Re: [OAUTH-WG] Authorization handover from mobile app to website

George Fletcher <gffletch@aol.com> Fri, 12 March 2021 20:37 UTC

To: "SOMMER, DOMINIK" <dominik.sommer@milesandmore.com>, "oauth@ietf.org" <oauth@ietf.org>
References: <AM0PR09MB2803A357A8B7E19CEC415A52F36F9@AM0PR09MB2803.eurprd09.prod.outlook.com>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <6612ea71-5de3-915c-f22d-3494f833cbea@aol.com>
Date: Fri, 12 Mar 2021 15:37:41 -0500
In-Reply-To: <AM0PR09MB2803A357A8B7E19CEC415A52F36F9@AM0PR09MB2803.eurprd09.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/MGZCVbp1COw-bJxBVU8s2JFnDxM>
Subject: Re: [OAUTH-WG] Authorization handover from mobile app to website

I can't find a record of sending this to the list, but I wrote this ID 
back in 2013 and we've implemented it. At the time I did vet it with a 
few people. Hopefully it might be helpful :)

Thanks,
George

On 3/12/21 1:18 PM, SOMMER, DOMINIK wrote:
>
> Hi all,
>
> we have recently launched a mobile app that uses our website’s login 
> and authorization code flow to authenticate and authorize user access 
> (following RFC8252).
>
> However, not all of our website features are natively ported to the 
> app itself. Some are only available on the website in logged-in state. 
> That’s why we implemented an authorization handover mechanism based on 
> one-time login codes: This allows the app (in logged-in state) to open 
> a web view and hand over authentication & authorization, effectively 
> logging the user in on the website. This achieves a seamless 
> experience for the user without compromising on security.
>
> We came up with this mechanism after researching for prior practice, 
> but we couldn’t find anything applicable for this scenario.
>
> Hence, three questions to the list:
>
> 1. Did we miss anything in our research? Is there a common best 
> practice available?
>
> 2. If the answer to 1. is “No”, would the working group appreciate an 
> RFC draft describing the solution we came up with? (We’d be eager for 
> comments to make it even more secure :) )
>
> 3. If the answer to 2. is “Yes”, can someone point me to documentation 
> on the procedure, if such exists?
>
> Thanks for your support and
>
> best regards,
>
> Dominik
>

-- 
Identity Standards Architect
Verizon Media                     Work: george.fletcher@oath.com
Mobile: +1-703-462-3494           Twitter: http://twitter.com/gffletch
Office: +1-703-265-2544           Photos: http://georgefletcher.photography
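As an added example that is not part of this thread, of George's 2013 draft, or of the Miles & More implementation, the following Python sketch shows one way to build the one-time login-code handover Dominik describes, with the properties a reviewer of such a draft would look for: a high-entropy code, stored only as a hash, short-lived, consumed on first use, bound to the web destination it was minted for, and a replay record the website can alert on. All names, the 60-second lifetime, the in-memory store and the query-parameter transport are assumptions.

```python
# Added example, not code from the thread: a minimal one-time login-code
# handover service. Names, the 60 s lifetime, the in-memory store and the
# query-parameter transport are all assumptions.
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
from urllib.parse import parse_qs, urlencode, urlparse

CODE_TTL_SECONDS = 60  # assumption: codes live only long enough to open the web view
CODE_BYTES = 32        # 256 bits of entropy, so codes cannot be guessed


@dataclass
class HandoverRecord:
    user_id: str
    target: str          # web path the code was minted for
    expires_at: float
    used: bool = False


class HandoverService:
    """Issues one-time codes to an authenticated app; the website redeems them."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._by_digest: Dict[str, HandoverRecord] = {}
        self.replay_events: List[str] = []   # user ids seen redeeming a used code

    @staticmethod
    def _digest(code: str) -> str:
        # Only a hash is kept, so a copied store cannot be redeemed.
        return hashlib.sha256(code.encode("ascii")).hexdigest()

    def issue(self, user_id: str, target: str) -> str:
        """Called by the app-facing API after the app's access token has been
        validated and user_id established. The raw code is returned exactly once."""
        code = secrets.token_urlsafe(CODE_BYTES)
        self._by_digest[self._digest(code)] = HandoverRecord(
            user_id=user_id, target=target,
            expires_at=self._clock() + CODE_TTL_SECONDS,
        )
        return code

    def redeem(self, code: str, target: str) -> Optional[str]:
        """Called by the website when the web view opens. Returns the user id to
        create a web session for, or None. Any failed check burns the code."""
        key = self._digest(code)
        rec = self._by_digest.get(key)
        if rec is None:
            return None                               # unknown or purged
        if rec.used:
            self.replay_events.append(rec.user_id)    # second use: worth alerting on
            return None
        if self._clock() > rec.expires_at:
            del self._by_digest[key]                  # expired: forget it
            return None
        rec.used = True                               # single use, whatever happens next
        if rec.target != target:
            return None                               # minted for a different page
        return rec.user_id


# The two sides of the handover. The app mints a code and opens the website;
# the website extracts it from the URL and exchanges it for a session.
def app_side(svc: HandoverService, user_id: str, path: str) -> str:
    code = svc.issue(user_id, path)
    return f"https://www.example.com{path}?" + urlencode({"login_code": code})


def web_side(svc: HandoverService, url: str) -> Optional[str]:
    parsed = urlparse(url)
    code = parse_qs(parsed.query).get("login_code", [None])[0]
    if code is None:
        return None
    return svc.redeem(code, parsed.path)


if __name__ == "__main__":
    svc = HandoverService()
    url = app_side(svc, "user-42", "/account")   # constructed sample user and path
    print("first redeem :", web_side(svc, url))   # user-42
    print("second redeem:", web_side(svc, url))   # None, and a replay event is recorded
    print("replays      :", svc.replay_events)
```

Burning the code on every failed check (not only on success) means a code that reaches the wrong page, or is tried after expiry, cannot be retried elsewhere, and the replay list gives the website a concrete signal to log or alert on. Because the code travels in a URL here, the short lifetime is what limits exposure through browser history or referrer leakage; a POST body or fragment would be an alternative transport.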