Re: [OAUTH-WG] Authorization handover from mobile app to website
"SOMMER, DOMINIK" <dominik.sommer@milesandmore.com> Thu, 18 March 2021 16:25 UTC
Return-Path: <prvs=704c39ea6=dominik.sommer@milesandmore.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 531C03A2EE5 for <oauth@ietfa.amsl.com>; Thu, 18 Mar 2021 09:25:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.066
X-Spam-Level:
X-Spam-Status: No, score=-3.066 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.248, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=milesandmore.com header.b=mAAAxS+X; dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=lufthansagroup.onmicrosoft.com header.b=E2SJMMFU
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6-h62x7RrLOz for <oauth@ietfa.amsl.com>; Thu, 18 Mar 2021 09:25:00 -0700 (PDT)
Received: from mx4.lhsystems.com (mx4.lhsystems.com [80.77.214.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 988AF3A2EE2 for <OAUTH@ietf.org>; Thu, 18 Mar 2021 09:24:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=milesandmore.com; i=@milesandmore.com; q=dns/txt; s=ibmqlh-201908-AACwux8Wm9; t=1616084699; x=1647620699; h=from:to:subject:date:message-id:references:in-reply-to: mime-version; bh=WK2b8BGyfvIfFUFPpmNY+Cs3j2Hmm/yniCAntHWt9R8=; b=mAAAxS+XYGfLbMogamrekD+rEd6qolYGXHpZgjR9vZ1Lnkg6iyKl+Hhc Nd3d4BFRpAEZGDS1vrxboEgxwPKkyi6XzCKfVAMeW2SJvry5iBNX+/wsd wODsto0J35PJntlW6eUsyx/UWo1zzBwQCl07U/UnD2EvQizwdb3jE2Hf6 U=;
IronPort-SDR: RzzanwuCyWzW5MElaAYzfCuP63JYG617wqWX+2sMG9nyqyBW3ANnZC0E3zC9p6hrSI3ak7KW6F ujIzr1y3VeOw==
X-IronPort-Anti-NAV: true
X-TimeStamp-GMT1: 18 Mar 2021 16:24:55 -0000
Received: from unknown (HELO smailin.ads.dlh.de) ([57.56.251.110]) by mx4.lhsystems.com with ESMTP/TLS/ECDHE-RSA-AES256-SHA; 18 Mar 2021 17:24:55 +0100
Received: from SW-FRAADS-EDG03.cns.fra.dlh.de (57.20.0.12) by SW-FRAADS-HUB41.ads.dlh.de (57.56.251.110) with Microsoft SMTP Server (TLS) id 14.3.498.0; Thu, 18 Mar 2021 17:24:54 +0100
Received: from EUR04-DB3-obe.outbound.protection.outlook.com (104.47.12.59) by mxO365.app.lufthansa.com (80.77.212.236) with Microsoft SMTP Server (TLS) id 14.3.498.0; Thu, 18 Mar 2021 17:24:50 +0100
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Xl7/Da0WnBOoeAjolTP7rkcW3ZJqN5DUkvTRruqscgBTgWXyxkPMkOJvHAD7GK2qc8Qj1EMBqiW40XTORz5/P8cE+o5JZlE8aGGbjlOusENK9oxKdO9m/znQrvw+fl7s2l9erQ+BvFeT1ScDizOjX/x4ft93vzzRPHwomC1aE65eJnQZbGhuf64VQ+ZIjdcLMfj0RJxNtlLFGPM+4jIIOSPLtpyEiSDCelcNARfOzlpe4ukin/eu2mLT6LLoG/RJJWwlWyE9wQZvwr3gcTzoGcAmuOFLH1D1krH436QDEbppWcl8j3RAivIAsEaZ8Maa4Fm3L7mBh5Qngx0slPktVg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=D0eU90t8GYQ50s5jjFUxLEcZhnRGwHeqjxc01zVDJ5Y=; b=DHZy3lOMrya0kwvuM4dOAtSsWhfVpZQ+i3MOxD8hXp1zJnIm76xWrsW4ZmmT5aizjtIlVeN1lXzNlwWNztThJdiIBf2snDGkLf3l1h4XtzxnUVW0pu+Gsf4aKQxo7ebMwNxX7mfEoZCflBDtX8FCsKZWKhPJQJYH1x/Tqj1p0t28TMfVn/IgXQ2SFS1hv6FojcFAVaFlll+l0Bl2QTg745mMJiwAdTqeh8Eh8o0Ohu+cBskkf0WCh+qUl1A/UlXMeiSK1As2AnF0yx2xMce477HEYTGBv/d3cfP/miPE0Xy3V4behGS4CGTMi4DUUap1bZeFlCCHbehxSSn1rxDpEA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=milesandmore.com; dmarc=pass action=none header.from=milesandmore.com; dkim=pass header.d=milesandmore.