[OAUTH-WG] best practice for Native app + state param?

Adam Lewis <adam.lewis@motorolasolutions.com> Tue, 19 January 2016 15:19 UTC

To: OAuth WG <oauth@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/ExZbDfpDJq2F5EeOdILUmmmx6KQ>

Hi,

I have not been able to find any usage for the state parameter in
authorization requests for native apps.  Further, the spec guidance of
using a hash of the session cookie as the value of the state param doesn't
apply for native apps.

draft-wdenniss-oauth-native-apps is silent on the matter.

Usage of state seems to be unique to clients conforming to the web app
profile.

Bottom line, looking to vet that it's safe to omit the state parameter in
the authorization request for native apps, and that I'm not missing
something critical.
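The question above is what a native app would even bind `state` to, given that it has no server-side session cookie to hash. As an added illustration (editor's example, not part of the original message or of any draft), the following shows the alternative a native client has: treat `state` as a fresh random nonce, keep it in process memory for the lifetime of the pending request, and refuse any redirect whose `state` is missing, unknown or already consumed. The authorization endpoint, client id and private-use redirect URI scheme are assumed placeholders.

```python
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Assumed placeholder values for the example; none come from the original message.
AUTHZ_ENDPOINT = "https://as.example.com/authorize"
CLIENT_ID = "native-app-client-id"
REDIRECT_URI = "com.example.app:/oauth2redirect"   # private-use URI scheme


class StateError(Exception):
    """Raised when a redirect carries a missing, unknown or reused state."""


def parse_redirect_params(url):
    """Check the redirect targets our registered URI and return its query params."""
    parts = urlsplit(url)
    if f"{parts.scheme}:{parts.path}" != REDIRECT_URI:
        raise StateError("redirect did not target the registered redirect URI")
    # Keep only the first value of each parameter; duplicates are not expected.
    return {key: values[0] for key, values in parse_qs(parts.query).items()}


class NativeAppClient:
    """Authorization-code client that remembers pending state values in memory.

    A native app has no session cookie to derive state from, so the value is a
    random nonce generated per request and forgotten once the redirect returns.
    """

    def __init__(self):
        self._pending = {}  # state value -> what the request asked for

    def build_authorization_url(self, scope):
        # 256 bits from the OS CSPRNG; the alphabet is already URL-safe.
        state = secrets.token_urlsafe(32)
        self._pending[state] = {"scope": scope}
        params = {
            "response_type": "code",
            "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI,
            "scope": scope,
            "state": state,
        }
        return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"

    def pending_states(self):
        """State values of requests still waiting for a redirect (for inspection)."""
        return list(self._pending)

    def pending_count(self):
        return len(self._pending)

    def handle_redirect(self, url):
        """Validate the incoming redirect and return the code plus request context."""
        params = parse_redirect_params(url)
        state = params.get("state")
        if state is None:
            raise StateError("redirect carried no state parameter")
        # pop() makes each state single-use, so a replayed redirect is rejected too.
        context = self._pending.pop(state, None)
        if context is None:
            raise StateError("state does not match any request this app started")
        if "error" in params:
            raise ValueError(f"authorization server returned error: {params['error']}")
        code = params.get("code")
        if not code:
            raise ValueError("redirect carried no authorization code")
        return {"code": code, "scope": context["scope"]}


if __name__ == "__main__":
    client = NativeAppClient()
    url = client.build_authorization_url("openid")
    print("open in system browser:", url)
    # Constructed redirect, standing in for what the OS hands back to the app.
    state = client.pending_states()[0]
    print(client.handle_redirect(f"{REDIRECT_URI}?code=constructed-code&state={state}"))
```

The pending table is the native-app substitute for the session cookie: the redirect is only accepted if it matches a request this very process started, which is what the `state` check is meant to establish in the web-app profile as well. Note that this check is about binding the redirect to the app's own outstanding request; it does not by itself address an authorization code being intercepted by another app registered for the same private-use scheme, which is a separate concern in the native-app draft.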