Re: [OAUTH-WG] OAuth2/OIDC for client-server mobile app
Phil Hunt <phil.hunt@oracle.com> Wed, 25 January 2017 18:33 UTC
Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 60D4F129AD4 for <oauth@ietfa.amsl.com>; Wed, 25 Jan 2017 10:33:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.554
X-Spam-Level:
X-Spam-Status: No, score=-8.554 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-1.156, RP_MATCHES_RCVD=-3.199, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JE8I3zPWHb0j for <oauth@ietfa.amsl.com>; Wed, 25 Jan 2017 10:33:45 -0800 (PST)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B2F03129AD2 for <oauth@ietf.org>; Wed, 25 Jan 2017 10:33:45 -0800 (PST)
Received: from aserv0022.oracle.com (aserv0022.oracle.com [141.146.126.234]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id v0PIXhSH002803 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 25 Jan 2017 18:33:44 GMT
Received: from userv0122.oracle.com (userv0122.oracle.com [156.151.31.75]) by aserv0022.oracle.com (8.14.4/8.14.4) with ESMTP id v0PIXhQ3003024 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 25 Jan 2017 18:33:43 GMT
Received: from abhmp0011.oracle.com (abhmp0011.oracle.com [141.146.116.17]) by userv0122.oracle.com (8.14.4/8.14.4) with ESMTP id v0PIXgLN027758; Wed, 25 Jan 2017 18:33:42 GMT
Received: from dhcp-whq-twvpn-2-vpnpool-10-159-164-183.vpn.oracle.com (/10.159.164.183) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 25 Jan 2017 10:33:42 -0800
Content-Type: multipart/alternative; boundary="Apple-Mail=_7DC075B2-EA34-49F5-8E14-97C5C7322065"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <2fc78923-95a7-7def-3d59-65231f43ad0b@mit.edu>
Date: Wed, 25 Jan 2017 10:33:41 -0800
Message-Id: <E20494E2-CDC1-48D9-B62A-BC28F063E705@oracle.com>
References: <ffc794a133b4b5fb341a0590c6848034@nleyten.com> <2fc78923-95a7-7def-3d59-65231f43ad0b@mit.edu>
To: Justin Richer <jricher@mit.edu>
X-Mailer: Apple Mail (2.3124)
X-Source-IP: aserv0022.oracle.com [141.146.126.234]
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/mDRvrYm211G51LdLqOSBGoAvlWE>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] OAuth2/OIDC for client-server mobile app
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Jan 2017 18:33:47 -0000
There is a problem here that the endpoint definitions for OpenID Connect and OAuth are different depending on whether an app is a client to OIDC OP or OAuth AS. Phil Oracle Corporation, Identity Cloud Services & Identity Standards @independentid www.independentid.com <http://www.independentid.com/>phil.hunt@oracle.com <mailto:phil.hunt@oracle.com> > On Jan 25, 2017, at 10:26 AM, Justin Richer <jricher@mit.edu> wrote: > > I would recommend making the mobile app the RP, and having the server be an additional protected resource that accepts access tokens from the mobile app. This is how it's commonly handled, and there are libraries (such as Google's AppAuth) that handle most of these interactions. > > -- Justin > > > On 1/25/2017 9:22 AM, Dario Teixeira wrote: >> Hi, >> >> I am building a mobile app and a server. The mobile app fetches >> user-specific data from the server, and therefore some sort of >> authentication is required. I would like to avoid the traditional >> username+password scheme, and instead allow users to login via >> Google or Facebook. It seems the OAuth2-based OpenID Connect (OIDC) >> is the recommended solution nowadays, so my question is about the >> usage of OAuth2/OIDC in this scenario. >> >> All OIDC docs and tutorials describe the interaction between three >> parties: a Relying Party (RP), a User Agent (UA), and an OIDC >> Provider (OIP). There are however four parties in my scenario: >> the mobile app, the server, the UA, and the OIP. Which should >> take the role of RP? I see two different ways to do this: >> >> 1) The mobile app is the RP. It even takes care of starting a >> small web server to receive the data from the OIP. At the end >> of the interaction, the mobile app has a JWT signed by the OIP, >> which it sends to the server, which must validate it using a >> built-in list of OIP public signatures. >> >> 2) The server is the RP. When the user wishes to login, the mobile >> app asks the server about the OIP's authorization endpoint. >> The server provide the client with an URI whose redirect_uri >> parameter points to the server. All subsequent steps are >> handled by the server. >> >> Anyway, this seems like a fairly common scenario, and I would rather >> follow some best-practices documentation instead of cooking up my >> own schemes, like points 1 and 2 above. Therefore, if there is >> indeed such documentation, could someone please point me towards it? >> And if not, which would be the recommended route, 1 or 2? >> >> Thanks in advance for your attention! >> Best regards, >> Dario Teixeira >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] OAuth2/OIDC for client-server mobile a… Dario Teixeira
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… Justin Richer
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… Phil Hunt
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… ve7jtb
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… Brian Campbell
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… Phil Hunt (IDM)
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… Dario Teixeira
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… Dario Teixeira
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… Dario Teixeira
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… Dario Teixeira
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… ve7jtb
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… John Bradley
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… Dario Teixeira
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… Phil Hunt (IDM)
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… John Bradley
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… Phil Hunt (IDM)
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… Dario Teixeira
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… John Bradley
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… Dario Teixeira
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… ve7jtb
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… Phil Hunt (IDM)
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… ve7jtb