IETF Logo Mail Archive

Re: [OAUTH-WG] OAuth2/OIDC for client-server mobile app

<ve7jtb@ve7jtb.com> Thu, 26 January 2017 15:38 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E383D1296D2 for <oauth@ietfa.amsl.com>; Thu, 26 Jan 2017 07:38:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.589
X-Spam-Level:
X-Spam-Status: No, score=-2.589 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ve7jtb-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bp1FPMTH6lZQ for <oauth@ietfa.amsl.com>; Thu, 26 Jan 2017 07:38:25 -0800 (PST)
Received: from mail-pf0-x235.google.com (mail-pf0-x235.google.com [IPv6:2607:f8b0:400e:c00::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 36DBC1296D1 for <oauth@ietf.org>; Thu, 26 Jan 2017 07:38:25 -0800 (PST)
Received: by mail-pf0-x235.google.com with SMTP id e4so65939688pfg.1 for <oauth@ietf.org>; Thu, 26 Jan 2017 07:38:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb-com.20150623.gappssmtp.com; s=20150623; h=message-id:mime-version:to:cc:from:subject:date:importance :in-reply-to:references; bh=UExVGCnDKcDCX37yqVPi9xbza6VD8fEswAYqjDUIVHI=; b=L7/O//ptsyQdKHhstoqt6i0kv0xXdkrXWvzw4VQCJ7kXv7OBv8N62nYVEbjAc+MtD3 51JrFypAdJXlW0Zvk+qKNdcQABTZSYFySY+XkcQl40+SXMWfIpGkB2DD3DPQYfaTiruo MXI/3qy7o69UOiDAuyhkzuoNC7pqgF7GEElcauLKVUZcyqCOJIfpEoD/weUx4A9TfpKR KsPxhsQwRVzA4aM2KSioUvT3JWaF5tJLICQVzJmhJqhXLxeo6J3uYcA66vgezYZdTtS/ 49sxGO46wESRWp4cJkU9OqIfMJ41pjT9JDog/aSxFLZLL717IDT9Op3q/VKDHTzuWGmj 3mqw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:message-id:mime-version:to:cc:from:subject:date :importance:in-reply-to:references; bh=UExVGCnDKcDCX37yqVPi9xbza6VD8fEswAYqjDUIVHI=; b=PJHJCJBv7VCrJX/ygBq+plFM1jLR1bs0sZijeXxHIPIJrPLVUfEoRJRzbn29igYBe1 axPw7WtOxoZh7PFML+u1CUia/mRpodsyD0ogBsHXIV3ePIj8Jz3uTCHNtmN7+/uS3xgV gLIubg6wf/Ua1piYEkfJtRi2UnceiO8hnnlEU7QTKjH2f+jFpA+fCHATYd0enk9oSXnl Edo45+yqs4PoPJcR4EywHhs5c03zL7Lk2NHlWkMjnoJs2fZx4iBzrjep8Tve9zIaozbA gecJp+CxVp7jpZTzX0mlVmhfvkB8b41rCkYAC7R3pv/oxb4oaDAMqX0zSnvxhXfoXBev p4nQ==
X-Gm-Message-State: AIkVDXJGXYQ7KuWh8gqt3f6ViQl0n73CX50/1yj2/rms9X9AAxqneWOpCGMtQwfaCSfeXGzZ
X-Received: by 10.99.60.76 with SMTP id i12mr3727878pgn.170.1485445104590; Thu, 26 Jan 2017 07:38:24 -0800 (PST)
Received: from ?IPv6:2001:569:7128:2400:7d1e:7c4e:5cfd:28bc? (node-1w7jr9qhemndc5lwqk1n37ovw.ipv6.telus.net. [2001:569:7128:2400:7d1e:7c4e:5cfd:28bc]) by smtp.gmail.com with ESMTPSA id a24sm4412941pfh.33.2017.01.26.07.38.23 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 26 Jan 2017 07:38:23 -0800 (PST)
Message-ID: <588a17ef.18d4620a.cd88d.c109@mx.google.com>
MIME-Version: 1.0
To: Dario Teixeira <dario.teixeira@nleyten.com>
From: ve7jtb@ve7jtb.com
Date: Thu, 26 Jan 2017 07:38:23 -0800
Importance: normal
X-Priority: 3
In-Reply-To: <71dcfb6cdbaa14f8d70db92ac7843d84@nleyten.com>
References: <ffc794a133b4b5fb341a0590c6848034@nleyten.com> <5889010c.06d0620a.31d79.5dd8@mx.google.com> <71dcfb6cdbaa14f8d70db92ac7843d84@nleyten.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="f403045c562ace883805470123d1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/nZZ-euLBZGbczSGRjZ4GpRs7yD8>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] OAuth2/OIDC for client-server mobile app
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Jan 2017 15:38:28 -0000

