Re: [OAUTH-WG] OAuth2/OIDC for client-server mobile app

Dario Teixeira <dario.teixeira@nleyten.com> Thu, 26 January 2017 15:11 UTC

Date: Thu, 26 Jan 2017 15:11:15 +0000
From: Dario Teixeira <dario.teixeira@nleyten.com>
To: Justin Richer <jricher@mit.edu>
In-Reply-To: <2fc78923-95a7-7def-3d59-65231f43ad0b@mit.edu>
References: <ffc794a133b4b5fb341a0590c6848034@nleyten.com> <2fc78923-95a7-7def-3d59-65231f43ad0b@mit.edu>
Message-ID: <5cdb51be0bcd39826c1f8dd4c472f843@nleyten.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/O-KfXDPJH4vVmcXvk_esWB5QIIk>
Cc: oauth@ietf.org

Hi,

And thanks for the prompt reply!

> I would recommend making the mobile app the RP, and having the server
> be an additional protected resource that accepts access tokens from
> the mobile app. This is how it's commonly handled, and there are
> libraries (such as Google's AppAuth) that handle most of these
> interactions.

So basically the mobile app performs all the steps until it gets
the ID token from the OIDC Provider, and then sends this token to
my server, which must check the signature of the token to make sure
it really came from the OIDC Provider.

I'm just wondering how durable this solution is.  Suppose the OIDC
Provider changed their signing key; my server would then falsely
reject valid tokens unless it periodically checked for public key
updates (or does this never/seldom happen?).

Best regards,
Dario Teixeira
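What the server-side check looks like when it tolerates key rotation, as an added example that is not code from this thread or from AppAuth: the verifier caches the provider's JWKS by `kid`, reloads it (rate-limited) when a token names an unknown `kid`, pins the algorithm to RS256 and checks `iss`, `aud` and `exp`. The `fetch_jwks` callback, the issuer and audience strings, and the stdlib-only RS256 implementation are assumptions for the demo; in practice `fetch_jwks` is an HTTPS GET of the `jwks_uri` from the provider's discovery document.

```python
import base64, hashlib, json, time
# DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def pkcs1_v15_em(digest: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of a SHA-256 digest for a k-byte RSA modulus."""
    t = SHA256_DIGESTINFO + digest
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_verify(jwk: dict, signing_input: bytes, sig: bytes) -> bool:
    """RS256 check against an RSA JWK: sig^e mod n must equal the padded SHA-256 digest."""
    n, e = (int.from_bytes(b64url_decode(jwk[f]), "big") for f in ("n", "e"))
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:  # reject oversized signatures (sig + n would otherwise also pass)
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return em == pkcs1_v15_em(hashlib.sha256(signing_input).digest(), k)

class IdTokenVerifier:
    """Caches the provider's JWKS by kid and re-fetches it when a token names an unknown kid."""
    def __init__(self, fetch_jwks, issuer, audience, min_refresh_s=60, now=time.time):
        self.fetch_jwks, self.issuer, self.audience = fetch_jwks, issuer, audience  # assumed values
        self.min_refresh_s, self.now = min_refresh_s, now
        self.keys, self.last_fetch = {}, None

    def _refresh(self):
        # Rate-limit reloads so a flood of tokens with bogus kids cannot hammer the provider.
        if self.last_fetch is not None and self.now() - self.last_fetch < self.min_refresh_s:
            return
        self.keys = {k["kid"]: k for k in self.fetch_jwks()["keys"] if k.get("kty") == "RSA"}
        self.last_fetch = self.now()

    def verify(self, token: str) -> dict:
        h64, p64, s64 = token.split(".")  # ValueError on a malformed token
        header = json.loads(b64url_decode(h64))
        if header.get("alg") != "RS256":  # pin the algorithm; never let the token choose it
            raise ValueError("unexpected alg")
        if header.get("kid") not in self.keys:
            self._refresh()  # key rotation: an unknown kid triggers (at most) one JWKS reload
        jwk = self.keys.get(header.get("kid"))
        if jwk is None or not rs256_verify(jwk, f"{h64}.{p64}".encode(), b64url_decode(s64)):
            raise ValueError("signature rejected")
        claims = json.loads(b64url_decode(p64))
        aud = claims["aud"] if isinstance(claims.get("aud"), list) else [claims.get("aud")]
        if claims.get("iss") != self.issuer or self.audience not in aud or claims.get("exp", 0) <= self.now():
            raise ValueError("iss/aud/exp rejected")
        return claims
```

Providers that publish a `Cache-Control` max-age on the JWKS endpoint also warrant a periodic background reload, so that keys retired between two unknown-kid events are dropped from the cache.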