Re: [OAUTH-WG] OAuth2/OIDC for client-server mobile app

Torsten Lodderstedt <torsten@lodderstedt.net> Wed, 25 January 2017 21:07 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 109E3129BFA for <oauth@ietfa.amsl.com>; Wed, 25 Jan 2017 13:07:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.757
X-Spam-Level:
X-Spam-Status: No, score=-3.757 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-1.156, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mvZcpwehqyrc for <oauth@ietfa.amsl.com>; Wed, 25 Jan 2017 13:07:23 -0800 (PST)
Received: from smtprelay06.ispgateway.de (smtprelay06.ispgateway.de [80.67.18.29]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0AE82129BF8 for <oauth@ietf.org>; Wed, 25 Jan 2017 13:07:22 -0800 (PST)
Received: from [87.143.172.172] (helo=[192.168.71.161]) by smtprelay06.ispgateway.de with esmtpsa (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.84) (envelope-from <torsten@lodderstedt.net>) id 1cWUmj-0000rj-TI; Wed, 25 Jan 2017 22:07:17 +0100
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-Id: <FF6CC1BD-8F92-414A-9E10-7A076A6E261F@lodderstedt.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_2EEBDF87-E555-49A2-B698-719826912EF6"
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Date: Wed, 25 Jan 2017 22:07:15 +0100
In-Reply-To: <823CE48E-D778-4704-B13D-B6C302ED14D6@oracle.com>
To: Phil Hunt <phil.hunt@oracle.com>
References: <ffc794a133b4b5fb341a0590c6848034@nleyten.com> <5889010c.06d0620a.31d79.5dd8@mx.google.com> <CA+k3eCQ69_+7JEZN30OpOwfW-cy1Dmu6-K84geLLvrjWxpt=7A@mail.gmail.com> <823CE48E-D778-4704-B13D-B6C302ED14D6@oracle.com>
X-Mailer: Apple Mail (2.3259)
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC5uZXQ=
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/HWYndoSw5GQwDnS931TLkdL5Vk0>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth2/OIDC for client-server mobile app
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Jan 2017 21:07:28 -0000

+1

> Am 25.01.2017 um 21:32 schrieb Phil Hunt (IDM) <phil.hunt@oracle.com>:
> 
> +1 to AppAuth
> 
> One disturbing pattern I see for mobile apps relaying the idtoken is that the aud isn't checked by the AS in the Oauth exchange. This in part caused by the fact that the mobile app has two client-id identifiers. If the aud only has the clientid for the OIDC call this can be a problem if the AS doesn't know what that id is (since it didnt issue the id). If the issued id token does not have an aud value the AS can recognize it should be rejected.
> 
> Phil
> 
> On Jan 25, 2017, at 12:24 PM, Brian Campbell <bcampbell@pingidentity.com <mailto:bcampbell@pingidentity.com>> wrote:
> 
>> +1 to the AppAuth pattern
>> 
>> On Wed, Jan 25, 2017 at 12:48 PM, <ve7jtb@ve7jtb.com <mailto:ve7jtb@ve7jtb.com>> wrote:
>> There are a number of patterns that people use.
>> 
>>  
>> 
>> I prefer the AppAuth pattern where the native app is a OAuth client to your server and you are protecting your API with OAuth.   Your AS becomes a Connect/SAML/Twitter auth/ Facebook etc relying party and uses federated or local authentication to issue tokens.  (this gives your backend API access to user info)
>> 
>>  
>> 
>> The other pattern is for the native app to be a Connect client to Google or other IdP and then passes a id_token (not access token) to your backend in some secure manor and your backend validates the signature on the id_token and that it was issued to your client (verification is essential) (the native app gets access to user info api)  You still have the problem of how you secure your API, as you need to exchange the validated id_token with something.   I thnk that doing this securely winds up being more complicated than the first option.
>> 
>>  
>> 
>> There are other options that may not be allowed by the IdP where your backend is the Connect client and has a client secret.  The mobile app makes the request and gets the code back.   It then sends code and pkce verifier to it’s backend and the server exchanges it with it’s secret to get a id_token and access token.   You still need to add security for your API.  (custom scheme redirects for confidential clients may not be allowed depending on the Connect IdP)
>> 
>>  
>> 
>> I think the first option is the best design that gives the best long term design as new IdP can be added without changing the deployed app.
>> 
>>  
>> 
>>  
>> 
>> John B.
>> 
>>  
>> 
>> Sent from Mail <https://go.microsoft.com/fwlink/?LinkId=550986> for Windows 10
>> 
>>  
>> 
>> From: Dario Teixeira <mailto:dario.teixeira@nleyten.com>
>> Sent: January 25, 2017 7:59 AM
>> To: oauth@ietf.org <mailto:oauth@ietf.org>
>> Subject: [OAUTH-WG] OAuth2/OIDC for client-server mobile app
>> 
>>  
>> 
>> Hi,
>> 
>>  
>> 
>> I am building a mobile app and a server.  The mobile app fetches
>> 
>> user-specific data from the server, and therefore some sort of
>> 
>> authentication is required.  I would like to avoid the traditional
>> 
>> username+password scheme, and instead allow users to login via
>> 
>> Google or Facebook.  It seems the OAuth2-based OpenID Connect (OIDC)
>> 
>> is the recommended solution nowadays, so my question is about the
>> 
>> usage of OAuth2/OIDC in this scenario.
>> 
>>  
>> 
>> All OIDC docs and tutorials describe the interaction between three
>> 
>> parties: a Relying Party (RP), a User Agent (UA), and an OIDC
>> 
>> Provider (OIP).  There are however four parties in my scenario:
>> 
>> the mobile app, the server, the UA, and the OIP.  Which should
>> 
>> take the role of RP? I see two different ways to do this:
>> 
>>  
>> 
>> 1) The mobile app is the RP.  It even takes care of starting a
>> 
>>     small web server to receive the data from the OIP.  At the end
>> 
>>     of the interaction, the mobile app has a JWT signed by the OIP,
>> 
>>     which it sends to the server, which must validate it using a
>> 
>>     built-in list of OIP public signatures.
>> 
>>  
>> 
>> 2) The server is the RP.  When the user wishes to login, the mobile
>> 
>>     app asks the server about the OIP's authorization endpoint.
>> 
>>     The server provide the client with an URI whose redirect_uri
>> 
>>     parameter points to the server.  All subsequent steps are
>> 
>>     handled by the server.
>> 
>>  
>> 
>> Anyway, this seems like a fairly common scenario, and I would rather
>> 
>> follow some best-practices documentation instead of cooking up my
>> 
>> own schemes, like points 1 and 2 above.  Therefore, if there is
>> 
>> indeed such documentation, could someone please point me towards it?
>> 
>> And if not, which would be the recommended route, 1 or 2?
>> 
>>  
>> 
>> Thanks in advance for your attention!
>> 
>> Best regards,
>> 
>> Dario Teixeira
>> 
>>  
>> 
>> _______________________________________________
>> 
>> OAuth mailing list
>> 
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>>  
>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org <mailto:OAuth@ietf.org>
>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth