Re: [OAUTH-WG] popular apps that use appauth?

Dominick Baier <dbaier@leastprivilege.com> Mon, 25 February 2019 11:40 UTC

From: Dominick Baier <dbaier@leastprivilege.com>
Date: Mon, 25 Feb 2019 03:40:22 -0800
To: Vittorio Bertocci <vittorio=40auth0.com@dmarc.ietf.org>, David Waite <david@alkaline-solutions.com>
Cc: William Denniss <wdenniss=40google.com@dmarc.ietf.org>, oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ieGRVZIXifx1BDXqU9hgqk4VVGw>

A good example of a desktop application using browser authentication is
Github for Desktop.

They use custom URLs/callbacks for both OSX and Windows. Works very well.

———
Dominick
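The thread above argues about where the browser lives (system browser vs embedded view) and how the callback comes back (custom URL scheme, as Dominick describes, or a loopback listener, as Vittorio mentions); the client-side checks are the same in both cases. Added example, not code from this message, GitHub Desktop or AppAuth: it builds the authorization request with a PKCE challenge and a fresh `state`, then validates the redirect whichever form it arrives in. The authorization endpoint and client id are placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder authorization endpoint (assumption, not a real server).
AUTHZ_ENDPOINT = "https://as.example/authorize"


def pkce_pair():
    """Return (code_verifier, code_challenge) using the S256 method of RFC 7636."""
    verifier = secrets.token_urlsafe(32)  # 43 unreserved characters
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge


def build_request(client_id, redirect_uri, scope):
    """Build the URL to open in the system browser plus the per-request secrets.

    redirect_uri may be loopback (http://127.0.0.1:PORT/cb) or a custom
    scheme (com.example.app:/cb); the flow is otherwise identical.
    """
    verifier, challenge = pkce_pair()
    state = secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}", state, verifier


def parse_redirect(redirect_url, expected_state):
    """Validate the callback delivered to the loopback listener or scheme handler.

    The state check ties the response to a request this app started, so a
    callback that does not match is rejected instead of being exchanged.
    Returns the authorization code or raises ValueError.
    """
    query = parse_qs(urlparse(redirect_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: not the request this app started")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("callback must carry exactly one code")
    return codes[0]
```

The `verifier` returned by `build_request` is what the app sends to the token endpoint afterwards; the `code` alone is useless to anything that did not hold it.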

On 25. February 2019 at 11:48:20, Vittorio Bertocci (
vittorio=40auth0.com@dmarc.ietf.org) wrote:

Ahh, as John knows this is a big pet peeve for me :)

Although that's all true on mobile, on desktop things are more
complicated.

   - Using a system browser on the desktop (Linux/Mac/Windows) means that
   you don't control the experience (there might be modal dialogs occluding
   the browser or any other Z order windows factors; the browser instance
   might have already other tabs open; the default browser of any particular
   machine can be different; users might need to take steps to get back to the
   app; etc)
   - Use of loopback adapters is banned by many big enterprises on their
   machines
   - The big security advantages of the approach on mobile, where apps are
   all nicely sandboxed, are not as pronounced in an environment where the user
   login session in the machine is the main security boundary (think keylogger
   attaching to the main windows events pump, or a debugger - all stuff not
   possible on mobile but viable on desktops)

True, it would be fantastic if desktop OSes would offer system browser
features comparable to what's available on iOS and Android - but today that
doesn't appear to be the case. And the inability to leverage existing
sessions when using embedded views on the desktop is a true pain. But
judging from the behavior of the most popular desktop apps in market
(Office, Slack, Adobe Reader, Visual Studio, even the Google Drive app for
Mac...) losing the ability to access cookies is less of a nuisance for
users than all of the above. And considering that desktop machines usually
have their own way of identifying devices, that is also not much of a
factor for desktop apps.

The best practice has been discussed for the last 4 years and still all of
the big apps above remain on embedded: it is however telling that the
mobile apps from the same vendors all embraced the system browser approach.
Since the native best practices came out, I have been working with desktop
developers dealing with this cognitive dissonance of the best practice
saying something that is very hard to put in practice. I understand that it
is well intentioned and it is easier to give one single piece of advice for both
mobile and desktop, but while the necessary features and experiences are
lacking on the desktop I am not sure how much of a difference it is making
in that use case.



On Mon, Feb 25, 2019 at 12:59 AM David Waite <david@alkaline-solutions.com>
wrote:

>
> > On Feb 24, 2019, at 10:43 AM, William Denniss <wdenniss=40google.com@dmarc.ietf.org> wrote:
> >
> > For 1P sign-in, there are several good reasons to go with
> ASWebAuthenticationSession, like syncing the signed-in session with Safari
> and using it if it already exists.
>
> With enterprise 3P, you’ll have to use some web agent for authentication
> pretty much no matter what, and you’ll almost certainly get pressure to use
> ASWebAuthenticationSession, and/or potentially lose deals to competitors
> during product evaluations. It is simply what is required for robust
> integration into a corporate infrastructure.
>
> For 1P on iOS, it depends on the complexity of authentication for first
> party. If you are just doing password and maybe SMS-based challenges, there
> is decent enough native app integration for password sharing and SMS
> keyboard for that to keep conversions high, even with having to
> authenticate twice.
>
> However, if you want to authenticate the device (even pseudonymously with
> session cookies) or do other factors, the authentication is simpler with
> ASWebAuthenticationSession. Which means your life will be easier if you
> have more complex authentication requirements anywhere on your roadmap to
> just start off using ASWebAuthenticationSession.
>
> It is likely that future authentication technologies like WebAuthn will
> not work with an embedded web view. The ability to arbitrarily inject
> JavaScript means that apps can phish WebAuthn responses for domains via
> embedded web views.
>
> -DW
>
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth