability and Security<https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html> NB. every time you see "AppAuth" in those docs, it's a reference to the library that implements the pattern defined by this BCP. The utility of Account Manager really depends on your use-case. I expect that most people who need to deal with non-Google ASes on Android will migrate over to the pattern outlined in this BCP. People who deal exclusively with the Google IdP (e.g. display a Google Sign-in button) will likely keep doing what they're doing, which is fine. The main drawback of the Account Manager pattern was that you need to have an app from the authorization server (AS) installed which can't always be guaranteed. That's why this is less of a problem with Google's IdP, since all phones that have the Play store come with the Google authentication agent. Even if you can guarantee that the authentication app will be installed, there is overhead on the AS such as maintenance and updates for the native authorization app component. I participated in many discussions over a two year period in the OAuth and OpenID communities, and the general consensus was that requiring the AS to provide a native app was a burden, and harmful to interop, which lead to the drafting of this BCP which doesn't require any native code to be maintained and distributed by the AS. On Mon, Feb 27, 2017 at 12:22 AM, <Sebastian.Ebling@telekom.de<mailto:Sebastian.Ebling@telekom.de>> wrote: Hi all, I have a question that relates to section B.2. Android Implementation Details. I understand this as a working group best practice. Unfortunately this does not necessarily meet the Google instruction for Android. There is a lot of documentation out there pointing to the Android Account Manager and I do not get these both together. Any idea? Best Regards Sebastian -- Sebastian Ebling / sebastian.ebling@telekom.de<mailto:sebastian.ebling@telekom.de> Deutsche Telekom AG, Technology Enabling Platforms (PI-TEP) _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Pushing "OAuth 2.0 for Native Apps" to… Hannes Tschofenig
- [OAUTH-WG] review draft-ietf-oauth-native-apps-07 Sebastian.Ebling
- Re: [OAUTH-WG] Pushing "OAuth 2.0 for Native Apps… Brian Campbell
- Re: [OAUTH-WG] Pushing "OAuth 2.0 for Native Apps… Nat Sakimura
- Re: [OAUTH-WG] review draft-ietf-oauth-native-app… William Denniss
- Re: [OAUTH-WG] Pushing "OAuth 2.0 for Native Apps… William Denniss
- Re: [OAUTH-WG] review draft-ietf-oauth-native-app… Sebastian.Ebling