IETF Logo Mail Archive

Re: [OAUTH-WG] Authorization Request via back channel / direct communication?

John Bradley <ve7jtb@ve7jtb.com> Sat, 09 June 2012 02:04 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D706311E8099 for <oauth@ietfa.amsl.com>; Fri, 8 Jun 2012 19:04:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.901
X-Spam-Level:
X-Spam-Status: No, score=-2.901 tagged_above=-999 required=5 tests=[AWL=-0.699, BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yGgNNe9SeAIN for <oauth@ietfa.amsl.com>; Fri, 8 Jun 2012 19:04:22 -0700 (PDT)
Received: from mail-yw0-f44.google.com (mail-yw0-f44.google.com [209.85.213.44]) by ietfa.amsl.com (Postfix) with ESMTP id 7D66B11E8095 for <oauth@ietf.org>; Fri, 8 Jun 2012 19:03:55 -0700 (PDT)
Received: by yhq56 with SMTP id 56so2028117yhq.31 for <oauth@ietf.org>; Fri, 08 Jun 2012 19:03:55 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=subject:mime-version:content-type:from:in-reply-to:date:cc :message-id:references:to:x-mailer:x-gm-message-state; bh=hgNcYZTTRclvy66ahvMcTRMvad6rH63I6nrusH7rHew=; b=b6KyFga8B8fOtmGczLWdSsHrkp+vvYDPN42gK/cs/XbCEkIpjo3s/atXQeYNMxmLFi OlSBe69/MvGSezUlwFG2KpaOcckSG3N3X2Qe9yjE6x1rwIepdPTlAOCFjlJ8rDmxS4k9 eH7J0Da9DpZBy3FdvXvY+7zLJMRJXnvm9gNP9uag1h6U0S0dyJIvsyYa1mo5yvzn/+V+ pbid6JlzjeTGHjTHDOT0TjYbseUdigngzZFVxtBH3Yqhp7+g7lkN/6L4p5jt1o3lJT3x bsTVyY3M6lMPmg2AwcTG8lUm98k4assWGC9qF8NPZY3AjvayvgLhBVGqmf6KHrJl7wjd hwxg==
Received: by 10.236.73.6 with SMTP id u6mr10478205yhd.31.1339207435076; Fri, 08 Jun 2012 19:03:55 -0700 (PDT)
Received: from [192.168.1.213] (190-20-22-159.baf.movistar.cl. [190.20.22.159]) by mx.google.com with ESMTPS id l13sm12603928ann.2.2012.06.08.19.03.52 (version=TLSv1/SSLv3 cipher=OTHER); Fri, 08 Jun 2012 19:03:54 -0700 (PDT)
Mime-Version: 1.0 (Apple Message framework v1278)
Content-Type: multipart/signed; boundary="Apple-Mail=_1C8294F9-C126-4567-902B-AFEC0C8C3619"; protocol="application/pkcs7-signature"; micalg="sha1"
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <59E470B10C4630419ED717AC79FCF9A90AED9537@BL2PRD0410MB363.namprd04.prod.outlook.com>
Date: Fri, 08 Jun 2012 22:03:45 -0400
Message-Id: <0C36899C-5011-483D-89FA-E5ACF74C4119@ve7jtb.com>
References: <59E470B10C4630419ED717AC79FCF9A90AED9537@BL2PRD0410MB363.namprd04.prod.outlook.com>
To: Lewis Adam-CAL022 <Adam.Lewis@motorolasolutions.com>
X-Mailer: Apple Mail (2.1278)
X-Gm-Message-State: ALoCoQkwLl4L1xmGssBK4Qxtna2fIzUsiG6t3kl5QGB0e9/ExPhVLcPpt6sAlP/3FArUyjrAUMgm
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Authorization Request via back channel / direct communication?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 09 Jun 2012 02:04:22 -0000

To some extent it goes to the question of who do you trust.

Most of OAuth is predicated on not sharing the users credential with the client, because clients are not trusted.

Your situation may be different if you control the device.

If you are using multi factor authentication then using an embedded web view is probably your best option to allow for flexibility as authentication mechanisms change for users rather than coding them into the app directly.

Using a embedded web view with a OTP is probably not a bad thing though in general we want to train users not to put there credentials into untrusted applications and sites.

John B.

On 2012-06-08, at 6:43 PM, Lewis Adam-CAL022 wrote:

> Hi,
>  
> I have a historical question around front channel / back channel (direct) communications and Authorization Requests.  Both the code-flow and implicit-flow utilize a front channel communication through the UA.  This makes sense for the delegated credentials case (e.g. shutterfly accessing photos on facebook). 
>  
> I’m in the native app / client market, and the RO password credentials flow fits really well … expect it’s limited to passwords.  I’ve been well educated (by lots of folks on this list) about the “best practices” to enable native clients to use the code flow, e.g. registering a custom callback URI and register my native app ass the handler for that URI. 
>  
> But … (and not knowing the history behind all this), it seems that OAuth was designed for confidential clients, and was “retro-fitted” to make native apps work.  And it just feels a bit like a hack to me (albeit a workable one), the whole custom callback URI thing, to get it to work.  The RO password credentials seems like a much better fit for native apps, since it has no need for the UA and can use back channel / direction communication to talk to the AS and obtain and access token.  But that limits me to a password and eliminates any chance of strong authentication.
>  
> It would seem more straight forward to define a back channel flow such that a native client could send off an authorization request with response=token (or id_token in the Connect case), respond to a challenge from the AS for authentication, and obtain a response containing the access_token / id_token and use it for its RESTful API communications with the RS/RP.  This would enable strong authentication methods not possible using just RO passwords.
>  
> Has anybody else ever expressed interest in such back channel calls between for native clients?  Was it previously considered and dropped? 
>  
> Tx!
> adam
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email