IETF Logo Mail Archive

Re: [OAUTH-WG] OAuth2/OIDC for client-server mobile app

"Phil Hunt (IDM)" <phil.hunt@oracle.com> Sat, 28 January 2017 01:45 UTC

Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C797129B61 for <oauth@ietfa.amsl.com>; Fri, 27 Jan 2017 17:45:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.417
X-Spam-Level:
X-Spam-Status: No, score=-7.417 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-3.199, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bL8ffneRGIIQ for <oauth@ietfa.amsl.com>; Fri, 27 Jan 2017 17:45:31 -0800 (PST)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BD58E12941D for <oauth@ietf.org>; Fri, 27 Jan 2017 17:45:31 -0800 (PST)
Received: from userv0022.oracle.com (userv0022.oracle.com [156.151.31.74]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id v0S1jUh8004750 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Sat, 28 Jan 2017 01:45:30 GMT
Received: from userv0122.oracle.com (userv0122.oracle.com [156.151.31.75]) by userv0022.oracle.com (8.14.4/8.14.4) with ESMTP id v0S1jThB001953 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Sat, 28 Jan 2017 01:45:30 GMT
Received: from abhmp0016.oracle.com (abhmp0016.oracle.com [141.146.116.22]) by userv0122.oracle.com (8.14.4/8.14.4) with ESMTP id v0S1jTjH007112; Sat, 28 Jan 2017 01:45:29 GMT
Received: from [25.248.207.127] (/24.114.41.213) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Fri, 27 Jan 2017 17:45:28 -0800
Content-Type: multipart/alternative; boundary="Apple-Mail-1559A4A9-C400-4F03-9598-C4D8859DE3C5"
Mime-Version: 1.0 (1.0)
From: "Phil Hunt (IDM)" <phil.hunt@oracle.com>
X-Mailer: iPhone Mail (14C92)
In-Reply-To: <588bf27e.c16f630a.5cac3.9bb1@mx.google.com>
Date: Fri, 27 Jan 2017 17:45:24 -0800
Content-Transfer-Encoding: 7bit
Message-Id: <E0830F7E-7AD3-4DD8-87F3-663BF9F48BA1@oracle.com>
References: <ffc794a133b4b5fb341a0590c6848034@nleyten.com> <5889010c.06d0620a.31d79.5dd8@mx.google.com> <CA+k3eCQ69_+7JEZN30OpOwfW-cy1Dmu6-K84geLLvrjWxpt=7A@mail.gmail.com> <823CE48E-D778-4704-B13D-B6C302ED14D6@oracle.com> <093116990b28d9837f42a7477fc09d80@nleyten.com> <CAANoGhKON-a22CjHTGe3AsSGR=epFZ_YLpKSt9DzrcZ1fY6mPA@mail.gmail.com> <be34721f2dbd38434edadcef5658131a@nleyten.com> <CAANoGh+YdPhvpNfPcWcQVKF1iO+jdrtPMVRRiTp2+GUq2LCD4A@mail.gmail.com> <b9d02304725cc8e646cb68b682809328@nleyten.com> <CAANoGhJ0ojaEV8FNvtuOhyRMMeX6rp3sieyvqdRhoU-EDo3hFw@mail.gmail.com> <d5385881b1aeb7d87146cc2b22027799@nleyten.com> <588bf27e.c16f630a.5cac3.9bb1@mx.google.com>
To: ve7jtb@ve7jtb.com
X-Source-IP: userv0022.oracle.com [156.151.31.74]
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Gm_luVvzRmajyMR_0JTT2uAbR14>
Cc: IETF oauth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth2/OIDC for client-server mobile app
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Jan 2017 01:45:33 -0000

What is concerning is that many are using resource owner flow so the client app can capture the uid/password under the assumption that the client needs to control the branding experience much has been done in silo approaches of the past. 

Adding to the confusion I note that many of the cloud provider site docs do not clearly distinguish mobile apps from web apps. Mobile app developers arw reading docs and telling me that oracle, google, and azure require the mobile app to register for an openid client id. 

Near as I can tell it is confusion over the difference between authz and authN. 

Phil

> On Jan 27, 2017, at 5:23 PM, ve7jtb@ve7jtb.com wrote:
> 
> It sounds like you are currently doing something like the OAuth resource owner flow.
>  
> Is there a Authorization server currently associated with your resource server?
>  
> If so you can change the OAuth flow you are using to the code one as described in App Auth.
>  
> You still need to authenticate the users at your server using the current  username and password or via OpenID Connect to Google.
>  
> This is a two step process.  If you try to combine them by trying to make your NA the connect client you may save a step in the short term but will regret it in the long term when you decide to add another identity provider like Microsoft etc.
>  
>  
> OAuth from the NA to your server to authorize the native app, and your server to Google via Connect to Authenticate the user.
>  
> Regards
> John B.
>  
>  
>  
>  
> Sent from Mail for Windows 10
>  
> From: Dario Teixeira
> Sent: January 27, 2017 9:16 AM
> To: John Bradley
> Cc: Phil Hunt; IETF oauth WG
> Subject: Re: [OAUTH-WG] OAuth2/OIDC for client-server mobile app
>  
> Hi,
>  
> Thanks for your reply and your patience!
>  
> > Our recommendations are based on the assumption that the end state
> > is your app having an access token for your rest API.
> > If that is not what you are trying to do then we may be talking at
> > cross purposes.
>  
> Yes, that is exactly the end state I'm looking for, though there
> is a chance there is some misunderstanding about the whole picture.
> Allow me to summarise the current situation:
>  
> Users interact with a Native App (NA) running on a mobile phone.
> This app talks with a Resource Server (RS) via a RESTful API.
> Because there is private user data on the RS, the very first
> interaction between the NA and the RS is a login where the NA asks
> the user for an email+password combination, which it then sends
> to the RS.  If the email+password combination is valid, the RS
> replies with an access token that must be used by the NA in all
> its future requests.
>  
> This works fine, but has the disadvantage of requiring users to
> manually enter their email and password. The user experience would
> be much improved if users had the option to login using their Google,
> Facebook, or Github account.
>  
> Now, it is my understanding that OpenID Connect is the technology
> used nowadays to provide this sort of Single Sign-On.  All I'm
> looking for is documentation on how OIDC is actually implemented
> in this scenario.
>  
> Best regards,
> Dario Teixeira
>  
>

v2.23.0 | Report a Bug | By Email