Re: [OAUTH-WG] popular apps that use appauth?

David Waite <david@alkaline-solutions.com> Tue, 26 February 2019 00:57 UTC

From: David Waite <david@alkaline-solutions.com>
In-Reply-To: <CAO_FVe7h6nG2E5jNxv6exNS9Y527D13ScXKydd-ateYFmi51QQ@mail.gmail.com>
Date: Mon, 25 Feb 2019 17:57:17 -0700
Cc: Dominick Baier <dbaier@leastprivilege.com>, William Denniss <wdenniss@google.com>, oauth <oauth@ietf.org>
Message-Id: <11F45020-9D49-4BF7-882B-9A1F8C47B8E4@alkaline-solutions.com>
References: <67bf27b0-e7d6-4710-ba6e-f46809d60d77@getmailbird.com> <CAO7Ng+v7vCy_cnm00YryN11P5JZngm5R51pBJ5+rQYBF43yz1A@mail.gmail.com> <5dda37c0-e3c5-5e64-347b-25d561072232@ve7jtb.com> <c6f71d94-12f4-4f99-b373-c9f815325da1@getmailbird.com> <CAAP42hCO4m=tmj3omgg+EH2CguF_OVocUzbSwnWRnyb2MQZYVQ@mail.gmail.com> <CCD4D46C-E6EC-4FD2-871B-C969756F9552@alkaline-solutions.com> <CAO_FVe4Aj16zoqg7L+W=cagKY0S5egf8byaHcXTSFM9tnau5iw@mail.gmail.com> <CAO7Ng+tVxwWOFk+frNj-4HTeyQeHownbg4qWgro-xPp_Lo1nqA@mail.gmail.com> <CAO_FVe7h6nG2E5jNxv6exNS9Y527D13ScXKydd-ateYFmi51QQ@mail.gmail.com>
To: Vittorio Bertocci <Vittorio@auth0.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/eUU7KBoayTcBugWccE9OkuMjgTo>
Subject: Re: [OAUTH-WG] popular apps that use appauth?


> On Feb 25, 2019, at 4:56 AM, Vittorio Bertocci <Vittorio@auth0.com> wrote:
> 
> The callbacks do avoid the loopback, which is great, but the usability remains harder than mobile and the embedded case: the auth tab appears among others, the modal windows remain a possibility, etc - the level of sophistication of the target audience of the github app can definitely (hopefully?) navigate those challenges, but for consumer grade apps they can be blockers. When decision makers are presented with concrete support costs from customer calls vs possible security issues, it's often hard to make a case for the latter.

True, but these were all a reality when AppAuth first came about as well - the fall-back was custom URL schemes through the system browser, which meant an application switch, a new tab, a possible modal prompt to get the user back to the application, etc.

It is a harder problem on desktop operating systems because it is more challenging to decide if “external user-agent” always means “system browser” or “user default web browser”, and if the latter, that means a testing matrix to understand the UX and limitations. Hypothetically, in some enterprises external user-agent might even mean “this security product we bought”.

However, we will see more mandatory sandboxing and hard-to-obtain entitlements necessary to talk to the resources we want for authentication. If you are only doing 1P authentication you have a longer runway than a company who wants to leverage third party or enterprise-deployed authentication. And to optimize the UX, those applications may have a period where they decide to include both AppAuth and non-AppAuth flows.

-DW