IETF Logo Mail Archive

Re: [OAUTH-WG] Call for adoption: OAuth 2.0 for Native Apps

John Bradley <ve7jtb@ve7jtb.com> Wed, 20 January 2016 17:45 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E80901ABD8F for <oauth@ietfa.amsl.com>; Wed, 20 Jan 2016 09:45:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QbFJGR5Wlt6X for <oauth@ietfa.amsl.com>; Wed, 20 Jan 2016 09:45:21 -0800 (PST)
Received: from mail-qk0-x236.google.com (mail-qk0-x236.google.com [IPv6:2607:f8b0:400d:c09::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6A5881A897B for <oauth@ietf.org>; Wed, 20 Jan 2016 09:45:21 -0800 (PST)
Received: by mail-qk0-x236.google.com with SMTP id x1so5990428qkc.1 for <oauth@ietf.org>; Wed, 20 Jan 2016 09:45:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ve7jtb-com.20150623.gappssmtp.com; s=20150623; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=2e1u3opAGV/zqTdn1Uk5sOp9ttiisO4qda+4JMFBQa8=; b=WgcHvm6AwBM3Kf4+JXEa+54hwLueIIriDbGE6dHQScN/PDyqOXQjf5mj8PgIJ3qzMt BgZBcMVj+g83L3qxk21AmQyuDqb4N6XhDHKxFT/clIuQt7576b4TfupPrxmDqzWOXSSw AfeIoLQOvNHg1jjsBbNyQhCXc4QYs7AdpqIgV96stcJmTIPHz71ACWf59jLFWNyvCUAJ EOxBRFz5EVTzTtOMhd+OTsc0yj5RjSEh/blzL9jIkl+6qdhLyyo/J/yYow4brc78Qjy8 DlTgiPmDvVAeUBe0dYI9I2Z91PR+L3bZ5u2LT6BbBEkkqtkf4ms32Lh30RHcp1eKP1FU yPtg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=2e1u3opAGV/zqTdn1Uk5sOp9ttiisO4qda+4JMFBQa8=; b=BQ0fmGjKmWIvrWj3ykNckvnlV+Cg4zOcr+wpnR6XCrkrFxoaYeC6TOLZF31F4Dl0dO LKTr9pqmDkHO00cHi2cfQ2EYbjxA4FqUHXcGV32pCvPN8m9QV6uIlDx1jeJD5AvxiU0r gJX1YKjywhOLv+A5PmSkAD+/x/UJRIEnFZoyCLX1F8x/QKCe8WrnQmJeDOEXcqzeNTha IlbJCN6rMQ+z7Inu5e6KjYlHnMUOyplkSL5aH+Os0cQJFdB0o09XiPfp8sz0niH5TZln LacmmQPUV/XGm+yBdWUMlSP01ZNRljxFDw5ZFYgdZ3lWRTH/kwFGUf/NoYPpo/Udo2mE wUfw==
X-Gm-Message-State: ALoCoQk6XY7dcgBGGIdQ2wGid08K/GrTU0S7/M4/nnXKlDMq0W0YMhwhTA2tXRfjGvc//s2eaTpl8rXHmxx7riLXqLU94S94Ig==
X-Received: by 10.55.207.152 with SMTP id v24mr46692033qkl.100.1453311920347; Wed, 20 Jan 2016 09:45:20 -0800 (PST)
Received: from [192.168.8.101] ([181.202.164.7]) by smtp.gmail.com with ESMTPSA id b34sm14669708qgb.31.2016.01.20.09.45.18 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 20 Jan 2016 09:45:19 -0800 (PST)
Content-Type: multipart/signed; boundary="Apple-Mail=_E64773AA-4EED-42F4-9F1B-0E64C171B073"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <CAGBSGjpwZ929ZZHYiNpvqLvMDBrVFWaffZLQPwZn_xj7phsrpw@mail.gmail.com>
Date: Wed, 20 Jan 2016 14:45:15 -0300
Message-Id: <6ADAA1B5-7EF9-49EA-A3D9-6EFC57275EB9@ve7jtb.com>
References: <569E2231.1010107@gmx.net> <CAGBSGjpwZ929ZZHYiNpvqLvMDBrVFWaffZLQPwZn_xj7phsrpw@mail.gmail.com>
To: Aaron Parecki <aaron@parecki.com>
X-Mailer: Apple Mail (2.3112)
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/orDh_mYmpfq7TmHiR_ubwswTWhk>
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Call for adoption: OAuth 2.0 for Native Apps
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jan 2016 17:45:24 -0000

Yes, in July we recommended using the system browser rather than WebViews.   

About that time Apple announced Safari view controller and Google Chrome custom tabs.   The code in the OS is now stable and we have done a fair amount of testing.

The OIDF will shortly be publishing reference libraries for iOS and Android to how how to best use View Controllers, and PKCE in native apps on those platforms.

We do need to update this doc to reflect what we have learned in the last 6 months.

One problem we do still have is not having someone with Win 10 mobile experience to help document the best practices for that platform. 
I don’t understand that platform well enough yet to include anything.

John B.

> On Jan 20, 2016, at 12:40 PM, Aaron Parecki <aaron@parecki.com> wrote:
> 
> The section on embedded web views doesn't mention the new iOS 9 SFSafariViewController which allows apps to display a system browser within the application. The new API doesn't give the calling application access to anything inside the browser, so it is acceptable for using with OAuth flows. I think it's important to mention this new capability for apps to leverage since it leads to a better user experience.
> 
> I'm sure that can be addressed in the coming months if this document is just the starting point.
> 
> I definitely agree that a document about native apps is necessary since the core leaves a lot of guessing room for an implementation.
> 
> For reference, https://developer.apple.com/library/prerelease/ios/releasenotes/General/WhatsNewIniOS/Articles/iOS9.html#//apple_ref/doc/uid/TP40016198-DontLinkElementID_26 <https://developer.apple.com/library/prerelease/ios/releasenotes/General/WhatsNewIniOS/Articles/iOS9.html#//apple_ref/doc/uid/TP40016198-DontLinkElementID_26>
> 
> And see the attached screenshot for an example of what it looks like.
> 
> <embedded-oauth-view.png>
> 
> ----
> Aaron Parecki
> aaronparecki.com <http://aaronparecki.com/>
> @aaronpk <http://twitter.com/aaronpk>
> 
> 
> On Tue, Jan 19, 2016 at 3:46 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>> wrote:
> Hi all,
> 
> this is the call for adoption of OAuth 2.0 for Native Apps, see
> http://datatracker.ietf.org/doc/draft-wdenniss-oauth-native-apps/ <http://datatracker.ietf.org/doc/draft-wdenniss-oauth-native-apps/>
> 
> Please let us know by Feb 2nd whether you accept / object to the
> adoption of this document as a starting point for work in the OAuth
> working group.
> 
> Note: If you already stated your opinion at the IETF meeting in Yokohama
> then you don't need to re-state your opinion, if you want.
> 
> The feedback at the Yokohama IETF meeting was the following: 16 persons
> for doing the work / 0 persons against / 2 persons need more info
> 
> Ciao
> Hannes & Derek
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org <mailto:OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email