Re: [OAUTH-WG] Call for adoption: OAuth 2.0 for Native Apps

William Denniss <wdenniss@google.com> Thu, 21 January 2016 06:11 UTC

Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF7C31B3016 for <oauth@ietfa.amsl.com>; Wed, 20 Jan 2016 22:11:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.39
X-Spam-Level:
X-Spam-Status: No, score=-1.39 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, GB_I_LETTER=-2, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iQg_5zq3kLLd for <oauth@ietfa.amsl.com>; Wed, 20 Jan 2016 22:11:23 -0800 (PST)
Received: from mail-oi0-x232.google.com (mail-oi0-x232.google.com [IPv6:2607:f8b0:4003:c06::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C33D31B3014 for <oauth@ietf.org>; Wed, 20 Jan 2016 22:11:22 -0800 (PST)
Received: by mail-oi0-x232.google.com with SMTP id w75so20399511oie.0 for <oauth@ietf.org>; Wed, 20 Jan 2016 22:11:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=iYEwXqWvquqFUfcq4IluohP3xM//nVIz934IwsOgUk4=; b=iR3UMM0s6C93QIwHlZlF4H5OFUHK/UnRSNQXO+5jGiiJpDBYZzKEJFX5P4Kdx8aelX txDg6NUml+9VAt7hONfDdY0j5P8ldJFGB0HoUaJ/JuYa6IlLEofneNjFnhE7Ln9QUOnk TligTGM8LDTrdtYdxSXDladLaQE49Daw7OkqNHm+ZMsEbMdA2NKSM4d2cjtB5wbCmVF8 jZrA5vsx8ph2+vZ7OcPd/B2o37I46YJ4qZ1KttNlSg2sJd6+nOwpgyvQBaoYNt8WFqQa FfNh/R94Hmg/0jCAvbq4+37paDhMOKyEfhyZvdTAxK73Jp5yHVz3N0tvQWKqj4E2HF3h YWMA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=iYEwXqWvquqFUfcq4IluohP3xM//nVIz934IwsOgUk4=; b=kr+ToBdAHt8SMmzy642ZYYCXm2w2QwXNZXnP3vZw8DwcBhszFvHL2zSrzRmhuQGn+T KMhfvjgAJe9IqfF3aYv9xMyvhjd+0y5UEqZtKGpdICv49O69REr3kDu6EOzZTVSq9A4E G3Jk9SSSVz/N4/350Elpr/TqnHNZ9L3bacYzQ0cZ2ZQTKmh0wZ1g0Xu92co+7jp3ko9u 5D3s+a/JrUZml03Qz4fn7YvHo4RRGpOx2N/zFn6ilZNubUYWBw1BAOQYSSdN/J0qHhbC sYb0DMR98CT69rBmepEIYcL9sp1X2cULmBCiRS0Et7PxRzgFftrcvQylxDT4dx6nE9YI kTRw==
X-Gm-Message-State: ALoCoQk7ctrCZ2OR77KxIJdF01fUYF92ebvb67vCTyi6WGEcksYoW0rFbzQFx3Af+c5jFg9D4/xogR9ZeCcjdJbIU2JpBxk+3CAnaGy157aqWrZMwCeQNZU=
X-Received: by 10.202.226.141 with SMTP id z135mr29482628oig.21.1453356681761; Wed, 20 Jan 2016 22:11:21 -0800 (PST)
MIME-Version: 1.0
Received: by 10.182.227.39 with HTTP; Wed, 20 Jan 2016 22:11:02 -0800 (PST)
In-Reply-To: <BN3PR0301MB1234046860E5CD9E774DB473A6C30@BN3PR0301MB1234.namprd03.prod.outlook.com>
References: <569E2231.1010107@gmx.net> <CAGBSGjpwZ929ZZHYiNpvqLvMDBrVFWaffZLQPwZn_xj7phsrpw@mail.gmail.com> <6ADAA1B5-7EF9-49EA-A3D9-6EFC57275EB9@ve7jtb.com> <CA+k3eCS1ifU+QJyFtA=gOjSneg3Vh=3bf0CjnEijKTy=-9_xsw@mail.gmail.com> <E0918F9D-CA19-47F7-9A87-EBBA55A0B481@ve7jtb.com> <CABzCy2BKZ-2GXrgD7FuvTSQ9DB2xYU1URDMBTpmhdG-NwMDc7A@mail.gmail.com> <9062E913-39FB-4610-80FE-70796CBDEAC1@ve7jtb.com> <BN3PR0301MB1234046860E5CD9E774DB473A6C30@BN3PR0301MB1234.namprd03.prod.outlook.com>
From: William Denniss <wdenniss@google.com>
Date: Thu, 21 Jan 2016 14:11:02 +0800
Message-ID: <CAAP42hDF4XKcyqOpNxMCfs=HLh46QNOk-octWda2bMiJHMXR4Q@mail.gmail.com>
To: Anthony Nadalin <tonynad@microsoft.com>
Content-Type: multipart/alternative; boundary=001a11408cf8bffef40529d1f858
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/eGEhh7TgH4Gwf6e3dreFXaIgK38>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Call for adoption: OAuth 2.0 for Native Apps
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jan 2016 06:11:27 -0000

I believe this is important work.

