Re: [OAUTH-WG] Updated text for Native Apps
Anthony Nadalin <tonynad@microsoft.com> Wed, 15 June 2011 17:10 UTC
Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AED0E21F8526 for <oauth@ietfa.amsl.com>; Wed, 15 Jun 2011 10:10:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.466
X-Spam-Level:
X-Spam-Status: No, score=-7.466 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8, UNRESOLVED_TEMPLATE=3.132]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A40FnMYEikaZ for <oauth@ietfa.amsl.com>; Wed, 15 Jun 2011 10:10:23 -0700 (PDT)
Received: from smtp.microsoft.com (mail3.microsoft.com [131.107.115.214]) by ietfa.amsl.com (Postfix) with ESMTP id 4DECD21F8524 for <oauth@ietf.org>; Wed, 15 Jun 2011 10:10:23 -0700 (PDT)
Received: from TK5EX14HUBC102.redmond.corp.microsoft.com (157.54.7.154) by TK5-EXGWY-E803.partners.extranet.microsoft.com (10.251.56.169) with Microsoft SMTP Server (TLS) id 8.2.176.0; Wed, 15 Jun 2011 10:10:11 -0700
Received: from AM1EHSOBE003.bigfish.com (157.54.51.113) by mail.microsoft.com (157.54.7.154) with Microsoft SMTP Server (TLS) id 14.1.289.8; Wed, 15 Jun 2011 10:10:10 -0700
Received: from mail117-am1-R.bigfish.com (10.3.201.244) by AM1EHSOBE003.bigfish.com (10.3.204.23) with Microsoft SMTP Server id 14.1.225.22; Wed, 15 Jun 2011 17:10:02 +0000
Received: from mail117-am1 (localhost.localdomain [127.0.0.1]) by mail117-am1-R.bigfish.com (Postfix) with ESMTP id 9EC1111182CE for <oauth@ietf.org.FOPE.CONNECTOR.OVERRIDE>; Wed, 15 Jun 2011 17:10:02 +0000 (UTC)
X-SpamScore: -22
X-BigFish: PS-22(zz9371Mzz1202h1082kzz1033IL8275bh8275dhz31h2a8h668h839h61h)
X-Spam-TCS-SCL: 0:0
X-Forefront-Antispam-Report: CIP:157.55.61.146; KIP:(null); UIP:(null); IPV:SKI; H:CH1PRD0302HT003.namprd03.prod.outlook.com; R:internal; EFV:INT
Received-SPF: softfail (mail117-am1: transitioning domain of microsoft.com does not designate 157.55.61.146 as permitted sender) client-ip=157.55.61.146; envelope-from=tonynad@microsoft.com; helo=CH1PRD0302HT003.namprd03.prod.outlook.com ; .outlook.com ;
Received: from mail117-am1 (localhost.localdomain [127.0.0.1]) by mail117-am1 (MessageSwitch) id 1308157802120022_1335; Wed, 15 Jun 2011 17:10:02 +0000 (UTC)
Received: from AM1EHSMHS018.bigfish.com (unknown [10.3.201.249]) by mail117-am1.bigfish.com (Postfix) with ESMTP id 1738666804B; Wed, 15 Jun 2011 17:10:02 +0000 (UTC)
Received: from CH1PRD0302HT003.namprd03.prod.outlook.com (157.55.61.146) by AM1EHSMHS018.bigfish.com (10.3.206.21) with Microsoft SMTP Server (TLS) id 14.1.225.22; Wed, 15 Jun 2011 17:10:01 +0000
Received: from CH1PRD0302MB115.namprd03.prod.outlook.com ([169.254.1.97]) by CH1PRD0302HT003.namprd03.prod.outlook.com ([10.28.28.161]) with mapi id 14.01.0225.052; Wed, 15 Jun 2011 17:10:00 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>, Chuck Mortimore <cmortimore@salesforce.com>, "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: Updated text for Native Apps
Thread-Index: AcwfuUhXW2Le+9y8kkuEJ9o0yOMTnALwJeCgAAE6gmA=
Date: Wed, 15 Jun 2011 17:09:59 +0000
Message-ID: <B26C1EF377CB694EAB6BDDC8E624B6E72311DEC3@CH1PRD0302MB115.namprd03.prod.outlook.com>
References: <CA0A7531.1A8EC%cmortimore@salesforce.com> <90C41DD21FB7C64BB94121FBBC2E7234475E986ACE@P3PW5EX1MB01.EX1.SECURESERVER.NET>
In-Reply-To: <90C41DD21FB7C64BB94121FBBC2E7234475E986ACE@P3PW5EX1MB01.EX1.SECURESERVER.NET>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.28.29.112]
Content-Type: multipart/alternative; boundary="_000_B26C1EF377CB694EAB6BDDC8E624B6E72311DEC3CH1PRD0302MB115_"
MIME-Version: 1.0
X-OrganizationHeadersPreserved: CH1PRD0302HT003.namprd03.prod.outlook.com
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%HUENIVERSE.COM$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%SALESFORCE.COM$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%IETF.ORG$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-OriginatorOrg: microsoft.com
X-CrossPremisesHeadersPromoted: TK5EX14HUBC102.redmond.corp.microsoft.com
X-CrossPremisesHeadersFiltered: TK5EX14HUBC102.redmond.corp.microsoft.com
Subject: Re: [OAUTH-WG] Updated text for Native Apps
