Re: [OAUTH-WG] Updated text for Native Apps
Anthony Nadalin <tonynad@microsoft.com> Wed, 15 June 2011 17:26 UTC
Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6220121F8526 for <oauth@ietfa.amsl.com>; Wed, 15 Jun 2011 10:26:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.466
X-Spam-Level:
X-Spam-Status: No, score=-7.466 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8, UNRESOLVED_TEMPLATE=3.132]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lD18I8Q83hnb for <oauth@ietfa.amsl.com>; Wed, 15 Jun 2011 10:26:21 -0700 (PDT)
Received: from smtp.microsoft.com (smtp.microsoft.com [131.107.115.215]) by ietfa.amsl.com (Postfix) with ESMTP id EE4BC21F84F2 for <oauth@ietf.org>; Wed, 15 Jun 2011 10:26:20 -0700 (PDT)
Received: from TK5EX14MLTC103.redmond.corp.microsoft.com (157.54.79.174) by TK5-EXGWY-E802.partners.extranet.microsoft.com (10.251.56.168) with Microsoft SMTP Server (TLS) id 8.2.176.0; Wed, 15 Jun 2011 10:26:20 -0700
Received: from CH1EHSOBE003.bigfish.com (157.54.51.113) by mail.microsoft.com (157.54.79.174) with Microsoft SMTP Server (TLS) id 14.1.289.8; Wed, 15 Jun 2011 10:26:20 -0700
Received: from mail161-ch1-R.bigfish.com (216.32.181.173) by CH1EHSOBE003.bigfish.com (10.43.70.53) with Microsoft SMTP Server id 14.1.225.22; Wed, 15 Jun 2011 17:25:55 +0000
Received: from mail161-ch1 (localhost.localdomain [127.0.0.1]) by mail161-ch1-R.bigfish.com (Postfix) with ESMTP id EFF499B02AD for <oauth@ietf.org.FOPE.CONNECTOR.OVERRIDE>; Wed, 15 Jun 2011 17:25:54 +0000 (UTC)
X-SpamScore: -27
X-BigFish: PS-27(zz9371M1418Mzz1202h1082kzz1033IL8275bh8275dhz31h2a8h668h839h61h)
X-Spam-TCS-SCL: 0:0
X-Forefront-Antispam-Report: CIP:157.55.61.146; KIP:(null); UIP:(null); IPV:SKI; H:CH1PRD0302HT007.namprd03.prod.outlook.com; R:internal; EFV:INT
Received-SPF: softfail (mail161-ch1: transitioning domain of microsoft.com does not designate 157.55.61.146 as permitted sender) client-ip=157.55.61.146; envelope-from=tonynad@microsoft.com; helo=CH1PRD0302HT007.namprd03.prod.outlook.com ; .outlook.com ;
Received: from mail161-ch1 (localhost.localdomain [127.0.0.1]) by mail161-ch1 (MessageSwitch) id 1308158733122967_25231; Wed, 15 Jun 2011 17:25:33 +0000 (UTC)
Received: from CH1EHSMHS015.bigfish.com (snatpool1.int.messaging.microsoft.com [10.43.68.254]) by mail161-ch1.bigfish.com (Postfix) with ESMTP id 8ECC9BF0001; Wed, 15 Jun 2011 17:24:13 +0000 (UTC)
Received: from CH1PRD0302HT007.namprd03.prod.outlook.com (157.55.61.146) by CH1EHSMHS015.bigfish.com (10.43.70.15) with Microsoft SMTP Server (TLS) id 14.1.225.22; Wed, 15 Jun 2011 17:24:11 +0000
Received: from CH1PRD0302MB115.namprd03.prod.outlook.com ([169.254.1.97]) by CH1PRD0302HT007.namprd03.prod.outlook.com ([10.28.29.126]) with mapi id 14.01.0225.052; Wed, 15 Jun 2011 17:24:11 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>, Chuck Mortimore <cmortimore@salesforce.com>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: Updated text for Native Apps
Thread-Index: AcwfuUhXW2Le+9y8kkuEJ9o0yOMTnALwJeCgAAE6gmAAAFyrYAAAGH/w
Date: Wed, 15 Jun 2011 17:24:10 +0000
Message-ID: <B26C1EF377CB694EAB6BDDC8E624B6E72311DF72@CH1PRD0302MB115.namprd03.prod.outlook.com>
References: <CA0A7531.1A8EC%cmortimore@salesforce.com> <90C41DD21FB7C64BB94121FBBC2E7234475E986ACE@P3PW5EX1MB01.EX1.SECURESERVER.NET> <B26C1EF377CB694EAB6BDDC8E624B6E72311DEC3@CH1PRD0302MB115.namprd03.prod.outlook.com> <90C41DD21FB7C64BB94121FBBC2E7234475E986AEF@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E7234475E986AEF@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.28.29.112]
Content-Type: multipart/alternative; boundary="_000_B26C1EF377CB694EAB6BDDC8E624B6E72311DF72CH1PRD0302MB115_"
MIME-Version: 1.0
X-OrganizationHeadersPreserved: CH1PRD0302HT007.namprd03.prod.outlook.com
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%HUENIVERSE.COM$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%SALESFORCE.COM$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%IETF.ORG$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-OriginatorOrg: microsoft.com
X-CrossPremisesHeadersPromoted: TK5EX14MLTC103.redmond.corp.microsoft.com
X-CrossPremisesHeadersFiltered: TK5EX14MLTC103.redmond.corp.microsoft.com
Subject: Re: [OAUTH-WG] Updated text for Native Apps
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jun 2011 17:26:24 -0000
Not seeing what you write about below, I think that the basic text that was discussed at the F2F has consensus around the guidance (with some changes that were discussed and Chuck provided), I think that some of the other thoughts people have thrown out don't. I disagree with dropping the text as there is not consensus to do that, since there was an action item to put text back in. From: Eran Hammer-Lahav [mailto:eran@hueniverse.com] Sent: Wednesday, June 15, 2011 10:19 AM To: Anthony Nadalin; Chuck Mortimore; oauth@ietf.org Subject: RE: Updated text for Native Apps This working group has failed, for well over a year, to reach any sort of consensus regarding which grant types are suitable for a given client type. There was no draft between 00 and 16 in which we had agreement on the definition of client types, or the exclusivity of any flow to any given type. Trying to reach such a conclusion is a waste of time. The main reason for this is lack of deployment experience. We have pretty good experience with some cases like a server-based client capable of keeping secrets, and browser-based clients executing fully visible source code. We clearly do not even have a clear definition of what is a native application and the recent attempt to define a native application client type seems to cause more confusion than help. While there is clearly an expectation that the specification will offer guidance to native application developers, I have yet to see any such text gaining consensus. My suggestion is to drop this attempt, but if a new text gain consensus, I'll incorporate it. EHL From: Anthony Nadalin [mailto:tonynad@microsoft.com]<mailto:[mailto:tonynad@microsoft.com]> Sent: Wednesday, June 15, 2011 10:10 AM To: Eran Hammer-Lahav; Chuck Mortimore; oauth@ietf.org<mailto:oauth@ietf.org> Subject: RE: Updated text for Native Apps Since Torsten and I had the action item to propose text we will update the text based upon the list and give you back an update From: oauth-bounces@ietf.org<mailto:oauth-bounces@ietf.org> [mailto:oauth-bounces@ietf.org]<mailto:[mailto:oauth-bounces@ietf.org]> On Behalf Of Eran Hammer-Lahav Sent: Wednesday, June 15, 2011 9:33 AM To: Chuck Mortimore; oauth@ietf.org<mailto:oauth@ietf.org> Subject: Re: [OAUTH-WG] Updated text for Native Apps Is there an updated text based on the long thread? EHL From: oauth-bounces@ietf.org<mailto:oauth-bounces@ietf.org> [mailto:oauth-bounces@ietf.org]<mailto:[mailto:oauth-bounces@ietf.org]> On Behalf Of Chuck Mortimore Sent: Tuesday, May 31, 2011 10:37 AM To: oauth@ietf.org<mailto:oauth@ietf.org> Subject: [OAUTH-WG] Updated text for Native Apps Minor updates for section 9 based upon feedback from the list -cmort ---------------- 9. Native Applications A native application is a client which is installed and executes on the end-user's device (i.e. desktop application, native mobile application). Native applications require special consideration related to security, platform capabilities, and overall end-user experience. The following are examples of how native applications may utilize OAuth: o Initiate an Authorization Request using an external user-agent: The native application can capture the response from the authorization server using a variety of techniques such as the use of a redirection URI identifying a custom URI scheme (registered with the operating system to invoke the native application as handler), manual copy-and-paste, running a local webserver, browser plug-ins, or by providing a redirection URI identifying a server-hosted resource under the native application's control, which in turn makes the response available to the native application. o Initiate an Authorization Request using an embedded user-agent: The native application obtains the response by directly communicating with the embedded user-agent. Techniques include monitoring state changes emitted during URL loading, monitoring http headers, accessing the user-agent's cookie jar, etc. When choosing between launching an external user-agent and an embedding a user-agent, native application developers should consider the following: o External user-agents may improve completion rate as the end-user may already have an active session with the authorization server removing the need to re-authenticate, and provide a familiar user-agent user experience. The end-user may also rely on extensions or add-ons to assist with authentication (e.g. password managers or 2-factor device reader). o Embedded user-agents may offer an improved end-user flow, as they remove the need to switch context and open new windows. o Embedded user-agents pose a security challenge because end-users are authenticating in an unidentified window without access to the visual protections offered by many user-agents. Embedded user-agents educate end-user to trust unidentified requests for authentication (making phishing attacks easier to execute). When choosing between implicit and authorization code grant types, the following should be considered: o Native applications that use the authorization code grant type flow SHOULD do so without client password credentials, due to their inability to keep those credentials confidential. o Native applications that use the implicit grant type may offer optimized performance in some scenarios due to reduced network requests o The implicit grant type does not return a refresh token
- [OAUTH-WG] Updated text for Native Apps Chuck Mortimore
- Re: [OAUTH-WG] Updated text for Native Apps Eran Hammer-Lahav
- Re: [OAUTH-WG] Updated text for Native Apps Anthony Nadalin
- Re: [OAUTH-WG] Updated text for Native Apps Eran Hammer-Lahav
- Re: [OAUTH-WG] Updated text for Native Apps Anthony Nadalin
- Re: [OAUTH-WG] Updated text for Native Apps Eran Hammer-Lahav
- Re: [OAUTH-WG] Updated text for Native Apps Lodderstedt, Torsten
- Re: [OAUTH-WG] Updated text for Native Apps Eran Hammer-Lahav
- Re: [OAUTH-WG] Updated text for Native Apps Chuck Mortimore