IETF Logo Mail Archive

Re: [OAUTH-WG] OAuth2/OIDC for client-server mobile app

"Phil Hunt (IDM)" <phil.hunt@oracle.com> Wed, 25 January 2017 20:33 UTC

Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C6BE129BC6 for <oauth@ietfa.amsl.com>; Wed, 25 Jan 2017 12:33:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.418
X-Spam-Level:
X-Spam-Status: No, score=-7.418 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-3.199, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5pZTacZ6JbSH for <oauth@ietfa.amsl.com>; Wed, 25 Jan 2017 12:33:00 -0800 (PST)
Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C2281129BC1 for <oauth@ietf.org>; Wed, 25 Jan 2017 12:33:00 -0800 (PST)
Received: from userv0021.oracle.com (userv0021.oracle.com [156.151.31.71]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id v0PKWx8H009382 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 25 Jan 2017 20:32:59 GMT
Received: from aserv0122.oracle.com (aserv0122.oracle.com [141.146.126.236]) by userv0021.oracle.com (8.14.4/8.14.4) with ESMTP id v0PKWvEJ002818 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 25 Jan 2017 20:32:57 GMT
Received: from abhmp0009.oracle.com (abhmp0009.oracle.com [141.146.116.15]) by aserv0122.oracle.com (8.14.4/8.14.4) with ESMTP id v0PKWuYZ031258; Wed, 25 Jan 2017 20:32:57 GMT
Received: from [10.0.8.164] (/66.183.175.166) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 25 Jan 2017 12:32:56 -0800
Content-Type: multipart/alternative; boundary="Apple-Mail-526F2A97-7ED3-414E-B555-48467EFC4AD7"
Mime-Version: 1.0 (1.0)
From: "Phil Hunt (IDM)" <phil.hunt@oracle.com>
X-Mailer: iPhone Mail (14C92)
In-Reply-To: <CA+k3eCQ69_+7JEZN30OpOwfW-cy1Dmu6-K84geLLvrjWxpt=7A@mail.gmail.com>
Date: Wed, 25 Jan 2017 12:32:55 -0800
Content-Transfer-Encoding: 7bit
Message-Id: <823CE48E-D778-4704-B13D-B6C302ED14D6@oracle.com>
References: <ffc794a133b4b5fb341a0590c6848034@nleyten.com> <5889010c.06d0620a.31d79.5dd8@mx.google.com> <CA+k3eCQ69_+7JEZN30OpOwfW-cy1Dmu6-K84geLLvrjWxpt=7A@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
X-Source-IP: userv0021.oracle.com [156.151.31.71]
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/XBnGB1c44qvlS-Hc03Gug5vAEHc>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth2/OIDC for client-server mobile app
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Jan 2017 20:33:05 -0000

+1 to AppAuth

One disturbing pattern I see for mobile apps relaying the idtoken is that the aud isn't checked by the AS in the Oauth exchange. This in part caused by the fact that the mobile app has two client-id identifiers. If the aud only has the clientid for the OIDC call this can be a problem if the AS doesn't know what that id is (since it didnt issue the id). If the issued id token does not have an aud value the AS can recognize it should be rejected.

Phil

> On Jan 25, 2017, at 12:24 PM, Brian Campbell <bcampbell@pingidentity.com> wrote:
> 
> +1 to the AppAuth pattern
> 
>> On Wed, Jan 25, 2017 at 12:48 PM, <ve7jtb@ve7jtb.com> wrote:
>> There are a number of patterns that people use.
>> 
>>  
>> 
>> I prefer the AppAuth pattern where the native app is a OAuth client to your server and you are protecting your API with OAuth.   Your AS becomes a Connect/SAML/Twitter auth/ Facebook etc relying party and uses federated or local authentication to issue tokens.  (this gives your backend API access to user info)
>> 
>>  
>> 
>> The other pattern is for the native app to be a Connect client to Google or other IdP and then passes a id_token (not access token) to your backend in some secure manor and your backend validates the signature on the id_token and that it was issued to your client (verification is essential) (the native app gets access to user info api)  You still have the problem of how you secure your API, as you need to exchange the validated id_token with something.   I thnk that doing this securely winds up being more complicated than the first option.
>> 
>>  
>> 
>> There are other options that may not be allowed by the IdP where your backend is the Connect client and has a client secret.  The mobile app makes the request and gets the code back.   It then sends code and pkce verifier to it’s backend and the server exchanges it with it’s secret to get a id_token and access token.   You still need to add security for your API.  (custom scheme redirects for confidential clients may not be allowed depending on the Connect IdP)
>> 
>>  
>> 
>> I think the first option is the best design that gives the best long term design as new IdP can be added without changing the deployed app.
>> 
>>  
>> 
>>  
>> 
>> John B.
>> 
>>  
>> 
>> Sent from Mail for Windows 10
>> 
>>  
>> 
>> From: Dario Teixeira
>> Sent: January 25, 2017 7:59 AM
>> To: oauth@ietf.org
>> Subject: [OAUTH-WG] OAuth2/OIDC for client-server mobile app
>> 
>>  
>> 
>> Hi,
>> 
>>  
>> 
>> I am building a mobile app and a server.  The mobile app fetches
>> 
>> user-specific data from the server, and therefore some sort of
>> 
>> authentication is required.  I would like to avoid the traditional
>> 
>> username+password scheme, and instead allow users to login via
>> 
>> Google or Facebook.  It seems the OAuth2-based OpenID Connect (OIDC)
>> 
>> is the recommended solution nowadays, so my question is about the
>> 
>> usage of OAuth2/OIDC in this scenario.
>> 
>>  
>> 
>> All OIDC docs and tutorials describe the interaction between three
>> 
>> parties: a Relying Party (RP), a User Agent (UA), and an OIDC
>> 
>> Provider (OIP).  There are however four parties in my scenario:
>> 
>> the mobile app, the server, the UA, and the OIP.  Which should
>> 
>> take the role of RP? I see two different ways to do this:
>> 
>>  
>> 
>> 1) The mobile app is the RP.  It even takes care of starting a
>> 
>>     small web server to receive the data from the OIP.  At the end
>> 
>>     of the interaction, the mobile app has a JWT signed by the OIP,
>> 
>>     which it sends to the server, which must validate it using a
>> 
>>     built-in list of OIP public signatures.
>> 
>>  
>> 
>> 2) The server is the RP.  When the user wishes to login, the mobile
>> 
>>     app asks the server about the OIP's authorization endpoint.
>> 
>>     The server provide the client with an URI whose redirect_uri
>> 
>>     parameter points to the server.  All subsequent steps are
>> 
>>     handled by the server.
>> 
>>  
>> 
>> Anyway, this seems like a fairly common scenario, and I would rather
>> 
>> follow some best-practices documentation instead of cooking up my
>> 
>> own schemes, like points 1 and 2 above.  Therefore, if there is
>> 
>> indeed such documentation, could someone please point me towards it?
>> 
>> And if not, which would be the recommended route, 1 or 2?
>> 
>>  
>> 
>> Thanks in advance for your attention!
>> 
>> Best regards,
>> 
>> Dario Teixeira
>> 
>>  
>> 
>> _______________________________________________
>> 
>> OAuth mailing list
>> 
>> OAuth@ietf.org
>> 
>> https://www.ietf.org/mailman/listinfo/oauth
>> 
>>  
>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email