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lufthansagroup.onmicrosoft.com; s=selector1-lufthansagroup-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=D0eU90t8GYQ50s5jjFUxLEcZhnRGwHeqjxc01zVDJ5Y=; b=E2SJMMFU9nRo8v4evCu97e1RykrO6ObgLF3nA3Gulh41inej7cWHorM4rpFiuRlXTCHIXBADr27iiKMGRbwb7QaOqVTfzbT/WeSfGJMAuCnazBIKu7cgZIbD/npzjP4a91ch6MQNDMhBzMLcewoMcJtWtiw4/rn81OfYKLxpYAw=
Received: from AM0PR09MB2803.eurprd09.prod.outlook.com (2603:10a6:208:12a::26) by AM0PR09MB3828.eurprd09.prod.outlook.com (2603:10a6:208:17f::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3955.18; Thu, 18 Mar 2021 16:24:53 +0000
Received: from AM0PR09MB2803.eurprd09.prod.outlook.com ([fe80::8f3:8afe:b1ac:a202]) by AM0PR09MB2803.eurprd09.prod.outlook.com ([fe80::8f3:8afe:b1ac:a202%5]) with mapi id 15.20.3955.018; Thu, 18 Mar 2021 16:24:53 +0000
From: "SOMMER, DOMINIK" <dominik.sommer@milesandmore.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Authorization handover from mobile app to website
Thread-Index: AdcXaacLNtOdMDj0St6EfHA8PBlqLQAU63GAARU/U8A=
Date: Thu, 18 Mar 2021 16:24:43 +0000
Deferred-Delivery: Thu, 18 Mar 2021 16:24:15 +0000
Message-ID: <AM0PR09MB2803921ED89FBD965ACB76BAF3699@AM0PR09MB2803.eurprd09.prod.outlook.com>
References: <AM0PR09MB2803A357A8B7E19CEC415A52F36F9@AM0PR09MB2803.eurprd09.prod.outlook.com> <B2FF4E21-7FA9-411A-816D-CE30125EB99A@gmail.com>
In-Reply-To: <B2FF4E21-7FA9-411A-816D-CE30125EB99A@gmail.com>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=milesandmore.com;
x-originating-ip: [193.24.32.58]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 40482666-2f5c-4d22-ffe4-08d8ea2a5cbc
x-ms-traffictypediagnostic: AM0PR09MB3828:
x-microsoft-antispam-prvs: <AM0PR09MB382850B2C46D68D198848E5AF3699@AM0PR09MB3828.eurprd09.prod.outlook.com>
x-eop: bypass_spam_filtering
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: jk9zTBnV5UqYSxANs0rjx/fxdhDMj0m7UsA3TQSUlAmq2xIZLUgbLiSvFSVP0vL6dKZpfd+MDoLYTFmpLhahVEdvcBk54yf1gVu2gYdbCkd4GSbjDxa/+L3aq4xeZnMGKLYHqoWOWG7ZVfURZFJihsCgI6jWZwZnwe1CKunupS1loXRC74ynlb1q0hOCIjd9PW9xlIYboqPGf79hSU4wlWaaJt1dqODyKrvM/vKF7TqsTkVxUhuKX9v9/D3cM2uPk453onBn4a/6Cn2gs1Z0q6sWMrf6SMiYPCz6k4ZCkszEuGmA+THufKvlU7jck1DG/Bz9/Sj3vsQHApD4vqSPV2Uj6L+3Udu+PEt+1JwN/RF0bSP23Yyb/ciYM/E3/eIXqQ7qjY/3d9wMuiH6xfLY2x/0eV5dG5mxNcqka/KMYWEVbTGczEjmLknMO2orWMOK0txphC/arWMTBlD2SBJZhOb0dgEwILVSoI19WNT1bLTZKt9ks9NBShlcdHA2UA/87L1M3hkyZxdvEcH51nTBTGPCnD2LZSId/zh7dQo5QPH/4ayxagRQ4H4TI5Gugy0cKGUeFSx/n5gAh0Sq7ErKHsPmkNN6P5yzVktS+Nw27gyaRUea1Mh5Uyz/KabAWiJ9bOlSicE5B2Ax42JQKDK+9NP32wH9ym9EbDqtLYh8d/5MecoDWmBeDi9GchRByys5rQFnQYrbR1nHNuA4/s9hLw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM0PR09MB2803.eurprd09.