[OAUTH-WG] Re: Call for adoption - First Party Apps

Neil Madden <neil.e.madden@gmail.com> Wed, 04 September 2024 21:45 UTC

Return-Path: <neil.e.madden@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3366DC1D6219 for <oauth@ietfa.amsl.com>; Wed, 4 Sep 2024 14:45:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.112
X-Spam-Level:
X-Spam-Status: No, score=-1.112 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, MIME_HTML_ONLY=0.1, MIME_HTML_ONLY_MULTI=0.001, MIME_QP_LONG_LINE=0.001, MPART_ALT_DIFF=0.79, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NDYCRtcpPRBE for <oauth@ietfa.amsl.com>; Wed, 4 Sep 2024 14:45:23 -0700 (PDT)
Received: from mail-ed1-x536.google.com (mail-ed1-x536.google.com [IPv6:2a00:1450:4864:20::536]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EC977C1D6FAC for <oauth@ietf.org>; Wed, 4 Sep 2024 14:45:22 -0700 (PDT)
Received: by mail-ed1-x536.google.com with SMTP id 4fb4d7f45d1cf-5c3c34e3c39so138853a12.2 for <oauth@ietf.org>; Wed, 04 Sep 2024 14:45:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1725486321; x=1726091121; darn=ietf.org; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :content-transfer-encoding:from:from:to:cc:subject:date:message-id :reply-to; bh=7Bvi0jH3Boi4+PmYLukPpBfzbYhfm4k0dTNt8UyCJEQ=; b=fcJVDEM9r6UeInTmNXzML+pMSdeKKN8f4aAG6h/8dJ/hr1LW0+UIms2yvIg9gcPLdi FIujtK465/eoj20TutpfF/YbvtiXziVv3QZ+UTzpb3ioyCu9XkmrTTarfi4uG1hjtpBL CS+n+ryKC+rxLzXtYlAuiu/4lVt0qa2iwR/BlmqkRCLJ/7jQMFOyI5zPYk6r0oWhkQcg YqpYIqNg5n+k59X3fr6FvDbCUw+WJX93icWskCHNHOOA/Ue88vTim4AYeSaJxVM4Cavo gRCSU5MaJecJ7FhyfZER97qbtUKnPmPcbvb7JvC9+Mrk+KkbmbQZ6ZZyZ1O4MIR/G2G+ WgNg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1725486321; x=1726091121; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :content-transfer-encoding:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=7Bvi0jH3Boi4+PmYLukPpBfzbYhfm4k0dTNt8UyCJEQ=; b=KpOkpJkehsSh2DeYYddabG4OJu4NeE6AXF6Jhbcmxk73Zg6oSbSSV6Ox2qDZFCwFGy ZX25z3c5ve3eGqdwJRddPGH15yORkohgq+cARa9Z4038b0/rNOD5o7JSdeRjBU8xd+b9 865DtzLlxCVoymWqn9IZ+umbkss6PxINc8hmLNhcwl/nEa6VtH7j4brKgqmUVYGGByme OOtYD9ZtuR6vk9Zf4qiUo/c29D6JoMXvf6aF8GxPvjgQkam+RgbWnas55/EPVIK4g6UZ gGFAQfLeipWLDS7nEuSROaeKBsQn30we/sfPeC0vwHHkDFVcEDlVNQ+sRK1taPkkMWaU OWyg==
X-Forwarded-Encrypted: i=1; AJvYcCVh2kspdGXUS3XF3m+YWm+6LGhelx3bYQTXGRgS2B3sIiga0EZRYr7d7tLNhBArWBx6Wq8A8Q==@ietf.org
X-Gm-Message-State: AOJu0YzP6mHQ5cMJMtLKdy7Ms68ARrZ1Z+WnkxunWBqlWZk2UDhhlb8x u0vzNpSdU15yU0fKNDHDIDImLk6i66eT3sdudKHu9yx+td4H/IWwsIpzcvmf
X-Google-Smtp-Source: AGHT+IEQwby9wVz546GfJEpr+3Pwm1Gx+jwkeF7RXi18UZlY9sBmFp2Vz5d5gGfw3goDMNe/6ef9Rg==
X-Received: by 2002:a05:6402:2753:b0:5c0:c223:48a1 with SMTP id 4fb4d7f45d1cf-5c243741935mr12776737a12.21.1725486320581; Wed, 04 Sep 2024 14:45:20 -0700 (PDT)
Received: from smtpclient.apple ([2a00:23ee:2280:3abf:5465:eb2a:59f8:b0e4]) by smtp.gmail.com with ESMTPSA id 4fb4d7f45d1cf-5c3cc56a483sm365093a12.46.2024.09.04.14.45.14 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 04 Sep 2024 14:45:16 -0700 (PDT)
From: Neil Madden <neil.e.madden@gmail.com>
X-Google-Original-From: Neil Madden <Neil.E.Madden@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail-7F92C464-0497-4D44-A36F-49286B77E60A"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (1.0)
Date: Wed, 04 Sep 2024 22:45:02 +0100
Message-Id: <A0B7EF07-EB69-41F9-B974-BBBB129726D6@gmail.com>
References: <CACZ9TyDXYhrQpe1H=53-U7p+fqK9u-z2JX5O=TCg=L5X76oLHQ@mail.gmail.com>
In-Reply-To: <CACZ9TyDXYhrQpe1H=53-U7p+fqK9u-z2JX5O=TCg=L5X76oLHQ@mail.gmail.com>
To: Tim Cappalli <tim.cappalli@okta.com>
X-Mailer: iPhone Mail (21F90)
Message-ID-Hash: HJGGSF53GRS5QTIY5S552WQSAJURPBXG
X-Message-ID-Hash: HJGGSF53GRS5QTIY5S552WQSAJURPBXG
X-MailFrom: neil.e.madden@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: oauth <oauth@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [OAUTH-WG] Re: Call for adoption - First Party Apps
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/IQIBvas8uLmQ3Ku3-OeXdrc2kFw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>



