Re: [OAUTH-WG] OAuth2/OIDC for client-server mobile app

Dario Teixeira <dario.teixeira@nleyten.com> Thu, 26 January 2017 16:51 UTC

Date: Thu, 26 Jan 2017 16:51:46 +0000
From: Dario Teixeira <dario.teixeira@nleyten.com>
To: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <CAANoGhKON-a22CjHTGe3AsSGR=epFZ_YLpKSt9DzrcZ1fY6mPA@mail.gmail.com>
References: <ffc794a133b4b5fb341a0590c6848034@nleyten.com> <5889010c.06d0620a.31d79.5dd8@mx.google.com> <CA+k3eCQ69_+7JEZN30OpOwfW-cy1Dmu6-K84geLLvrjWxpt=7A@mail.gmail.com> <823CE48E-D778-4704-B13D-B6C302ED14D6@oracle.com> <093116990b28d9837f42a7477fc09d80@nleyten.com> <CAANoGhKON-a22CjHTGe3AsSGR=epFZ_YLpKSt9DzrcZ1fY6mPA@mail.gmail.com>
Message-ID: <be34721f2dbd38434edadcef5658131a@nleyten.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/nFjeCDQCTb6g6HlDiZpW-ZpyTR0>
Cc: IETF oauth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth2/OIDC for client-server mobile app

Hi,

> https://tools.ietf.org/html/draft-ietf-oauth-native-apps [2]
> 
> They are OpenID foundation libraries, not Google's.   Google, Ping and
> a number of others are active contributors if you look at the git
> repositories.

Thanks for the link.  Perhaps I'm missing something, but the AppAuth
pattern as described by this document represents only half the picture:
at the end of the interaction, the native app is in possession of a
token that authenticates the user.  However, my server cannot accept
that token blindly!

Now, the way I would solve this is by keeping a hard-coded list of
OpenID Provider public keys on my server, which I would use to
verify that the token was indeed signed by the OIP.  Correct me
if I'm wrong, but this also seems to be the recommended approach,
right?

Thanks again for your time!
Best regards,
Dario Teixeira
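As an added example (not code from this thread, nor from AppAuth or any OpenID Foundation library), here is the server-side check Dario describes, in Go: the ID token's RS256 signature is verified against a pinned set of OP public keys looked up by `kid`, and only then are `iss`, `aud` (the app's `client_id`), `nonce` and `exp` compared with what the server expects. `DemoOPKey`, `MintIDToken` and every identifier, issuer and key id below are constructed for the demonstration; the OP side exists only to produce a token to check, and a real server holds nothing but the OP's public keys.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
// PinnedKeys maps the OP's key id ("kid") to its RSA public key; fill it from the OP's JWKS.
type PinnedKeys map[string]*rsa.PublicKey
// claims holds only what we check; "aud" is taken as a string (OIDC also permits an array).
type claims struct{ Iss, Sub, Aud, Nonce string; Exp int64 }
// DemoOPKey stands in for the OP's signing key (constructed here; a real server holds only the public half).
var DemoOPKey, _ = rsa.GenerateKey(rand.Reader, 2048)
func enc(v interface{}) string { b, _ := json.Marshal(v); return base64.RawURLEncoding.EncodeToString(b) }
func decode(seg string, v interface{}) error {
	b, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(b, v)
}
// MintIDToken plays the OP (demo only): it signs body with priv under key id kid and the given alg label.
func MintIDToken(priv *rsa.PrivateKey, kid, alg string, body map[string]interface{}) string {
	si := enc(map[string]string{"alg": alg, "kid": kid}) + "." + enc(body)
	h := sha256.Sum256([]byte(si))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	return si + "." + base64.RawURLEncoding.EncodeToString(sig)
}
// VerifyIDToken is the server-side check: RS256 signature by a pinned OP key, then iss, aud, nonce, exp.
func VerifyIDToken(tok string, keys PinnedKeys, iss, clientID, nonce string, now int64) (string, error) {
	parts := strings.Split(tok, ".")
	var hdr struct{ Alg, Kid string }
	if len(parts) != 3 || decode(parts[0], &hdr) != nil || hdr.Alg != "RS256" {
		return "", errors.New("malformed token or unsupported alg") // also rejects "none" and HS*
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // signing input is header.payload
	if key := keys[hdr.Kid]; key == nil || err != nil || rsa.VerifyPKCS1v15(key, crypto.SHA256, h[:], sig) != nil {
		return "", errors.New("unknown kid or signature not made by a pinned OP key")
	}
	var c claims // claims are trusted only after the signature has been verified
	if decode(parts[1], &c) != nil || c.Iss != iss || c.Aud != clientID || c.Nonce != nonce || now >= c.Exp {
		return "", errors.New("iss, aud, nonce or exp check failed")
	}
	return c.Sub, nil
}
```

OPs rotate their signing keys, so in practice `PinnedKeys` is refreshed from the OP's published JWKS endpoint rather than being literally hard-coded.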