Re: [OAUTH-WG] Flowchart for legs of OAuth
Kris Selden <kris.selden@gmail.com> Mon, 04 April 2011 19:08 UTC
Return-Path: <kris.selden@gmail.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 771043A67AA for <oauth@core3.amsl.com>; Mon, 4 Apr 2011 12:08:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.979
X-Spam-Level:
X-Spam-Status: No, score=-2.979 tagged_above=-999 required=5 tests=[AWL=0.620, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id omTfRAd2nRha for <oauth@core3.amsl.com>; Mon, 4 Apr 2011 12:08:11 -0700 (PDT)
Received: from mail-px0-f182.google.com (mail-px0-f182.google.com [209.85.212.182]) by core3.amsl.com (Postfix) with ESMTP id C59C83A6407 for <oauth@ietf.org>; Mon, 4 Apr 2011 12:08:11 -0700 (PDT)
Received: by pxi20 with SMTP id 20so2385157pxi.27 for <oauth@ietf.org>; Mon, 04 Apr 2011 12:09:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:subject:mime-version:content-type:from :in-reply-to:date:cc:content-transfer-encoding:message-id:references :to:x-mailer; bh=XfDMTbWel+UNLu2DaIt+E3XEuVJnHQ+n66zVkmeAWPY=; b=fWZccmO2xKe6W+hZcssHW9EjbatdbkdynFPNmabj4T95gtgAMdxOClJ7pr90hIRLt3 GENpozstAs1hwVsc0kOUNCLoNDjCFDFKosuQXjlvC4C48JK1ktgVnO06XMzdGDbT6Ams swmt02LzDDWvVJMg9i+rk7iGRYvGVk9utTjpY=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=subject:mime-version:content-type:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to:x-mailer; b=pUWsiHCyCp9dsS3h28Q04/pfRiQD1f+JDbOP3hpjxKESSVq2fYedBnBcgQY/BRk2f3 5+eXORW5wEdFS8FBP742DPm4HCiG2piA6/bub4ls1J8L6iRX3397R5SoeAufi36RXzU1 ap8a66isbnMbrDLn6BiO7qkZaLryE95di8/vA=
Received: by 10.142.202.16 with SMTP id z16mr6770718wff.6.1301944194497; Mon, 04 Apr 2011 12:09:54 -0700 (PDT)
Received: from [172.16.176.22] ([74.212.130.213]) by mx.google.com with ESMTPS id s39sm7923288wfc.16.2011.04.04.12.09.53 (version=TLSv1/SSLv3 cipher=OTHER); Mon, 04 Apr 2011 12:09:53 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1082)
Content-Type: text/plain; charset="windows-1252"
From: Kris Selden <kris.selden@gmail.com>
In-Reply-To: <2597C1CF-1067-404A-BFE3-DE8F55A77EA6@kiva.org>
Date: Mon, 04 Apr 2011 12:09:52 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <66F1ABA3-4A1E-4B18-94D4-A431FA9DE126@gmail.com>
References: <22FB565B-A701-4502-818F-15164D9E201A@oracle.com> <AANLkTimGjiCGk5dpA=YVzq5vDkLR2+caSz=pZ5WiZO9H@mail.gmail.com> <3C84AD7A-F00F-43EC-AAD3-AD2DCFB46B0E@oracle.com> <90C41DD21FB7C64BB94121FBBC2E7234464F432BB0@P3PW5EX1MB01.EX1.SECURESERVER.NET> <4D84F7E2.6090305@redhat.com> <16B9A882-6204-4CBD-B7E3-1D806AF5056C@oracle.com> <4D8A5054.4050006@lodderstedt.net> <BANLkTiniuuRXtkzLubgOjVursVtOGjFe6A@mail.gmail.com> <7616C235-2913-4EE0-A710-F47A4CC9E424@oracle.com> <BANLkTi=XyF25vB6qKX2q8iOpEaZ1yQx9Jw@mail.gmail.com> <65E3F250-5111-4692-BFA7-F5B838E9B41D@gmail.com> <9E68D140-ED3D-4C62-A6A1-5CE1CDB5C5D9@oracle.com> <2597C1CF-1067-404A-BFE3-DE8F55A77EA6@kiva.org>
To: Skylar Woodward <skylar@kiva.org>
X-Mailer: Apple Mail (2.1082)
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Flowchart for legs of OAuth
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Apr 2011 19:08:12 -0000
I completely agree with you regarding not being able to authenticate a native client. The problem with web flow is the user experience is bad for a native app. Why does this matter? Because of competition – if competitors use a user friendly but less secure method and the end user does not know it is bad for them, then because of market forces you have to do the same. As a startup developer, I cannot tell the business side that our UI has to be worse than their Facebook app, Twitter client or Instagram on their phone because that isn't secure. They're going to look at me like I'm crazy. If the end user is ignorant, educating them comes at too high of a price for a startup. The end user cares about their safety but assumes that big companies are the bar for security. On Apr 4, 2011, at 11:21 AM, Skylar Woodward wrote: > Having worked many years with native Internet consumer software applications, and having worked in those teams in attempt to secure client secrets (be they keys or obfuscated dynamic algorithms), I can say with reasonable confidence that it is impossible to secure client credentials for publicly available applications (where the same credential is shared against all instances of the application). Both iPhone and PlayStation represent some of the most formidable efforts to secure secrets or data in publicly distributed consumer products. Systems on these have been successfully broken and this