On 4 Sep 2024, at 21:31, Tim Cappalli <tim.cappalli@okta.com> wrote:

Thanks, that’s good to know. Does it preserve phishing resistance? Ie the app cannot spoof the rpId?

The WebAuthn client for native apps is the app platform. The app platform, aka the OS, handles origin binding using existing app to web domain association methods (https://developers.google.com/identity/credential-sharing/set-up" rel="nofollow">Android Asset Links, https://developer.apple.com/documentation/xcode/supporting-associated-domains" rel="nofollow">Apple Associated Domains) . This is used for both embedded WebViews and native app platform APIs. For System WebView, the WebAuthn client is the web platform, just like a browser (WebView details: https://passkeys.dev/docs/reference/android/#webviews" rel="nofollow">Android, https://passkeys.dev/docs/reference/ios/#webviews" rel="nofollow">iOS, https://passkeys.dev/docs/reference/macos/#webviews" rel="nofollow">macOS).

I can see how that works for iOS and Android, where apps are sandboxed. But can’t a macos/Windows/Linux app bypass the “official” WebAuthn API and just talk CTAP directly to a USB authenticator? (You used to even be able to do this from the browser: https://www.yubico.com/support/security-advisories/ysa-2018-02/" rel="nofollow">https://www.yubico.com/support/security-advisories/ysa-2018-02/). 

Or is the intent to limit the spec to sandboxed apps? (If so, some kind of attestation to ensure the app actually is sandboxed seems a good idea). 


— Neil

So, long story short, yes. 

On Wed, Sep 4, 2024 at 12:41 PM Neil Madden <neil.e.madden@gmail.com> wrote:


On 4 Sep 2024, at 17:09, Aaron Parecki <aaron@parecki.com> wrote:


A native UI does not rule out WebAuthn/FIDO, in fact we have an in-progress branch of the draft that shows how you could support passkeys with this spec: https://github.com/aaronpk/oauth-first-party-apps/pull/93" target="_blank" rel="nofollow">https://github.com/aaronpk/oauth-first-party-apps/pull/93

Thanks, that’s good to know. Does it preserve phishing resistance? Ie the app cannot spoof the rpId?


While there isn't an RFC for authenticating first-party apps, there is plenty of precedent for doing so already using the Apple and Android APIs. There is an adopted in-progress draft that could standardize this as well: https://urldefense.com/v3/__https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/__;!!PwKahg!9rA-xLjriUl902lceiCiH6n9dEH_lrJR24HFJDPOKfVVmrh85ruqzBatSp5qEOCG1imuRFPrUerw6WixDMIB5LFQ$" target="_blank" rel="nofollow">https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/

Also good to know. Is the intent to restrict the draft to just mobile apps (and ones with secure enclaves?), or also desktop?

I’d be a lot more comfortable with the draft if this SHOULD in section 1.1 became a MUST:

 This specification MUST NOT be used by third party applications, and the authorization server SHOULD take measures to prevent use by third party applications. (e.g. only enable this grant for certain client IDs, and take measures to authenticate first-party apps when possible.)”

— Neil


Aaron

On Wed, Sep 4, 2024 at 7:37 AM Neil Madden <neil.e.madden@gmail.com> wrote:
I am a bit skeptical about this one. I’m not convinced we should be recommending native UI until/unless we have a really good story around authenticating first-party apps. Without such a story, I don’t think this should be adopted. Unless I’m mistaken, a native UI also rules out WebAuthn/FIDO-based authenticators? We should not be adopting drafts that increase phishing risks for the sake of aesthetics.

— Neil

On 3 Sep 2024, at 11:46, Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com> wrote:

All,

As per the discussion in Vancouver, this is a call for adoption for the First Party Apps draft:
https://urldefense.com/v3/__https://datatracker.ietf.org/doc/draft-parecki-oauth-first-party-apps/__;!!PwKahg!9rA-xLjriUl902lceiCiH6n9dEH_lrJR24HFJDPOKfVVmrh85ruqzBatSp5qEOCG1imuRFPrUerw6WixDO9Lta0Z$" target="_blank" rel="nofollow">https://datatracker.ietf.org/doc/draft-parecki-oauth-first-party-apps/

Please, reply on the mailing list and let us know if you are in favor or against adopting this draft as WG document, by Sep 17th.

Regards, 
 Rifaat & Hannes
_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-leave@ietf.org

_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-leave@ietf.org
_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-leave@ietf.org