Re: [OAUTH-WG] review draft-ietf-oauth-native-apps-07
William Denniss <wdenniss@google.com> Fri, 03 March 2017 02:13 UTC
Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 28C341293FF for <oauth@ietfa.amsl.com>; Thu, 2 Mar 2017 18:13:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7a_DIgRJk8Dv for <oauth@ietfa.amsl.com>; Thu, 2 Mar 2017 18:13:44 -0800 (PST)
Received: from mail-qk0-x232.google.com (mail-qk0-x232.google.com [IPv6:2607:f8b0:400d:c09::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5BF1E1293EB for <oauth@ietf.org>; Thu, 2 Mar 2017 18:13:44 -0800 (PST)
Received: by mail-qk0-x232.google.com with SMTP id n127so155452480qkf.0 for <oauth@ietf.org>; Thu, 02 Mar 2017 18:13:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=lS06K8oH7bo9E72gHlSxTIIkTtr6Bv0jdrES68dAf/Y=; b=h8pKty1dIawcy/GGXV2k1FjsPt1lj+RmiJjFVF4tCohaXB6URybt7DpTF/CAD39/Hx +8wBXuCxoapA9cf46+ukim67XWtCm0N6sj1BwBL2nNUzt8svfEWk2gqzgJF3EoHdC/4Q a99Ei3s+1Q/wxZLEqOk8UAhOk7WSDw0YP/E5fNGWkXEMJgGzolXGc+SUjAMkBZEQOZ3w +cIqPFKEvs0/xZWboH+LwDgqCDXPy9r920ImlqGyXfTSn+RHBkSfE+RPoh2sNH1Nngq9 l5LoLTQyLcvmTlTHLsWPGoNHPPptpljG5P6hxhce1sB+BPCMWspZJkNSPeONrVW8uk3K AR4w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=lS06K8oH7bo9E72gHlSxTIIkTtr6Bv0jdrES68dAf/Y=; b=dbJIWCouhZExW0Qx8jm7MAAMMaijd1S7sFDgaiy7dJUSAadOhGnzEOfGHj3ANDvvkS lRrPMXCUgGgrXm8jHedVD3uT/jixQ7sVwjggdoORfNUX4UqJnOvzHEJK62pZyDaSnRq3 hEVWcbgGp0zY56BNgeHCpr3JCeFiG0JwfEiwUWfsXoAvozRnrzEBKWgQNaEOrgVwpmg7 QUhp13MViiY8ASqOULlxWbKSseLtHa56csg8NtBfcYFtQ35XDeCE3kchN/p6JTz+ajjs xd6d0YS9SuSj//9oh6puoSojv794WXl6h/ZdNWmvsRyY8xIGSEqzfByCOWaYQJu2QsRJ dRwA==
X-Gm-Message-State: AMke39kFwSC3ctuQgCg3HWzUkDpNAhBuzJHd+nFDLDMAh1xi/OYLV1ducwildOiZ5bCoFA5NLenYCSVJQ4b9yRXa
X-Received: by 10.200.44.156 with SMTP id 28mr377389qtw.48.1488507223101; Thu, 02 Mar 2017 18:13:43 -0800 (PST)
MIME-Version: 1.0
Received: by 10.140.36.203 with HTTP; Thu, 2 Mar 2017 18:13:22 -0800 (PST)
In-Reply-To: <4acb6b3e0a724da88aa040f556c01b07@HE105717.emea1.cds.t-internal.com>
References: <0f05922f-ac63-1585-9da1-d54ceda25623@gmx.net> <4acb6b3e0a724da88aa040f556c01b07@HE105717.emea1.cds.t-internal.com>
From: William Denniss <wdenniss@google.com>
Date: Thu, 02 Mar 2017 18:13:22 -0800
Message-ID: <CAAP42hBRCMMhkahQv7VbH4SRLd=jGLvWnRy5Cf-cGr25bryEdQ@mail.gmail.com>
To: Sebastian.Ebling@telekom.de
Content-Type: multipart/alternative; boundary="001a11376fac47bd190549ca182b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Mw48tyWI3sCXiJwfOtWd6Tj8L68>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] review draft-ietf-oauth-native-apps-07
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Mar 2017 02:13:46 -0000
The Android Account Manager isn't standard OAuth, unlike this BCP. Thus, the Account Manager pattern falls under the security considerations section "Non-Browser External User-Agents" and is officially out of scope of the specification. To answer your question though, this BCP *is* the Google recommended way to do standards-based OAuth on Android. Some official references: OAuth 2.0 for Mobile & Desktop Apps <https://developers.google.com/identity/protocols/OAuth2InstalledApp> (which directly references this BCP! Scroll to the bottom) Set up SSO with Chrome Custom Tabs with Android for Work <https://developer.android.com/work/guide.html#sso> Your Apps at work - Google I/O 2016 <https://youtu.be/Za0OQo8DRM4?t=22m57s> Modernizing OAuth interactions in Native Apps for Better Usability and Security <https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html> NB. every time you see "AppAuth" in those docs, it's a reference to the library that implements the pattern defined by this BCP. The utility of Account Manager really depends on your use-case. I expect that most people who need to deal with non-Google ASes on Android will migrate over to the pattern outlined in this BCP. People who deal exclusively with the Google IdP (e.g. display a Google Sign-in button) will likely keep doing what they're doing, which is fine. The main drawback of the Account Manager pattern was that you need to have an app from the authorization server (AS) installed which can't always be guaranteed. That's why this is less of a problem with Google's IdP, since all phones that have the Play store come with the Google authentication agent. Even if you can guarantee that the authentication app will be installed, there is overhead on the AS such as maintenance and updates for the native authorization app component. I participated in many discussions over a two year period in the OAuth and OpenID communities, and the general consensus was that requiring the AS to provide a native app was a burden, and harmful to interop, which lead to the drafting of this BCP which doesn't require any native code to be maintained and distributed by the AS. On Mon, Feb 27, 2017 at 12:22 AM, <Sebastian.Ebling@telekom.de> wrote: > Hi all, > > I have a question that relates to section B.2. Android Implementation > Details. > > I understand this as a working group best practice. Unfortunately this > does not necessarily meet the Google instruction for Android. There is a > lot of documentation out there pointing to the Android Account Manager and > I do not get these both together. > > Any idea? > > Best Regards > > Sebastian > > -- > Sebastian Ebling / sebastian.ebling@telekom.de > Deutsche Telekom AG, Technology Enabling Platforms (PI-TEP) > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] Pushing "OAuth 2.0 for Native Apps" to… Hannes Tschofenig
- [OAUTH-WG] review draft-ietf-oauth-native-apps-07 Sebastian.Ebling
- Re: [OAUTH-WG] Pushing "OAuth 2.0 for Native Apps… Brian Campbell
- Re: [OAUTH-WG] Pushing "OAuth 2.0 for Native Apps… Nat Sakimura
- Re: [OAUTH-WG] review draft-ietf-oauth-native-app… William Denniss
- Re: [OAUTH-WG] Pushing "OAuth 2.0 for Native Apps… William Denniss
- Re: [OAUTH-WG] review draft-ietf-oauth-native-app… Sebastian.Ebling