Re: [OAUTH-WG] Call for adoption: OAuth 2.0 for Native Apps

George Fletcher <gffletch@aol.com> Thu, 21 January 2016 18:14 UTC

Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3FA271A893F for <oauth@ietfa.amsl.com>; Thu, 21 Jan 2016 10:14:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.9
X-Spam-Level:
X-Spam-Status: No, score=-3.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FROM=0.001, GB_I_LETTER=-2, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k8OLAuxaEc2O for <oauth@ietfa.amsl.com>; Thu, 21 Jan 2016 10:14:43 -0800 (PST)
Received: from omr-m008e.mx.aol.com (omr-m008e.mx.aol.com [204.29.186.7]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C78221A8953 for <oauth@ietf.org>; Thu, 21 Jan 2016 10:14:42 -0800 (PST)
Received: from mtaout-maa01.mx.aol.com (mtaout-maa01.mx.aol.com [172.26.222.141]) by omr-m008e.mx.aol.com (Outbound Mail Relay) with ESMTP id 654B5380031D; Thu, 21 Jan 2016 13:14:41 -0500 (EST)
Received: from [10.172.102.124] (unknown [10.172.102.124]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by mtaout-maa01.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id DBED2380000B4; Thu, 21 Jan 2016 13:14:40 -0500 (EST)
To: Roland Hedberg <roland.hedberg@umu.se>, William Denniss <wdenniss@google.com>
References: <569E2231.1010107@gmx.net> <CAGBSGjpwZ929ZZHYiNpvqLvMDBrVFWaffZLQPwZn_xj7phsrpw@mail.gmail.com> <6ADAA1B5-7EF9-49EA-A3D9-6EFC57275EB9@ve7jtb.com> <CA+k3eCS1ifU+QJyFtA=gOjSneg3Vh=3bf0CjnEijKTy=-9_xsw@mail.gmail.com> <E0918F9D-CA19-47F7-9A87-EBBA55A0B481@ve7jtb.com> <CABzCy2BKZ-2GXrgD7FuvTSQ9DB2xYU1URDMBTpmhdG-NwMDc7A@mail.gmail.com> <9062E913-39FB-4610-80FE-70796CBDEAC1@ve7jtb.com> <BN3PR0301MB1234046860E5CD9E774DB473A6C30@BN3PR0301MB1234.namprd03.prod.outlook.com> <CAAP42hDF4XKcyqOpNxMCfs=HLh46QNOk-octWda2bMiJHMXR4Q@mail.gmail.com> <F1D3D0C8-7908-4B24-ADDF-1CF4836180B9@adm.umu.se>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <56A12010.6090700@aol.com>
Date: Thu, 21 Jan 2016 13:14:40 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:38.0) Gecko/20100101 Thunderbird/38.5.1
MIME-Version: 1.0
In-Reply-To: <F1D3D0C8-7908-4B24-ADDF-1CF4836180B9@adm.umu.se>
Content-Type: multipart/alternative; boundary="------------000702080106090103010307"
x-aol-global-disposition: G
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com; s=20150623; t=1453400081; bh=mwYiQJjga1b0c3Bb8tR/GME2jlchNdA6tqRP+bKZJek=; h=From:To:Subject:Message-ID:Date:MIME-Version:Content-Type; b=kWutyK74JElzEbi7FsOh8v6enGk4QsfMlhvSXAtmhVFp8fIqvwjktP9+LHoQzdFfA apTFpfmV2Dw3IHzIpj8udQMm+xlndjjgFPeleVGSiX5naZu52GnhqyZ38jCh321zf3 1/V6zHlF69rHi3QXSfbTvYHFLIbOAXH5dL1yOJ0I=
x-aol-sid: 3039ac1ade8d56a12010369b
X-AOL-IP: 10.172.102.124
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/R0HxDOR5X4EmfLZsAqr8NDp8tnM>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Call for adoption: OAuth 2.0 for Native Apps
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jan 2016 18:14:47 -0000