will continue to be the case. Even if someone has a new technology to propose that they think can prove this wrong, there is no reliable record of success for hiding secrets in the field. We should assume any system distributed for public review can be reverse engineered, and secrets obtained. > > I propose that for the sake of this discussion, we continue with the assumption that no native apps with public distribution are able to have client secrets. > > > (Btw, Kris seemed to be suggesting that users could be prompted to enter a (unique?) app ID and client secret, but this would complicate usability, working against the goals of OAuth in the first place. I'd agree - if native app users had to enter a custom client secret, they might as well obtain their own private access token and enter it instead, by passing OAuth completely). > > On Apr 4, 2011, at 2:02 PM, Phil Hunt wrote: > >> On 2011-04-04, at 10:47 AM, Kris Selden wrote: >> >>> A typical iPhone app cannot be shipped with a client secret and rightly or wrongly users expect to only have to enter their credentials once. >> >> My understanding (and I'm not an iOS expert) is that each iOS application has a secure keystore where the client credential could be stored. I am told this is fairly straight forward. The client app would issue a call out to the external safari browser for the authorization with a redirect back to the app registered (local redirect) such as myapp://authorization_code >
- [OAUTH-WG] Flowchart for legs of OAuth Phil Hunt
- Re: [OAUTH-WG] Flowchart for legs of OAuth Anthony Nadalin
- Re: [OAUTH-WG] Flowchart for legs of OAuth Torsten Lodderstedt
- Re: [OAUTH-WG] Flowchart for legs of OAuth Phil Hunt
- Re: [OAUTH-WG] Flowchart for legs of OAuth David Primmer
- Re: [OAUTH-WG] Flowchart for legs of OAuth Phillip Hunt
- Re: [OAUTH-WG] Flowchart for legs of OAuth Eran Hammer-Lahav
- Re: [OAUTH-WG] Flowchart for legs of OAuth Anil Saldhana
- Re: [OAUTH-WG] Flowchart for legs of OAuth Phil Hunt
- Re: [OAUTH-WG] Flowchart for legs of OAuth Torsten Lodderstedt
- Re: [OAUTH-WG] Flowchart for legs of OAuth Marius Scurtescu
- Re: [OAUTH-WG] Flowchart for legs of OAuth Phil Hunt
- Re: [OAUTH-WG] Flowchart for legs of OAuth Phil Hunt
- Re: [OAUTH-WG] Flowchart for legs of OAuth Marius Scurtescu
- Re: [OAUTH-WG] Flowchart for legs of OAuth Torsten Lodderstedt
- Re: [OAUTH-WG] Flowchart for legs of OAuth Kris Selden
- Re: [OAUTH-WG] Flowchart for legs of OAuth Phil Hunt
- Re: [OAUTH-WG] Flowchart for legs of OAuth Skylar Woodward
- Re: [OAUTH-WG] Flowchart for legs of OAuth Marius Scurtescu
- Re: [OAUTH-WG] Flowchart for legs of OAuth Skylar Woodward
- Re: [OAUTH-WG] Flowchart for legs of OAuth Kris Selden
- Re: [OAUTH-WG] Flowchart for legs of OAuth Anthony Nadalin
- Re: [OAUTH-WG] Flowchart for legs of OAuth Marius Scurtescu
- Re: [OAUTH-WG] Flowchart for legs of OAuth Phil Hunt
- Re: [OAUTH-WG] Flowchart for legs of OAuth Zeltsan, Zachary (Zachary)
- Re: [OAUTH-WG] Flowchart for legs of OAuth Justin Richer
- Re: [OAUTH-WG] Flowchart for legs of OAuth Marius Scurtescu
- Re: [OAUTH-WG] Flowchart for legs of OAuth Phil Hunt
- Re: [OAUTH-WG] Flowchart for legs of OAuth Torsten Lodderstedt
- Re: [OAUTH-WG] Flowchart for legs of OAuth Zeltsan, Zachary (Zachary)
- Re: [OAUTH-WG] Flowchart for legs of OAuth Skylar Woodward
- Re: [OAUTH-WG] Flowchart for legs of OAuth Marius Scurtescu
- Re: [OAUTH-WG] Flowchart for legs of OAuth Phil Hunt
- Re: [OAUTH-WG] Flowchart for legs of OAuth torsten
- Re: [OAUTH-WG] Flowchart for legs of OAuth Justin Richer
- Re: [OAUTH-WG] Flowchart for legs of OAuth Phillip Hunt
- Re: [OAUTH-WG] Flowchart for legs of OAuth Chuck Mortimore
- Re: [OAUTH-WG] Flowchart for legs of OAuth Zeltsan, Zachary (Zachary)
- Re: [OAUTH-WG] Flowchart for legs of OAuth Skylar Woodward
- Re: [OAUTH-WG] Flowchart for legs of OAuth Torsten Lodderstedt
- Re: [OAUTH-WG] Flowchart for legs of OAuth Skylar Woodward
- Re: [OAUTH-WG] Flowchart for legs of OAuth Skylar Woodward
- Re: [OAUTH-WG] Flowchart for legs of OAuth Torsten Lodderstedt
- Re: [OAUTH-WG] Flowchart for legs of OAuth Phil Hunt
- Re: [OAUTH-WG] Flowchart for legs of OAuth torsten
- Re: [OAUTH-WG] Flowchart for legs of OAuth Phil Hunt
- Re: [OAUTH-WG] Flowchart for legs of OAuth Skylar Woodward
- Re: [OAUTH-WG] Flowchart for legs of OAuth Skylar Woodward
- Re: [OAUTH-WG] Flowchart for legs of OAuth Phil Hunt
- Re: [OAUTH-WG] Flowchart for legs of OAuth Justin Richer
- Re: [OAUTH-WG] Flowchart for legs of OAuth Phillip Hunt