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(366004)(39860400002)(136003)(396003)(346002)(376002)(64756008)(9686003)(76116006)(66446008)(66476007)(6666004)(316002)(19627235002)(83380400001)(2906002)(66574015)(8676002)(86362001)(55016002)(66556008)(8936002)(166002)(66946007)(71200400001)(38100700001)(966005)(26005)(478600001)(5660300002)(186003)(33656002)(6506007)(7696005)(52536014)(6916009); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: FKijdJHLPOnGkgSmI1q1jZfLtP80pSNiQPzyjB5eUCCWMWUFRDQnFgNUHfKPyFhTOCMU8gU2i7EzYdsC3+4XUAqGz6J1LMETuwXqkaFEQWG0Hrn/tgirTXkaizeOqc4uc1QG5RVxaau5aE3NBnJ+PAC3wKmiYgr6WogdbRIJpH/nv7PVOSNCJucIPyvSTdQ/qJhqprmbyJeb7NHnNEV2BSV0kuKQf8PuukN0HDeJXbXr+bqJ6PbNBzlafx/E+vYDgSm6hiwjStfuRfgvDfAi8N+AOdu5YC9LIJmzQrsFpiBz3TZyzGokoZhSBMdsab9BwpdhhhRfDY+ngpntw3vs0rV+PdwIDJNErjmwTExLkxpcgmfdhZSmRxSvxWOQD1014opGdFAjKXF3p5G24ucozoJCO20fVTz9acg5+eJxBgMD6eRT13LiIlhc+sBF2APEtIlmy1/gmAJvh/8LwLgOrO2rRIi2sXCATkxcxHsacAHVD9IDxbecJLCybhspra5OjZ/l4fwuhezd2esVA7d+HfPeWANWSjS7npN+VRCscLKJF1sfUDAelQ3glQl+XNAfAgkdMZMssZD2z5U4if/Inq/1u08KuSC4G0+DVwgZHnIqtHG2DPPcTwLG20sk9RFFYNqWapJtNYXK8pT5JE1u6vx/HjKf2efw5RSjD6G+UYDoiF1ar1FfUmN7xVMkvXLi3HodxvWb5yzorEAOFmZhl1KoXhpbeltKJiIh2IhOrTcT3K/UWdwNtraQkvfZ0PeOeVEbslhp/9Qg4MrgYmZv3ECFX2QKfvxgsz4+kemVYOURnCa/h+3hYrmrzoZBCcOsPZwwlXAdZhvwmFeOqTcp4yqrQeJoIbXB4U+GHGvZhS8dZI6C38Qreca4Z0NZu4Cw2cHAbhR+uLGMaZpEeGqF0dgbdTRPMvHhqcImETcPmATMmfTZ5QYzH8s6FqUyON638Tz22Nmn4i+F+TerQezrO7TIj5XwG6dF7Xrg0dgeGcPXaPL5ndpKUccazZSEPAiOXhMNi+QRmr67sYvor81d8i8I0Gdxk3W72raO66ruBlnJL/Vz+ue/hGA3+gC9ribQFTGrqCk4ZaNA3qxaYQB+pOZDyxw1jkgDt47podztIC/UZowjaG+cMzqD8DNiqP6+A9x8XF70HJ49AnQ1AFzmQXeMMKcZJ5JwLzyxqIgkknaJBX7x3MFUB5apMgSpf36qu5at1A31oWmsNxmOUsK9cHWeTy6pV1qT8P1M5uK//SfGhyZeVXVx6ZQykMG3D2zVtZq+ntUETx0WxaK8+TFfESomddbF43CA7vVdZjQXKm6sOu5cM92EH1JNq3UTXXb3
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_AM0PR09MB2803921ED89FBD965ACB76BAF3699AM0PR09MB2803eurp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AM0PR09MB2803.eurprd09.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 40482666-2f5c-4d22-ffe4-08d8ea2a5cbc
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Mar 2021 16:24:53.7032 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72e15514-5be9-46a8-8b0b-af9b1b77b3b8
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: DItS3wczntzbfdkEFQSMEaQNoZyZ8/yiTGpZxJYXdPtlPP6SHRnRTxFxkqJtfuvhyb2YapGdcoPQDW5/wMHy8nRwAzHkyBqHr3agaiGb2z8=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR09MB3828
X-OriginatorOrg: milesandmore.com
X-EXCLAIMER-MD-CONFIG: 5a548768-c397-4167-aef4-f33627bbf3ec
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Efc9P7Cyol54yZASPDVreMHXxVY>
Subject: Re: [OAUTH-WG] Authorization handover from mobile app to website
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Mar 2021 16:25:02 -0000