The original OAuth 2 spec left the topic of native apps largely undefined
which is fair enough, the mobile-first revolution had yet to really take
hold and people didn't have much implementation experience for OAuth on
mobile. But we've come a long way since then, we have the experience now
and I think there is a need for leadership in this space, and that it makes
sense for the OAUTH-WG to continue our work and provide that leadership.

The risk of not defining a best practice for native apps is dilution of the
open standards – if everyone implements OAuth differently for native apps,
and RPs have to write IDP-specific code then what is the point of having
OAuth as a standard in the first place? Security is a major concern as
well, there are a lot of ways to mess this up and the security situation
for OAuth in many native apps is not nearly as good as it could be.

By providing leadership in the form of a working group document, we can
present community advice with the hope that IDPs and RPs alike will follow
our recommendations, resulting in more interoperability, better usability
and higher security.

The best part about this spec is that it's pure OAuth! Just wrapped with
some native app specific recommendations for both RPs and IDPs, to achieve
the desired levels of usability and security on mobile.

I will point out that we have rough consensus and running code. The rough
consensus can be seen from the WG votes, and the sentiment on this thread
(your dissenting opinion notwithstanding). Regarding running code, my team
is in the process of open sourcing libraries that will implement this best
practice to the letter (and the code's already running, I assure you). The
proprietary Google Sign-in and Facebook Sign-in SDKs are also using in-app
browser tabs for OAuth flows in production today, which I think is further
evidence that this is a viable pattern.

This document and proposal was never part of the OpenID working group that
you refer to below.

I'm not saying the document is perfect, and it is definitely in need of an
update! But I'm committed to listening to the community and taking it
forward. Now that the dependencies have launched, and our library
implementations are done, I plan to update the doc with the feedback from
this community, and the lessons we and others have learnt from our
implementations.

I hope the working group will consider adopting this document.

Kind Regards,
William


On Thu, Jan 21, 2016 at 12:33 PM, Anthony Nadalin <tonynad@microsoft.com>
wrote:

