Re: [OAUTH-WG] client secret used in Native App profile
Marius Scurtescu <mscurtescu@google.com> Fri, 25 June 2010 07:22 UTC
In-Reply-To: <AANLkTikbz5zmILsegGXoj6YjdC8h4TPfscqDMqFCB7l-@mail.gmail.com>
References: <AANLkTikbz5zmILsegGXoj6YjdC8h4TPfscqDMqFCB7l-@mail.gmail.com>
From: Marius Scurtescu <mscurtescu@google.com>
Date: Fri, 25 Jun 2010 00:22:35 -0700
Message-ID: <AANLkTimvvwzUhCBS3Nlq6Q5odfGTJkv-AYGoUGfS47SJ@mail.gmail.com>
To: Brian Dunnington <briandunnington@gmail.com>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] client secret used in Native App profile
I think the main difference is that User-Agent clients (aka JavaScript clients) cannot store a secret while Native Apps can safely store a secret, but the secret cannot be distributed (or, even if it can be distributed, it may not have much value). The difference is important.

Each native app instance could require a registration phase that would provide a unique secret and possibly ID. This registration phase could be completely automatic or could involve the end user. There have been proposals for both.

How much value there is in such a registration is not clear to me.

Marius

On Thu, Jun 24, 2010 at 6:50 PM, Brian Dunnington <briandunnington@gmail.com> wrote:
> In the 'User-Agent' profile, it says:
>
> "This user-agent profile does not utilize the client secret since the
> client executables reside on the end-user's computer or device which
> makes the client secret accessible and exploitable"
>
> However, the 'Native Apps' profile does not include such verbiage and
> in fact specifically requires the use of the client secret. Native
> apps' executables also reside on the end-user's computer or device,
> making the client secret just as accessible and exploitable, so why
> the difference?
>
> Specifically, as a native app developer, there is no good (secure) way
> to distribute the client secret without it being compromised. Any
> open-source application would have even more problems keeping their
> secret secure, but even compiled apps are easily exploitable. In this
> scenario, there is no single, secure repository to keep the client
> secret safe, so I would expect that the requirement of the client
> secret for native apps be removed and made conformant with the
> user-agent profile.
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
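The per-instance registration phase Marius describes, as an added worked example that is not code from this thread, from the OAuth WG or from any draft. The AuthorizationServer class and its register()/token()/revoke() methods are hypothetical. It contrasts one client secret compiled into every copy of a native app (extract it from one install, and revoking it cuts off every install) with a secret issued to each install during an automatic registration phase (revoking the leaked one leaves the rest working). It also shows the limit behind the "how much value" question: an automatic registration endpoint hands valid credentials to anyone who calls it, so the resulting secret identifies an install, not a genuine copy of the app.

```python
"""Toy authorization server modelling per-instance client registration.

Added example for this thread; not code from the OAuth WG or from any draft.
The server, its endpoints and the "nativeapp" software_id are assumptions.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Set, Tuple


class AuthorizationServer:
    """Hypothetical AS: stores hashed client secrets, issues opaque tokens."""

    def __init__(self) -> None:
        self._clients: Dict[str, bytes] = {}   # client_id -> sha256(secret)
        self._revoked: Set[str] = set()

    @staticmethod
    def _digest(secret: str) -> bytes:
        return hashlib.sha256(secret.encode("utf-8")).digest()

    def register(self, software_id: str) -> Tuple[str, str]:
        """Automatic registration phase: each caller gets unique credentials.
        The server cannot tell a genuine install from anyone else calling it."""
        client_id = f"{software_id}-{secrets.token_hex(8)}"
        client_secret = secrets.token_urlsafe(32)
        self._clients[client_id] = self._digest(client_secret)
        return client_id, client_secret

    def revoke(self, client_id: str) -> None:
        """Disable one client_id, e.g. after its secret turns up in the wild."""
        self._revoked.add(client_id)

    def token(self, client_id: str, client_secret: str) -> Optional[str]:
        """Client-credentials check; returns an access token or None."""
        stored = self._clients.get(client_id)
        if stored is None or client_id in self._revoked:
            return None
        if not hmac.compare_digest(stored, self._digest(client_secret)):
            return None
        return "at-" + secrets.token_urlsafe(16)


def _working_installs(srv: AuthorizationServer,
                      installs: List[Tuple[str, str]]) -> int:
    """How many installs can still obtain a token."""
    return sum(1 for cid, sec in installs if srv.token(cid, sec) is not None)


def shared_secret_survivors(n_installs: int) -> int:
    """One client_id/secret shipped inside every copy of the binary.
    Once it is extracted from a single install, revoking it cuts off all copies."""
    srv = AuthorizationServer()
    creds = srv.register("nativeapp")          # registered once by the developer
    installs = [creds] * n_installs            # every install carries the same pair
    srv.revoke(creds[0])                       # secret leaked from one install
    return _working_installs(srv, installs)    # 0: everyone is locked out


def per_instance_survivors(n_installs: int) -> int:
    """Each install registers itself and gets its own secret; revoking the
    leaked one leaves the other installs working."""
    srv = AuthorizationServer()
    installs = [srv.register("nativeapp") for _ in range(n_installs)]
    leaked_id, _ = installs[0]
    srv.revoke(leaked_id)
    return _working_installs(srv, installs)    # n_installs - 1


def attacker_can_register() -> bool:
    """Registration alone proves nothing about who the caller is: a script
    presenting the same software_id obtains valid credentials like the real app."""
    srv = AuthorizationServer()
    cid, sec = srv.register("nativeapp")
    return srv.token(cid, sec) is not None


def wrong_secret_rejected() -> bool:
    """Sanity check on the credential comparison."""
    srv = AuthorizationServer()
    cid, _ = srv.register("nativeapp")
    return srv.token(cid, "not-the-secret") is None


if __name__ == "__main__":
    print("shared secret, 5 installs, one leak ->", shared_secret_survivors(5), "still work")
    print("per-instance,  5 installs, one leak ->", per_instance_survivors(5), "still work")
    print("attacker can self-register          ->", attacker_can_register())
```

Running the script shows the two things a per-install secret buys and does not buy: revocation scoped to one install rather than to the whole user base, but no proof that the registering party is the genuine application, since the registration call is as reproducible as the compiled-in secret Brian objects to.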