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jun 2011 17:10:24 -0000
Since Torsten and I had the action item to propose text we will update the text based upon the list and give you back an update From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Eran Hammer-Lahav Sent: Wednesday, June 15, 2011 9:33 AM To: Chuck Mortimore; oauth@ietf.org Subject: Re: [OAUTH-WG] Updated text for Native Apps Is there an updated text based on the long thread? EHL From: oauth-bounces@ietf.org<mailto:oauth-bounces@ietf.org> [mailto:oauth-bounces@ietf.org]<mailto:[mailto:oauth-bounces@ietf.org]> On Behalf Of Chuck Mortimore Sent: Tuesday, May 31, 2011 10:37 AM To: oauth@ietf.org<mailto:oauth@ietf.org> Subject: [OAUTH-WG] Updated text for Native Apps Minor updates for section 9 based upon feedback from the list -cmort ---------------- 9. Native Applications A native application is a client which is installed and executes on the end-user's device (i.e. desktop application, native mobile application). Native applications require special consideration related to security, platform capabilities, and overall end-user experience. The following are examples of how native applications may utilize OAuth: o Initiate an Authorization Request using an external user-agent: The native application can capture the response from the authorization server using a variety of techniques such as the use of a redirection URI identifying a custom URI scheme (registered with the operating system to invoke the native application as handler), manual copy-and-paste, running a local webserver, browser plug-ins, or by providing a redirection URI identifying a server-hosted resource under the native application's control, which in turn makes the response available to the native application. o Initiate an Authorization Request using an embedded user-agent: The native application obtains the response by directly communicating with the embedded user-agent. Techniques include monitoring state changes emitted during URL loading, monitoring http headers, accessing the user-agent's cookie jar, etc. When choosing between launching an external user-agent and an embedding a user-agent, native application developers should consider the following: o External user-agents may improve completion rate as the end-user may already have an active session with the authorization server removing the need to re-authenticate, and provide a familiar user-agent user experience. The end-user may also rely on extensions or add-ons to assist with authentication (e.g. password managers or 2-factor device reader). o Embedded user-agents may offer an improved end-user flow, as they remove the need to switch context and open new windows. o Embedded user-agents pose a security challenge because end-users are authenticating in an unidentified window without access to the visual protections offered by many user-agents. Embedded user-agents educate end-user to trust unidentified requests for authentication (making phishing attacks easier to execute). When choosing between implicit and authorization code grant types, the following should be considered: o Native applications that use the authorization code grant type flow SHOULD do so without client password credentials, due to their inability to keep those credentials confidential. o Native applications that use the implicit grant type may offer optimized performance in some scenarios due to reduced network requests o The implicit grant type does not return a refresh token
- [OAUTH-WG] Updated text for Native Apps Chuck Mortimore
- Re: [OAUTH-WG] Updated text for Native Apps Eran Hammer-Lahav
- Re: [OAUTH-WG] Updated text for Native Apps Anthony Nadalin
- Re: [OAUTH-WG] Updated text for Native Apps Eran Hammer-Lahav
- Re: [OAUTH-WG] Updated text for Native Apps Anthony Nadalin
- Re: [OAUTH-WG] Updated text for Native Apps Eran Hammer-Lahav
- Re: [OAUTH-WG] Updated text for Native Apps Lodderstedt, Torsten
- Re: [OAUTH-WG] Updated text for Native Apps Eran Hammer-Lahav
- Re: [OAUTH-WG] Updated text for Native Apps Chuck Mortimore