I'm also +1 for adoption

On 1/21/16 2:56 AM, Roland Hedberg wrote:
> +1 for adoption
>
>> 21 jan 2016 kl. 07:11 skrev William Denniss <wdenniss@google.com>om>:
>>
>> I believe this is important work.
>>
>> The original OAuth 2 spec left the topic of native apps largely undefined which is fair enough, the mobile-first revolution had yet to really take hold and people didn't have much implementation experience for OAuth on mobile. But we've come a long way since then, we have the experience now and I think there is a need for leadership in this space, and that it makes sense for the OAUTH-WG to continue our work and provide that leadership.
>>
>> The risk of not defining a best practice for native apps is dilution of the open standards – if everyone implements OAuth differently for native apps, and RPs have to write IDP-specific code then what is the point of having OAuth as a standard in the first place? Security is a major concern as well, there are a lot of ways to mess this up and the security situation for OAuth in many native apps is not nearly as good as it could be.
>>
>> By providing leadership in the form of a working group document, we can present community advice with the hope that IDPs and RPs alike will follow our recommendations, resulting in more interoperability, better usability and higher security.
>>
>> The best part about this spec is that it's pure OAuth! Just wrapped with some native app specific recommendations for both RPs and IDPs, to achieve the desired levels of usability and security on mobile.
>>
>> I will point out that we have rough consensus and running code. The rough consensus can be seen from the WG votes, and the sentiment on this thread (your dissenting opinion notwithstanding). Regarding running code, my team is in the process of open sourcing libraries that will implement this best practice to the letter (and the code's already running, I assure you). The proprietary Google Sign-in and Facebook Sign-in SDKs are also using in-app browser tabs for OAuth flows in production today, which I think is further evidence that this is a viable pattern.
>>
>> This document and proposal was never part of the OpenID working group that you refer to below.
>>
>> I'm not saying the document is perfect, and it is definitely in need of an update! But I'm committed to listening to the community and taking it forward. Now that the dependencies have launched, and our library implementations are done, I plan to update the doc with the feedback from this community, and the lessons we and others have learnt from our implementations.
>>
>> I hope the working group will consider adopting this document.
>>
>> Kind Regards,
>> William
>>
>>
>> On Thu, Jan 21, 2016 at 12:33 PM, Anthony Nadalin <tonynad@microsoft.com> wrote:
>> This work had many issues in the OpenID WG where it failed why should this be a WG item here ? The does meet the requirements for experimental, there is a fine line between informational and experimental, I would be OK with either but prefer experimental, I don’t think that this should become a standard.
>>
>>
>>
>> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of John Bradley
>> Sent: Wednesday, January 20, 2016 12:11 PM
>> To: Nat Sakimura <sakimura@gmail.com>
>> Cc: oauth@ietf.org
>> Subject: Re: [OAUTH-WG] Call for adoption: OAuth 2.0 for Native Apps
>>
>>
>>
>> PS as you probably suspected I am in favour of moving this forward.
>>
>>
>>
>>
>>
>> On Jan 20, 2016, at 5:08 PM, Nat Sakimura <sakimura@gmail.com> wrote:
>>
>>
>>
>> +1 for moving this forward.
>>
>> 2016年1月21日木曜日、John Bradley<ve7jtb@ve7jtb.com>さんは書きましたは書きました:
>>
>> Yes more is needed.   It was theoretical at that point.  Now we have implementation experience.
>>
>>
>>
>> On Jan 20, 2016, at 3:38 PM, Brian Campbell <bcampbell@pingidentity.com> wrote:
>>
>>
>>
>> There is https://tools.ietf.org/html/draft-wdenniss-oauth-native-apps-00#appendix-A which has some mention of SFSafariViewController and Chrome Custom Tabs.
>>
>> Maybe more is needed?
>>
>>
>>
>> On Wed, Jan 20, 2016 at 10:45 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>>
>> Yes, in July we recommended using the system browser rather than WebViews.
>>
>>
>>
>> About that time Apple announced Safari view controller and Google Chrome custom tabs.   The code in the OS is now stable and we have done a fair amount of testing.
>>
>>
>>
>> The OIDF will shortly be publishing reference libraries for iOS and Android to how how to best use View Controllers, and PKCE in native apps on those platforms.
>>
>>
>>
>> We do need to update this doc to reflect what we have learned in the last 6 months.
>>
>>
>>
>> One problem we do still have is not having someone with Win 10 mobile experience to help document the best practices for that platform.
>>
>> I don’t understand that platform well enough yet to include anything.
>>
>>
>>
>> John B.
>>
>>
>>
>> On Jan 20, 2016, at 12:40 PM, Aaron Parecki <aaron@parecki.com> wrote:
>>
>>
>>
>> The section on embedded web views doesn't mention the new iOS 9 SFSafariViewController which allows apps to display a system browser within the application. The new API doesn't give the calling application access to anything inside the browser, so it is acceptable for using with OAuth flows. I think it's important to mention this new capability for apps to leverage since it leads to a better user experience.
>>
>>
>>
>> I'm sure that can be addressed in the coming months if this document is just the starting point.
>>
>>
>>
>> I definitely agree that a document about native apps is necessary since the core leaves a lot of guessing room for an implementation.
>>
>>
>>
>> For reference, https://developer.apple.com/library/prerelease/ios/releasenotes/General/WhatsNewIniOS/Articles/iOS9.html#//apple_ref/doc/uid/TP40016198-DontLinkElementID_26
>>
>>
>>
>> And see the attached screenshot for an example of what it looks like.
>>
>>
>>
>> <embedded-oauth-view.png>
>>
>>
>>
>> ----
>>
>> Aaron Parecki
>>
>> aaronparecki.com
>>
>> @aaronpk
>>
>>
>>
>>
>>
>> On Tue, Jan 19, 2016 at 3:46 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>
>> Hi all,
>>
>> this is the call for adoption of OAuth 2.0 for Native Apps, see
>> http://datatracker.ietf.org/doc/draft-wdenniss-oauth-native-apps/
>>
>> Please let us know by Feb 2nd whether you accept / object to the
>> adoption of this document as a starting point for work in the OAuth
>> working group.
>>
>> Note: If you already stated your opinion at the IETF meeting in Yokohama
>> then you don't need to re-state your opinion, if you want.
>>
>> The feedback at the Yokohama IETF meeting was the following: 16 persons
>> for doing the work / 0 persons against / 2 persons need more info
>>
>> Ciao
>> Hannes & Derek
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>
>>
>>
>>
>>
>> --
>> Nat Sakimura (=nat)
>>
>> Chairman, OpenID Foundation
>> http://nat.sakimura.org/
>> @_nat_en
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

-- 
Chief Architect
Identity Services Engineering     Work: george.fletcher@teamaol.com
AOL Inc.                          AIM:  gffletch
Mobile: +1-703-462-3494           Twitter: http://twitter.com/gffletch
Office: +1-703-265-2544           Photos: http://georgefletcher.photography