Re: [OAUTH-WG] Native Application Text
Mark Mcgloin <mark.mcgloin@ie.ibm.com> Fri, 01 July 2011 08:10 UTC
To: Anthony Nadalin <tonynad@microsoft.com>
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
In-Reply-To: <B26C1EF377CB694EAB6BDDC8E624B6E723143605@CH1PRD0302MB115.namprd03.prod.outlook.com>
Message-ID: <OF1842DF5A.C0E86296-ON802578C0.002CB04D-802578C0.002CE7FE@ie.ibm.com>
This assumes we support the authorization code grant type without client authentication. See http://www.ietf.org/mail-archive/web/oauth/current/msg06816.html and many other contributions on the same topic.

Regards
Mark

oauth-bounces@ietf.org wrote on 29/06/2011 02:15:10:

> From: Anthony Nadalin <tonynad@microsoft.com>
> To: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
> Date: 29/06/2011 02:15
> Subject: [OAUTH-WG] Native Application Text
> Sent by: oauth-bounces@ietf.org
>
> 9. Native Applications
>
> A native application is a client which is installed and executes on the end-user's device (i.e. desktop application, native mobile application, etc.). Native applications may require special consideration related to security, platform capabilities, and overall end-user experience. The following are examples of how native applications may utilize OAuth:
>
> o Initiate an Authorization Request using an external user-agent: The native application can capture the response from the authorization server using a variety of techniques such as the use of the various methods for redirection including a URI identifying a custom URI scheme (registered with the operating system to invoke the native application as handler), manual copy-and-paste, running a local webserver, browser plug-ins, or by providing a redirection URI identifying a server-hosted resource under the native application's control, which in turn makes the response available to the native application.
>
> o Initiate an Authorization Request using an embedded user-agent: The native application obtains the response by directly communicating with the embedded user-agent. Techniques include monitoring state changes emitted during URL loading, monitoring http headers, accessing the user-agent's cookie jar, etc.
>
> When choosing between launching an external user-agent and an embedded user-agent, native application developers should consider the following:
>
> o External user-agents may improve completion rate as the end-user may already have an active session with the authorization server removing the need to re-authenticate, and provide a familiar user-agent user experience and functionality. The end-user may also rely on extensions or add-ons to assist with authentication (e.g. password managers or 2-factor device reader).
>
> o Embedded user-agents may offer an improved end-user flow, as they remove the need to switch context and open new windows.
>
> o Embedded user-agents pose a security challenge because end-users are authenticating in an unidentified window without access to the visual protections found in many of the external user-agents. Embedded user-agents educate end-users to trust unidentified requests for authentication (making phishing attacks easier to execute).
>
> When choosing between implicit and authorization code grant types, the following should be considered:
>
> o Native applications that use the authorization code grant type flow SHOULD do so without using client password credentials, due to the native application's inability to keep those credentials secure.
>
> o When using the implicit grant type flow a refresh token is not returned.
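The quoted text lists "running a local webserver" as one way for a native application to capture the authorization response from an external user-agent, and recommends the authorization code grant without client password credentials. The following is an added example (not code from the thread or from any OAuth implementation discussed in it) showing that combination: the app starts a loopback webserver on an ephemeral port, binds the request to a random `state` value, rejects any redirect whose `state` does not match, and builds a token request that carries only `client_id`, no `client_secret`. The endpoint URL, client identifier and the authorization code value are constructed placeholders, and the browser and authorization server are stood in for by a function that simply requests the redirect URI.

```python
import secrets
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical values for the example; the thread names no endpoint or client.
AUTHZ_ENDPOINT = "https://authz.example/authorize"
CLIENT_ID = "native-app-example"


class PendingRequest:
    """Bookkeeping for one authorization request the native app has started."""

    def __init__(self):
        self.state = secrets.token_urlsafe(16)  # ties the response to this request
        self.code = None
        self.error = None


def build_authorization_url(pending, redirect_uri):
    """URL the app hands to the external user-agent (the system browser)."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": redirect_uri, "state": pending.state}
    return AUTHZ_ENDPOINT + "?" + urllib.parse.urlencode(params)


def parse_redirect(pending, path):
    """Extract the code from the redirect that hit the local webserver.
    A redirect whose state does not match is rejected, so a response planted
    by some other page cannot inject a foreign authorization code."""
    params = urllib.parse.parse_qs(urllib.parse.urlparse(path).query)
    state = params.get("state", [""])[0]
    if not secrets.compare_digest(state, pending.state):
        raise ValueError("state mismatch: response does not belong to this request")
    if "error" in params:
        raise ValueError("authorization server returned error: " + params["error"][0])
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    return codes[0]


def build_token_request(code, redirect_uri):
    """Token request for a public client: client_id only, no client_secret,
    since a secret shipped inside the native binary cannot be kept secret."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": redirect_uri, "client_id": CLIENT_ID}


def make_handler(pending):
    class RedirectHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            try:
                pending.code = parse_redirect(pending, self.path)
                status, body = 200, b"Authorization complete; you may close this window."
            except ValueError as exc:
                pending.error = str(exc)
                status, body = 400, b"Authorization failed."
            self.send_response(status)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the example quiet
            pass

    return RedirectHandler


def capture_response(pending, open_user_agent):
    """Serve exactly one redirect on a loopback port, calling
    open_user_agent(redirect_uri) to start the flow; returns (code, redirect_uri)."""
    server = HTTPServer(("127.0.0.1", 0), make_handler(pending))
    server.timeout = 5  # give up if no redirect ever arrives
    redirect_uri = "http://127.0.0.1:%d/callback" % server.server_address[1]
    worker = threading.Thread(target=server.handle_request)
    worker.start()
    try:
        open_user_agent(redirect_uri)
        worker.join()
    finally:
        server.server_close()
    if pending.error:
        raise ValueError(pending.error)
    if pending.code is None:
        raise ValueError("no redirect received")
    return pending.code, redirect_uri


def run_flow(state_override=None):
    """Drive the flow offline. The browser and authorization server are replaced
    by a constructed redirect; the code value is a made-up sample."""
    pending = PendingRequest()
    sample_code = "SplxlOBeZQQYbYS6WxSbIA"  # constructed sample, not a real credential

    def fake_user_agent(redirect_uri):
        build_authorization_url(pending, redirect_uri)  # what a real app would open
        state = pending.state if state_override is None else state_override
        url = redirect_uri + "?" + urllib.parse.urlencode({"code": sample_code, "state": state})
        try:
            urllib.request.urlopen(url).read()
        except urllib.error.HTTPError:
            pass  # our handler answered 400; the app reports the failure itself

    try:
        code, redirect_uri = capture_response(pending, fake_user_agent)
    except ValueError as exc:
        return {"error": str(exc)}
    return {"token_request": build_token_request(code, redirect_uri)}


if __name__ == "__main__":
    print(run_flow())
    print(run_flow(state_override="forged"))
```

`run_flow()` yields a token request with `grant_type`, `code`, `redirect_uri` and `client_id` and nothing else; `run_flow(state_override="forged")` yields an error, because the loopback handler refuses a redirect that was not produced in answer to the request the app itself started.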