[OAUTH-WG] Re: Call for adoption - First Party Apps

Watson Ladd <watsonbladd@gmail.com> Wed, 04 September 2024 21:48 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 72E57C1654EB for <oauth@ietfa.amsl.com>; Wed, 4 Sep 2024 14:48:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hX6CX7hdHBvG for <oauth@ietfa.amsl.com>; Wed, 4 Sep 2024 14:48:30 -0700 (PDT)
Received: from mail-wm1-x32d.google.com (mail-wm1-x32d.google.com [IPv6:2a00:1450:4864:20::32d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D7201C180B67 for <oauth@ietf.org>; Wed, 4 Sep 2024 14:48:30 -0700 (PDT)
Received: by mail-wm1-x32d.google.com with SMTP id 5b1f17b1804b1-42c7bc97423so164155e9.0 for <oauth@ietf.org>; Wed, 04 Sep 2024 14:48:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1725486508; x=1726091308; darn=ietf.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=joYEE2h1zJtGdyOXUPPMvKG3ymCR+0GnQkookm1/kUI=; b=BGdZ/xnOYQJHqrqicaJ8bqvjJZ6CEG1QuqWS8zjtG89DfuK7QsqkHHY6PdoPrAStun Ix6yTHP8ROVHoDGSIyWaiJrslcED+dI2u+QXEjkB0JC642OXG38QSi+CzHpWaBBdld01 c6OQ4yIitVq0zYej9JJThUGAiTu2rNP3iIKuHGY8C104C1Qfmk/lUv5+R+l2HC7hVKkE ZvbMs8HByAgmnwwT5hPMdQhIMqqddlnLa5DJ6SNhq8TiG21NFY5z5UofCESZwdfPLAyl wUpieUHsd0yL72on9P4sEexmkccm66udu547Sak8trFxQg15KUhfnVPp1yRBbLS91s8p 61Eg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1725486508; x=1726091308; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=joYEE2h1zJtGdyOXUPPMvKG3ymCR+0GnQkookm1/kUI=; b=eb/Wt5/IwkHL/H1jpQrV0CbZtEXTxOUnHMgu3VK322K+TcchP6tZD+PeN+syrImj6c tlFLsZcYyIJu8qhJ34+FJlwNFv9RSGtEwgiB+idPHEKnuOLSPWlF17Wgq26tHpNkTbOV 5pZGPhQqkKmaqOgXk8qdURpHdvI/8hx5UEjGz5zKbuVlW+WlG2Wnqv143Wq2q5ib7z4+ jfkUJy2EqKSMEtjlrtifwsbkHPzBJOp2vrKXW/+xOd9WRCAebL5Xlv9cuSxfYVwxI6Fi tTD02wHGNqfLQAYqd/EtzrAxVSRwSdGM8r0ulwc9LkHbdSOJAWY+iaTV5rdfXIBPocaG nPGw==
X-Forwarded-Encrypted: i=1; AJvYcCX7h3RVEypL1sXE5Ry3kBoSveuMCa9AfBhA/7nXvhT0S8+MAEngcueggd7d2YLynjQMtZmREw==@ietf.org
X-Gm-Message-State: AOJu0YxKsQMXjrBpzdIrI/1S2ngfIYzGrouYXirv993HXXa7VniGdcPB KWlpnzzrhbvx6M6B12J8PHFnDiipfSo1zuj1QBstWKQaH96SYmzZJO1vVKg2/OJiLhO+DdVX79q VijFXNqf/1i795UdVZ2jyVvuTzQI=
X-Google-Smtp-Source: AGHT+IFx6rtW6dEAaegVKdKPBb1LJmUn7Ja8G+IpEnSqGnNa2HU6E+zSlXwFTYuDkTXZMVvzr5ZHqWH3VwA7a/+E+3Q=
X-Received: by 2002:a05:600c:5119:b0:426:5520:b835 with SMTP id 5b1f17b1804b1-42c9a360285mr3271045e9.5.1725486508308; Wed, 04 Sep 2024 14:48:28 -0700 (PDT)
MIME-Version: 1.0
References: <CACZ9TyDXYhrQpe1H=53-U7p+fqK9u-z2JX5O=TCg=L5X76oLHQ@mail.gmail.com> <A0B7EF07-EB69-41F9-B974-BBBB129726D6@gmail.com>
In-Reply-To: <A0B7EF07-EB69-41F9-B974-BBBB129726D6@gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Wed, 04 Sep 2024 14:48:17 -0700
Message-ID: <CACsn0cnBjvEZrxFrfa2TBwRo5uwqz=Pd3zph98PjBos6k+Y5xw@mail.gmail.com>
To: Neil Madden <neil.e.madden@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: YWRHR6XHOITQ6M5U5QGJ76UALWF3YVEA
X-Message-ID-Hash: YWRHR6XHOITQ6M5U5QGJ76UALWF3YVEA
X-MailFrom: watsonbladd@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: oauth <oauth@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [OAUTH-WG] Re: Call for adoption - First Party Apps
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/V9qYSO8MRwCou6kRgQYwCty7-h0>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

On Wed, Sep 4, 2024 at 2:46 PM Neil Madden <neil.e.madden@gmail.com> wrote:
>
>
>
> On 4 Sep 2024, at 21:31, Tim Cappalli <tim.cappalli@okta.com> wrote:
>
> 
>>
>> Thanks, that’s good to know. Does it preserve phishing resistance? Ie the app cannot spoof the rpId?
>
>
> The WebAuthn client for native apps is the app platform. The app platform, aka the OS, handles origin binding using existing app to web domain association methods (Android Asset Links, Apple Associated Domains) . This is used for both embedded WebViews and native app platform APIs. For System WebView, the WebAuthn client is the web platform, just like a browser (WebView details: Android, iOS, macOS).
>
>
> I can see how that works for iOS and Android, where apps are sandboxed. But can’t a macos/Windows/Linux app bypass the “official” WebAuthn API and just talk CTAP directly to a USB authenticator? (You used to even be able to do this from the browser: https://www.yubico.com/support/security-advisories/ysa-2018-02/)
>
> Or is the intent to limit the spec to sandboxed apps? (If so, some kind of attestation to ensure the app actually is sandboxed seems a good idea).

I can always grab the cookie jar off the user browser if I have that
level of access.

>
>
> — Neil
>
> So, long story short, yes.
>
> On Wed, Sep 4, 2024 at 12:41 PM Neil Madden <neil.e.madden@gmail.com> wrote:
>>
>>
>>
>> On 4 Sep 2024, at 17:09, Aaron Parecki <aaron@parecki.com> wrote:
>>
>> 
>> A native UI does not rule out WebAuthn/FIDO, in fact we have an in-progress branch of the draft that shows how you could support passkeys with this spec: https://github.com/aaronpk/oauth-first-party-apps/pull/93
>>
>>
>> Thanks, that’s good to know. Does it preserve phishing resistance? Ie the app cannot spoof the rpId?
>>
>>
>> While there isn't an RFC for authenticating first-party apps, there is plenty of precedent for doing so already using the Apple and Android APIs. There is an adopted in-progress draft that could standardize this as well: https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/
>>
>>
>> Also good to know. Is the intent to restrict the draft to just mobile apps (and ones with secure enclaves?), or also desktop?
>>
>> I’d be a lot more comfortable with the draft if this SHOULD in section 1.1 became a MUST:
>>
>> “ This specification MUST NOT be used by third party applications, and the authorization server SHOULD take measures to prevent use by third party applications. (e.g. only enable this grant for certain client IDs, and take measures to authenticate first-party apps when possible.)”
>>
>> — Neil
>>
>>
>> Aaron
>>
>> On Wed, Sep 4, 2024 at 7:37 AM Neil Madden <neil.e.madden@gmail.com> wrote:
>>>
>>> I am a bit skeptical about this one. I’m not convinced we should be recommending native UI until/unless we have a really good story around authenticating first-party apps. Without such a story, I don’t think this should be adopted. Unless I’m mistaken, a native UI also rules out WebAuthn/FIDO-based authenticators? We should not be adopting drafts that increase phishing risks for the sake of aesthetics.
>>>
>>> — Neil
>>>
>>> On 3 Sep 2024, at 11:46, Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com> wrote:
>>>
>>> All,
>>>
>>> As per the discussion in Vancouver, this is a call for adoption for the First Party Apps draft:
>>> https://datatracker.ietf.org/doc/draft-parecki-oauth-first-party-apps/
>>>
>>> Please, reply on the mailing list and let us know if you are in favor or against adopting this draft as WG document, by Sep 17th.
>>>
>>> Regards,
>>>  Rifaat & Hannes
>>> _______________________________________________
>>> OAuth mailing list -- oauth@ietf.org
>>> To unsubscribe send an email to oauth-leave@ietf.org
>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list -- oauth@ietf.org
>>> To unsubscribe send an email to oauth-leave@ietf.org
>>
>> _______________________________________________
>> OAuth mailing list -- oauth@ietf.org
>> To unsubscribe send an email to oauth-leave@ietf.org
>
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-leave@ietf.org



-- 
Astra mortemque praestare gradatim