I have to admit I can’t read the slides, and the flows aren’t quite self-explanatory. However, just based on the headline I can’t quite figure out how to make a client “in the wild” (= the mobile app) a trusted IdP for a backend. This would basically allow anyone reverse-engineering the app (and it’s keypair) to generate arbitrary ID tokens. However, I probably get something wrong ☺ - Dominik Von: Nov Matake <matake@gmail.com> Gesendet: Samstag, 13. März 2021 05:00 An: SOMMER, DOMINIK <dominik.sommer@milesandmore.com> Cc: oauth@ietf.org Betreff: Re: [OAUTH-WG] Authorization handover from mobile app to website You can make your app an OIDC self-issued IdP for your website. One of my clients are using the mechanism for Native App SSO, where an OIDC self-issued IdP embedded in the Native App is acting as IdP for the backend IdP server. Unfortunately I have no english document now, but this slide describes the mechanism. https://speakerdeck.com/rtechkouhou/openid-connect-self-issued-idpwoying-yong-sitasingle-sign-onfalseshi-zhuang iPadから送信 2021/03/13 3:24、SOMMER, DOMINIK <dominik.sommer@milesandmore.com<mailto:dominik.sommer@milesandmore.com>>のメール: Hi all, we have recently launched a mobile app that uses our website’s login and authorization code flow to authenticate and authorize user access (following RFC8252). However, not all of our website features are natively ported to the app itself. Some are only available on the website in logged-in state. That’s why we implemented an authorization handover mechanism based on one-time login codes: This allows the app (in logged-in state) to open a web view and hand over authentication & authorization, effectively logging the user in on the website. This achieves a seamless experience for the user without compromising on security. We came up with this mechanism after researching for prior practice, but we couldn’t find anything applicable for this scenario. Hence, three questions to the list: 1. Did we miss anything in our research? Is there a common best practice available? 2. If the answer to 1. is “No”, would the working group appreciate an RFC draft describing the solution we came up with? (We’d be eager for comments to make it even more secure ☺ ) 3. If the answer to 2. is “Yes”, can someone point me to documentation on the procedure, if such exist? Thanks for your support and best regards, Dominik Sitz der Gesellschaft / Corporate Headquarters: Miles & More GmbH, Frankfurt am Main, Registereintragung / Registration: Amtsgericht Frankfurt am Main HRB 116409 Geschaeftsfuehrung / Management Board: Sebastian Riedle, Dr. Oliver Schmitt Sitz der Gesellschaft / Corporate Headquarters: Miles & More GmbH, Frankfurt am Main, Registereintragung / Registration: Amtsgericht Frankfurt am Main HRB 116409 Geschaeftsfuehrung / Management Board: Sebastian Riedle, Dr. Oliver Schmitt _______________________________________________ OAuth mailing list OAuth@ietf.org<mailto:OAuth@ietf.org> https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Authorization handover from mobile app… SOMMER, DOMINIK
- Re: [OAUTH-WG] Authorization handover from mobile… George Fletcher
- Re: [OAUTH-WG] Authorization handover from mobile… Nov Matake
- Re: [OAUTH-WG] Authorization handover from mobile… SOMMER, DOMINIK