Re: [OAUTH-WG] OAuth 2.0 for Native Apps: Call for Adoption Finalized

Thomas Broyer <t.broyer@gmail.com> Tue, 16 February 2016 08:23 UTC

Return-Path: <t.broyer@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A9CF21A90CF for <oauth@ietfa.amsl.com>; Tue, 16 Feb 2016 00:23:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.989
X-Spam-Level:
X-Spam-Status: No, score=-1.989 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h_dCNwPkXQGd for <oauth@ietfa.amsl.com>; Tue, 16 Feb 2016 00:23:05 -0800 (PST)
Received: from mail-lf0-x22f.google.com (mail-lf0-x22f.google.com [IPv6:2a00:1450:4010:c07::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 928561A88BC for <oauth@ietf.org>; Tue, 16 Feb 2016 00:23:04 -0800 (PST)
Received: by mail-lf0-x22f.google.com with SMTP id j78so103312665lfb.1 for <oauth@ietf.org>; Tue, 16 Feb 2016 00:23:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-type; bh=A6kEIuWl8S5vKmGOFWrfYE1tOsJpKGoAKDOr8ryYQUA=; b=pEfK1MSOojHxD3UAOQTIISSPem0+LI4vqxMnSHjtJ6j13GGzVxkhAhsFI2JfIEKBcg RRDwRzF43pI0QXFpfQRK8iVxHUqnwAyM/trbaEe9Q3O7+wrOEW9j3omH7hRkvOOaE2f8 pJZd089iYES69doUe9DbPB91R0bazghcEQJpn+7JTI5yuP7lflv2gGacN8NYuMaIRDXL VT3RQ1LdtPFAyXs9IobckyvpI1Q4esk4zZiH+hhnGDiCoUJGaYFvgGjygekFAtGh5QaL u7FRbC0VAf0rNEPLmI6S0NfskBgQseHk5LfcZoM2I4how33b2R4Wipt+aMGOoJVTOhLE vX2g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-type; bh=A6kEIuWl8S5vKmGOFWrfYE1tOsJpKGoAKDOr8ryYQUA=; b=Eekp/vRjdJVpb71dzKUMC/quSmOZC2iA1nfTDF5Eg9+mbeLGVfuRTY188NrDglXPQm q57UApS84qrzaQ2IstTvyOOKLUe53VYZn32XrWa+0x1izgRNb1moEGFM1E80QaXtd330 tDEt0cJ1JmQviT0iaI5WAHrrilZruZPrYMEh2cA15UxXLc+WcSPfIWPe1HFoTRRehLCH q+0l6dHsZ7tTgvDpaHbuvYtaFDMZ+V0WAHQAG/2v5qZIAHTyRUXNkV0yymoVdOZcKzuE G63stfXB41cunMyJ3WJogezFBYWGVjQuAPK0WN2QCZ9mtxX45s9AMo5gYthtGQ2EBGEU w5rQ==
X-Gm-Message-State: AG10YOR1x8zEuRRGSFuypYh4izIGNCUZUW1cygM3Fql969PEG+DhyIzjMIljmwFY3hNqEsAhd59EOgbXX0LRng==
X-Received: by 10.25.148.208 with SMTP id w199mr9014513lfd.124.1455610982779; Tue, 16 Feb 2016 00:23:02 -0800 (PST)
MIME-Version: 1.0
References: <56B3A400.2080606@gmx.net> <62D1E1DB-17A4-4ABD-81F3-8659F40D7E88@mit.edu> <CAOahYUxSMopc0hoXG8ocMk+p1b__NqapuztuHiWchpYRQqvP2w@mail.gmail.com> <CAD_eRaFsFsbDYPXbrkpMk+uM9gwyh31N0kr2hEJb_2ai8DD+Ug@mail.gmail.com>
In-Reply-To: <CAD_eRaFsFsbDYPXbrkpMk+uM9gwyh31N0kr2hEJb_2ai8DD+Ug@mail.gmail.com>
From: Thomas Broyer <t.broyer@gmail.com>
Date: Tue, 16 Feb 2016 08:22:52 +0000
Message-ID: <CAEayHEPVpt-zOp5oAV3oXHehMxFBfNSAKav4Op89EzC-WDy=kg@mail.gmail.com>
To: Eduardo Gueiros <egueiros@jive.com>, Adam Lewis <adam.lewis@motorolasolutions.com>
Content-Type: multipart/alternative; boundary=001a1140234c8f514c052bded748
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/exiNSD7I3KsAoLpkg9Ji-A3E2PQ>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth 2.0 for Native Apps: Call for Adoption Finalized
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Feb 2016 08:23:07 -0000

Fwiw, French govt's FranceConnect, which uses OpenID Connect, has sample
apps using web views, and not using PKCE :-( (haven't looked in more
details; don't know whether their AS supports PKCE).
I just implemented PKCE in Ozwillo 10 days ago after reading this doc. I
still have some work to do to properly support native apps though, and then
I could build a sample app.

Le mar. 16 févr. 2016 00:18, Eduardo Gueiros <egueiros@jive.com> a écrit :

> +1 Being in the mobile space myself and constantly meeting with native app
> developers I've heard my share of horror stories on how OAuth was
> implemented, myself being guilty of being "creative" around OAuth.
>
> This draft is be of great value to those of us who are around these
> developers, we'll be helping bringing awareness about the correct practices
> suggested in the document.
>
> On Fri, Feb 5, 2016 at 8:10 AM, Adam Lewis <
> adam.lewis@motorolasolutions.com> wrote:
>
>> +1 that it should be Informational.
>>
>> Also, I never got to respond to the original request, but I am heavily in
>> favor of this draft. I talk with a lot of native app developers who are
>> clueless about how to implement OAuth.  The core RFC is very web app
>> oriented.  I look forward to having a more profiled RFC to point them to :-)
>>
>> adam
>>
>> On Thu, Feb 4, 2016 at 7:13 PM, Justin Richer <jricher@mit.edu> wrote:
>>
>>> I’d like to note that when Tony brought up it being Experimental on the
>>> list, several of us (myself included) pointed out that Informational is the
>>> correct designation for this specification.
>>>
>>>  — Justin
>>>
>>> > On Feb 4, 2016, at 2:18 PM, Hannes Tschofenig <
>>> hannes.tschofenig@gmx.net> wrote:
>>> >
>>> > Hi all,
>>> >
>>> > On January 19th I posted a call for adoption of the OAuth 2.0 for
>>> Native
>>> > Apps specification, see
>>> > http://www.ietf.org/mail-archive/web/oauth/current/msg15400.html
>>> >
>>> > There was very positive feedback during the Yokohama IETF meeting to
>>> > work on this document in the OAuth working group. More than 10 persons
>>> > responded positively to the call on the mailing list as well.
>>> >
>>> > Several persons provided additional input for content changes during
>>> the
>>> > call and here are the relevant links:
>>> > http://www.ietf.org/mail-archive/web/oauth/current/msg15434.html
>>> > http://www.ietf.org/mail-archive/web/oauth/current/msg15435.html
>>> > http://www.ietf.org/mail-archive/web/oauth/current/msg15438.html
>>> >
>>> > Tony also noted that this document should become an Experimental RFC
>>> > rather than a Standards Track RFC. The chairs will consult with the
>>> > Security Area directors on this issue.
>>> >
>>> > To conclude, based on the call <draft-wdenniss-oauth-native-apps> will
>>> > become the starting point for work in OAuth. Please submit the document
>>> > as draft-ietf-oauth-native-apps-00.txt.
>>> >
>>> > Ciao
>>> > Hannes & Derek
>>> >
>>> >
>>> >
>>> > _______________________________________________
>>> > OAuth mailing list
>>> > OAuth@ietf.org
>>> > https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>
>
> --
> --
> *Eduardo Gueiros*
> *Director, Mobile B.U.* |  Jive Communications, Inc.
> jive.com  |  *egueiros@jive.com <egueiros@jive.com>*
> <http://www.facebook.com/jive.communications.inc>
> <http://www.twitter.com/getjive> <http://goplus.us/jive>
> <http://www.youtube.com/jivetalks>
> <http://www.linkedin.com/company/jive-communications-inc>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>