> This work had many issues in the OpenID WG where it failed why should this
> be a WG item here ? The does meet the requirements for experimental, there
> is a fine line between informational and experimental, I would be OK with
> either but prefer experimental, I don’t think that this should become a
> standard.
>
>
>
> *From:* OAuth [mailto:oauth-bounces@ietf.org] *On Behalf Of *John Bradley
> *Sent:* Wednesday, January 20, 2016 12:11 PM
> *To:* Nat Sakimura <sakimura@gmail.com>
> *Cc:* oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] Call for adoption: OAuth 2.0 for Native Apps
>
>
>
> PS as you probably suspected I am in favour of moving this forward.
>
>
>
>
>
> On Jan 20, 2016, at 5:08 PM, Nat Sakimura <sakimura@gmail.com> wrote:
>
>
>
> +1 for moving this forward.
>
> 2016年1月21日木曜日、John Bradley<ve7jtb@ve7jtb.com>さんは書きましたは書きました:
>
> Yes more is needed.   It was theoretical at that point.  Now we have
> implementation experience.
>
>
>
> On Jan 20, 2016, at 3:38 PM, Brian Campbell <bcampbell@pingidentity.com>
> wrote:
>
>
>
> There is
> https://tools.ietf.org/html/draft-wdenniss-oauth-native-apps-00#appendix-A
> <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2ftools.ietf.org%2fhtml%2fdraft-wdenniss-oauth-native-apps-00%23appendix-A&data=01%7c01%7ctonynad%40microsoft.com%7cfd93a3d44152476b186e08d321d5d579%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=JWJmgLNPYe96GHUu67JZ1xdUN3T3c7kDNLQc8wniaDQ%3d>
> which has some mention of SFSafariViewController and Chrome Custom Tabs.
>
> Maybe more is needed?
>
>
>
> On Wed, Jan 20, 2016 at 10:45 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>
> Yes, in July we recommended using the system browser rather than WebViews.
>
>
>
>
> About that time Apple announced Safari view controller and Google Chrome
> custom tabs.   The code in the OS is now stable and we have done a fair
> amount of testing.
>
>
>
> The OIDF will shortly be publishing reference libraries for iOS and
> Android to how how to best use View Controllers, and PKCE in native apps on
> those platforms.
>
>
>
> We do need to update this doc to reflect what we have learned in the last
> 6 months.
>
>
>
> One problem we do still have is not having someone with Win 10 mobile
> experience to help document the best practices for that platform.
>
> I don’t understand that platform well enough yet to include anything.
>
>
>
> John B.
>
>
>
> On Jan 20, 2016, at 12:40 PM, Aaron Parecki <aaron@parecki.com> wrote:
>
>
>
> The section on embedded web views doesn't mention the new iOS 9
> SFSafariViewController which allows apps to display a system browser within
> the application. The new API doesn't give the calling application access to
> anything inside the browser, so it is acceptable for using with OAuth
> flows. I think it's important to mention this new capability for apps to
> leverage since it leads to a better user experience.
>
>
>
> I'm sure that can be addressed in the coming months if this document is
> just the starting point.
>
>
>
> I definitely agree that a document about native apps is necessary since
> the core leaves a lot of guessing room for an implementation.
>
>
>
> For reference,
> https://developer.apple.com/library/prerelease/ios/releasenotes/General/WhatsNewIniOS/Articles/iOS9.html#//apple_ref/doc/uid/TP40016198-DontLinkElementID_26
> <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fdeveloper.apple.com%2flibrary%2fprerelease%2fios%2freleasenotes%2fGeneral%2fWhatsNewIniOS%2fArticles%2fiOS9.html%23%2f%2fapple_ref%2fdoc%2fuid%2fTP40016198-DontLinkElementID_26&data=01%7c01%7ctonynad%40microsoft.com%7cfd93a3d44152476b186e08d321d5d579%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=hQ6JGBJjX%2fwm36N6MpGeXbNQzwJaf6G6eyGxRVQH4ZA%3d>
>
>
>
> And see the attached screenshot for an example of what it looks like.
>
>
>
> <embedded-oauth-view.png>
>
>
> ----
>
> Aaron Parecki
>
> aaronparecki.com
> <https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2faaronparecki.com%2f&data=01%7c01%7ctonynad%40microsoft.com%7cfd93a3d44152476b186e08d321d5d579%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=S5aoD2X1pzBvy3qsEfPfyDCY0SQRqN7J6M%2fDLJz%2fUew%3d>
>
> @aaronpk
> <https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2ftwitter.com%2faaronpk&data=01%7c01%7ctonynad%40microsoft.com%7cfd93a3d44152476b186e08d321d5d579%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=nEN2jz2zsIWlcJ%2bSWotUH8oLPFJ8ii4o49G0cEHYmQo%3d>
>
>
>
>
>
> On Tue, Jan 19, 2016 at 3:46 AM, Hannes Tschofenig <
> hannes.tschofenig@gmx.net> wrote:
>
> Hi all,
>
> this is the call for adoption of OAuth 2.0 for Native Apps, see
> http://datatracker.ietf.org/doc/draft-wdenniss-oauth-native-apps/
> <https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fdatatracker.ietf.org%2fdoc%2fdraft-wdenniss-oauth-native-apps%2f&data=01%7c01%7ctonynad%40microsoft.com%7cfd93a3d44152476b186e08d321d5d579%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=2cQwLQLkCiFWxIIav5TMZFe5VFE%2bXrc3OQq46q0D0U8%3d>
>
> Please let us know by Feb 2nd whether you accept / object to the
> adoption of this document as a starting point for work in the OAuth
> working group.
>
> Note: If you already stated your opinion at the IETF meeting in Yokohama
> then you don't need to re-state your opinion, if you want.
>
> The feedback at the Yokohama IETF meeting was the following: 16 persons
> for doing the work / 0 persons against / 2 persons need more info
>
> Ciao
> Hannes & Derek
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
> <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fwww.ietf.org%2fmailman%2flistinfo%2foauth&data=01%7c01%7ctonynad%40microsoft.com%7cfd93a3d44152476b186e08d321d5d579%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=m5%2f3yd6Jtwu0mVOejfZi1BQsYtBZ0WjfHTaC4g9GmK0%3d>
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
> <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fwww.ietf.org%2fmailman%2flistinfo%2foauth&data=01%7c01%7ctonynad%40microsoft.com%7cfd93a3d44152476b186e08d321d5d579%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=m5%2f3yd6Jtwu0mVOejfZi1BQsYtBZ0WjfHTaC4g9GmK0%3d>
>
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
> <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fwww.ietf.org%2fmailman%2flistinfo%2foauth&data=01%7c01%7ctonynad%40microsoft.com%7cfd93a3d44152476b186e08d321d5d579%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=m5%2f3yd6Jtwu0mVOejfZi1BQsYtBZ0WjfHTaC4g9GmK0%3d>
>
>
>
>
>
>
>
> --
> Nat Sakimura (=nat)
>
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> <https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2fnat.sakimura.org%2f&data=01%7c01%7ctonynad%40microsoft.com%7cfd93a3d44152476b186e08d321d5d579%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=LKjUffXFJjc4HJqcwkgWINQK65ASdL29nfenSiJspjA%3d>
> @_nat_en
>
>
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>