IETF Logo Mail Archive

[OAUTH-WG] Text for Native Applications

Chuck Mortimore <cmortimore@salesforce.com> Wed, 25 May 2011 00:30 UTC

Return-Path: <cmortimore@salesforce.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 47FD9E078F for <oauth@ietfa.amsl.com>; Tue, 24 May 2011 17:30:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.598
X-Spam-Level:
X-Spam-Status: No, score=-6.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GjFWIBLorJvA for <oauth@ietfa.amsl.com>; Tue, 24 May 2011 17:30:08 -0700 (PDT)
Received: from exprod8og104.obsmtp.com (exprod8og104.obsmtp.com [64.18.3.88]) by ietfa.amsl.com (Postfix) with SMTP id 2F8CBE078B for <oauth@ietf.org>; Tue, 24 May 2011 17:30:07 -0700 (PDT)
Received: from exsfm-hub4.internal.salesforce.com ([204.14.239.239]) by exprod8ob104.postini.com ([64.18.7.12]) with SMTP ID DSNKTdxNjundWCwu0dnMpxC4R6EM4iNYezQ5@postini.com; Tue, 24 May 2011 17:30:08 PDT
Received: from EXSFM-MB01.internal.salesforce.com ([10.1.127.46]) by exsfm-hub4.internal.salesforce.com ([10.1.127.8]) with mapi; Tue, 24 May 2011 17:30:06 -0700
From: Chuck Mortimore <cmortimore@salesforce.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Date: Tue, 24 May 2011 17:30:05 -0700
Thread-Topic: Text for Native Applications
Thread-Index: AcwacuSN23DIGpTmB0CupclgrTTPNA==
Message-ID: <CA019B9D.1A43D%cmortimore@salesforce.com>
Accept-Language: en-US
Content-Language: en
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_CA019B9D1A43Dcmortimoresalesforcecom_"
MIME-Version: 1.0
Subject: [OAUTH-WG] Text for Native Applications
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 May 2011 00:30:09 -0000

One of my items from yesterday was to update the text related to native applications.   Primary goals were to:


 1.  remove the explicit preference for authorization_code grant type
 2.  provide a brief overview on means of initiating authorization requests and receiving callbacks
 3.  discuss the pros/cons of the different authorization requests and grant types

Here is suggested text.

-cmort

-----------------------------

9.  Native Applications

A native application is a client which is installed and executes on the end-user's device (i.e. desktop application, native mobile application).  Native applications require special consideration related to security, platform capabilities, and overall end-user experience.  The following are examples of how native applications may utilize OAuth:

   o  Initiate an Authorization Request using an external user-agent: The native application can capture the response from the authorization server by providing a redirection URI identifying a custom URI scheme (registered with the operating system to invoke the native application as handler), or by providing a redirection URI identifying a server-hosted resource under the native application's control, which in turn makes the response available to the native application (e.g. using the user-agent window title or other locations accessible from outside the user-agent).
   o  Initiate an Authorization Request using an embedded user-agent:  The native application obtains the response by directly communicating with the embedded  user-agent.  Techniques include monitoring state changes emitted during URL loading, accessing the user-agent's cookie jar, etc.

When choosing between launching an external user-agent and an embedding a user-agent, native application developers should consider the following:

   o  External user-agents may improve completion rate as the end-user may already have an active session with the authorization server removing the need to re-authenticate, and provide a familiar user-agent user experience.  The end-user may also rely on extensions or add-ons to assist with authentication (e.g. password managers or 2-factor device reader).
   o  Embedded user-agents may offer an improved end-user flow, as they remove the need to switch context and open new windows.
   o  Embedded user-agents pose a security challenge because end-users are authenticating in an unidentified window without access to the visual protections offered by many user-agents.  Embedded user-agents educate end-user to trust unidentified requests for authentication (making phishing attacks easier to execute).

When choosing between implicit and authorization code grant types, the following should be considered:

   o  Native applications that use the authorization code grant type flow SHOULD do so without client password credentials, due to their inability to keep those credentials confidential.
   o  Native applications that use the implicit grant type may offer optimized performance in some scenarios due to reduced network requests

v2.8.7 | Report a Bug | By Email