Unfortunately RFC 6749  lacks a terminology section.

>From Connect we have http://openid.net/specs/openid-connect-core-1_0.html#Terminology

(AS) is a common abbreviation for Authorization server.

In sec 1.1 of OAuth https://tools.ietf.org/html/rfc6749#section-1.1

Roles are defined Client and authorization server.

Given that we have two sorts of clients one as defined by OAuth that is doing authorization only and one using the Connect extensions that is additionally doing Authentication I refer to them as OAuth client and Connect client.   A connect client being a OAuth client using the Connect extensions for authentication (id_token etc).

The connect spec calls it a client and as it is the connect spec the connect part is implied.

OpenID Provider (OP) is a term going back to OpenID 1.   Generic identity standards like SP-800-63-3 https://pages.nist.gov/800-63-3/sp800-63-3.html#sec3  Use the term Identity Providers (IdP) to refer to servers providing federated identity using any protocol.
(Note to NIST the term Identity provider is used but not defined in terms.  Probably obvious to the authors, but not neccicarily to the readeršŸ˜Š

My point being that twitter, facebook and some others do not do OpenID Connect so are not technically OP.

I could use relying while in the middle of a Fido meeting as a excuse but everyone knows that even if I had taken the time it would have come out about the same.


Hope that helps.

John B.



Sent from Mail for Windows 10

From: Dario Teixeira
Sent: January 26, 2017 7:03 AM
To: ve7jtb@ve7jtb.com
Cc: oauth@ietf.org
Subject: RE: [OAUTH-WG] OAuth2/OIDC for client-server mobile app

Hi,

And thanks for the prompt reply!

> I prefer the AppAuth pattern where the native app is a OAuth client to
> your server and you are protecting your API with OAuth.   Your AS
> becomes a Connect/SAML/Twitter auth/ Facebook etc relying party and
> uses federated or local authentication to issue tokens.  (this gives
> your backend API access to user info)

I'm not sure I followed due to the use of non-standard terminology...
What do you mean by "OAuth client" - the Relying Party?  And what
about AS? Is that the Authorization Server, Application Server,
or what?  (One of the frustrating aspects of learning about OAuth2
and OIDC is that not everyone uses the standard terminology.)


> The other pattern is for the native app to be a Connect client to
> Google or other IdP and then passes a id_token (not access token) to
> your backend in some secure manor and your backend validates the
> signature on the id_token and that it was issued to your client
> (verification is essential) (the native app gets access to user info
> api)  You still have the problem of how you secure your API, as you
> need to exchange the validated id_token with something.   I thnk that
> doing this securely winds up being more complicated than the first
> option.

The same problem as above. I cannot find "Connect client" anywhere
on the OIDC terminology. And is IdP what the standard calls OP?

I don't mean to sound ungrateful, but when a newcomer asks a basic
question is usually a bad idea to throw a lot of jargon or non
standard terminology at them...

Best regards,
Dario Teixeira

v2.23.0 | Report a Bug | By Email