Re: [OAUTH-WG] OAuth2/OIDC for client-server mobile app
John Bradley <ve7jtb@ve7jtb.com> Thu, 26 January 2017 18:00 UTC
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E1D7F1298D3 for <oauth@ietfa.amsl.com>; Thu, 26 Jan 2017 10:00:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ve7jtb-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rech8ERnHZN1 for <oauth@ietfa.amsl.com>; Thu, 26 Jan 2017 10:00:23 -0800 (PST)
Received: from mail-io0-x22d.google.com (mail-io0-x22d.google.com [IPv6:2607:f8b0:4001:c06::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E7E9B1298BA for <oauth@ietf.org>; Thu, 26 Jan 2017 10:00:22 -0800 (PST)
Received: by mail-io0-x22d.google.com with SMTP id v96so42815557ioi.0 for <oauth@ietf.org>; Thu, 26 Jan 2017 10:00:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=eqG9/hYBOdpcty8HMZBD+8Rq0823GB7kqigKereyJu0=; b=Z1ydT9AUM+IykL7DDQU3Zslyb/9eIcU+vCX8Hd6YTWcSxr3XVHDuHuXZDtjpsJFFS1 XB9wNnY2/b10gHErfNgKoBKK83My57jPxKyCO0r3fCFmd41+tdc25Uf3qWKwNNBpYqgg MrdFwXuLkk2q5YEbyD48W0TntMJAamsmc3/WE3fxrhRrxxeYjyuxqCNoiCzxm7ESaj7g DzXEH6YI+o69ZvtgOhX9xbzL1wdJKQR6FC4v55ABLRX/bTnn4V5/PsGGNANv/ljOlzBM vPGWiikNfNANX2iSXlDe/9oJoTEEMuBhgP/DbwHCqAAesct8KRLQCg0iEli0H+tTVByZ 6GYQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=eqG9/hYBOdpcty8HMZBD+8Rq0823GB7kqigKereyJu0=; b=d9nAlL6niuVVS25+fTrgVI++T2x4C3X/qOc4+acxP4fDn8xxlXMq3gwi8qiLE86V4r BqIQaVOniXvaWIFOo29sz06g+IMPkX8g51a57napoUhbIyOgEcxjJ91jbrrCxNmVQB/R Jp1X1wMDAbRn32EHFyAtuhUzZayoXnS2+1gCnus3+RK360PKzLjC9A6qWRGXt//AAHuM WVRdHzsNSAlx/xB2iQeQmfEO1kSJb3Gab6xej0HcQ+hDAemk7Vo5NCoSyKrqp4JNFoC5 egTuhIWg0+n8WLE3pbZZuzQ9/7df8yEv1q6SNNdjzsq4wHiqls2khjrw1Yy2WFzBzqU7 Rk1A==
X-Gm-Message-State: AIkVDXI0q3uywvqvf6QnqRAlU3+kfT7XT0gOTebewijPB0IfgLV/dRGDd0UKVObEnusM0O5GS2afU8aeCIHwgRUe
X-Received: by 10.107.140.193 with SMTP id o184mr4052427iod.17.1485453621904; Thu, 26 Jan 2017 10:00:21 -0800 (PST)
MIME-Version: 1.0
Received: by 10.79.150.207 with HTTP; Thu, 26 Jan 2017 10:00:21 -0800 (PST)
X-Originating-IP: [64.114.255.114]
Received: by 10.79.150.207 with HTTP; Thu, 26 Jan 2017 10:00:21 -0800 (PST)
In-Reply-To: <be34721f2dbd38434edadcef5658131a@nleyten.com>
References: <ffc794a133b4b5fb341a0590c6848034@nleyten.com> <5889010c.06d0620a.31d79.5dd8@mx.google.com> <CA+k3eCQ69_+7JEZN30OpOwfW-cy1Dmu6-K84geLLvrjWxpt=7A@mail.gmail.com> <823CE48E-D778-4704-B13D-B6C302ED14D6@oracle.com> <093116990b28d9837f42a7477fc09d80@nleyten.com> <CAANoGhKON-a22CjHTGe3AsSGR=epFZ_YLpKSt9DzrcZ1fY6mPA@mail.gmail.com> <be34721f2dbd38434edadcef5658131a@nleyten.com>
From: John Bradley <ve7jtb@ve7jtb.com>
Date: Thu, 26 Jan 2017 15:00:21 -0300
Message-ID: <CAANoGh+YdPhvpNfPcWcQVKF1iO+jdrtPMVRRiTp2+GUq2LCD4A@mail.gmail.com>
To: Dario Teixeira <dario.teixeira@nleyten.com>
Content-Type: multipart/alternative; boundary="94eb2c0635b876e5b50547031fc7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/GMPZlGshvI5btZHotoxp9M7xNbg>
Cc: IETF oauth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth2/OIDC for client-server mobile app
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Jan 2017 18:00:25 -0000
Justin and I are recommending different approaches. My recommendation is that your app do appAuth to your server to get a access token for your API. Your server performs openid connect to google, SAML to salesForce or Facebook Connect to Facebook and manages verification keys. If the user is authenticated by the IdP it then authorizes your app on the device to access your API. Justin is recommending that you build a client/relying party for each IdP into your native app and pass the results of authentication ID_token, Facebook signed request etc to your back end server for it to verify and issue some cookie or webkey (probably not OAuth token) to your App for accessing your API. My recommendation allowed you to protect your API using OAuth and to add or modify IdP for your users without redeploying your native app. Justin's approach avoids you needing to run a OAuth authorization server. ( He has a great open source one you could use). I think it is a style diffrence. I think separating authorization and authentication into two steps is cleaner and easier to maintain over the long term. John B. On Jan 26, 2017 8:51 AM, "Dario Teixeira" <dario.teixeira@nleyten.com> wrote: > Hi, > > https://tools.ietf.org/html/draft-ietf-oauth-native-apps [2] >> >> They are OpenID foundation library's not Google's. Google, Ping and >> a number of others are active contributors if you look at the git >> repositories. >> > > Thanks for the link. Perhaps I'm missing something, but the AppAuth > pattern as described by this document represents only half the picture: > at the end of the interaction, the native app is in possession of a > token that authenticates the user. However, my server cannot accept > that token blindly! > > Now, the way I would solve this is by keeping a hard-coded list of > OpenID Provider public keys on my server, which I would use to > verify that the token was indeed signed by the OIP. Correct me > if I'm wrong, but this also seems to be the recommended approach, > right? > > Thanks again for your time! > Best regards, > Dario Teixeira > >
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… ve7jtb
- [OAUTH-WG] OAuth2/OIDC for client-server mobile a… Dario Teixeira
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… Justin Richer
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… Phil Hunt
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… ve7jtb
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… Brian Campbell
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… Phil Hunt (IDM)
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… Dario Teixeira
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… Dario Teixeira
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… Dario Teixeira
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… Dario Teixeira
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… John Bradley
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… Dario Teixeira
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… Phil Hunt (IDM)
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… John Bradley
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… Phil Hunt (IDM)
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… Dario Teixeira
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… John Bradley
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… Dario Teixeira
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… ve7jtb
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… Phil Hunt (IDM)
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… ve7jtb