[OAUTH-WG] Updated text for Native Apps
Chuck Mortimore <cmortimore@salesforce.com> Tue, 31 May 2011 17:36 UTC
From: Chuck Mortimore <cmortimore@salesforce.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Date: Tue, 31 May 2011 10:36:33 -0700
Message-ID: <CA0A7531.1A8EC%cmortimore@salesforce.com>
Minor updates for section 9 based upon feedback from the list.

-cmort

----------------

9. Native Applications

A native application is a client which is installed and executes on the end-user's device (i.e. desktop application, native mobile application). Native applications require special consideration related to security, platform capabilities, and overall end-user experience.

The following are examples of how native applications may utilize OAuth:

o Initiate an Authorization Request using an external user-agent: The native application can capture the response from the authorization server using a variety of techniques such as the use of a redirection URI identifying a custom URI scheme (registered with the operating system to invoke the native application as handler), manual copy-and-paste, running a local webserver, browser plug-ins, or by providing a redirection URI identifying a server-hosted resource under the native application's control, which in turn makes the response available to the native application.

o Initiate an Authorization Request using an embedded user-agent: The native application obtains the response by directly communicating with the embedded user-agent. Techniques include monitoring state changes emitted during URL loading, monitoring http headers, accessing the user-agent's cookie jar, etc.

When choosing between launching an external user-agent and embedding a user-agent, native application developers should consider the following:

o External user-agents may improve completion rate as the end-user may already have an active session with the authorization server, removing the need to re-authenticate, and provide a familiar user-agent user experience. The end-user may also rely on extensions or add-ons to assist with authentication (e.g. password managers or 2-factor device reader).

o Embedded user-agents may offer an improved end-user flow, as they remove the need to switch context and open new windows.

o Embedded user-agents pose a security challenge because end-users are authenticating in an unidentified window without access to the visual protections offered by many user-agents. Embedded user-agents educate end-users to trust unidentified requests for authentication (making phishing attacks easier to execute).

When choosing between implicit and authorization code grant types, the following should be considered:

o Native applications that use the authorization code grant type flow SHOULD do so without client password credentials, due to their inability to keep those credentials confidential.

o Native applications that use the implicit grant type may offer optimized performance in some scenarios due to reduced network requests.

o The implicit grant type does not return a refresh token.
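As an added illustration of the "external user-agent plus local webserver" technique and of the code grant without client password credentials that the draft text describes (this is example code written for this note, not part of the draft or any working group implementation; the endpoint, client id and port are hypothetical), the following shows a native application building the authorization request, listening once on the loopback interface, and accepting the returned code only when the `state` it issued comes back unchanged:

```python
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical authorization endpoint and client id (not from the draft).
AUTH_ENDPOINT = "https://auth.example.com/authorize"
CLIENT_ID = "native-app-example"

def new_state():
    """Unguessable value binding the request to the response we later accept."""
    return secrets.token_urlsafe(16)

def build_authorization_url(redirect_uri, state, scope="read"):
    """Code-grant request; a native app sends no client password at all."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return AUTH_ENDPOINT + "?" + urlencode(params)

def parse_redirect(request_path, expected_state):
    """Parse the redirect that reached the loopback listener.
    Returns (code, None) on success or (None, reason) on failure; the
    state check runs first so an unsolicited response is never trusted."""
    query = parse_qs(urlparse(request_path).query)
    if query.get("state", [None])[0] != expected_state:
        return None, "state_mismatch"
    if "error" in query:
        return None, query["error"][0]
    code = query.get("code", [None])[0]
    return (code, None) if code else (None, "missing_code")

def wait_for_redirect(expected_state, port=8080):
    """Serve exactly one request on 127.0.0.1 and return parse_redirect's result."""
    outcome = {}

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            outcome["result"] = parse_redirect(self.path, expected_state)
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(b"You may close this window.")

        def log_message(self, *args):  # keep the code out of the console log
            pass

    with HTTPServer(("127.0.0.1", port), Handler) as httpd:
        httpd.handle_request()
    return outcome["result"]
```

In use, the application calls `new_state()`, opens `build_authorization_url("http://127.0.0.1:8080/callback", state)` in the system browser, and then blocks in `wait_for_redirect(state)`; the returned code is exchanged at the token endpoint with only the client id, never a client secret.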