[OAUTH-WG] Re: Call for adoption - First Party Apps

Neil Madden <neil.e.madden@gmail.com> Wed, 04 September 2024 16:41 UTC

From: Neil Madden <neil.e.madden@gmail.com>
Date: Wed, 04 Sep 2024 17:41:15 +0100
To: Aaron Parecki <aaron@parecki.com>
CC: oauth <oauth@ietf.org>
Subject: [OAUTH-WG] Re: Call for adoption - First Party Apps
Message-Id: <BCC90022-DF34-469E-8A90-27F7B6767E4F@gmail.com>
In-Reply-To: <CAGBSGjoWzmaZ-jWS-VY6h3R7OZkUVMYkGomyM9Yt9UYwuBB2cA@mail.gmail.com>
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/pkNJ3ptnEUghdPxbLPGMh_9oWf8>

On 4 Sep 2024, at 17:09, Aaron Parecki <aaron@parecki.com> wrote:

> A native UI does not rule out WebAuthn/FIDO, in fact we have an in-progress branch of the draft that shows how you could support passkeys with this spec: https://github.com/aaronpk/oauth-first-party-apps/pull/93

Thanks, that’s good to know. Does it preserve phishing resistance? Ie the app cannot spoof the rpId?


> While there isn't an RFC for authenticating first-party apps, there is plenty of precedent for doing so already using the Apple and Android APIs. There is an adopted in-progress draft that could standardize this as well: https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/

Also good to know. Is the intent to restrict the draft to just mobile apps (and ones with secure enclaves?), or also desktop?

I’d be a lot more comfortable with the draft if this SHOULD in section 1.1 became a MUST:

 “This specification MUST NOT be used by third party applications, and the authorization server SHOULD take measures to prevent use by third party applications. (e.g. only enable this grant for certain client IDs, and take measures to authenticate first-party apps when possible.)”

— Neil


Aaron

On Wed, Sep 4, 2024 at 7:37 AM Neil Madden <neil.e.madden@gmail.com> wrote:
I am a bit skeptical about this one. I’m not convinced we should be recommending native UI until/unless we have a really good story around authenticating first-party apps. Without such a story, I don’t think this should be adopted. Unless I’m mistaken, a native UI also rules out WebAuthn/FIDO-based authenticators? We should not be adopting drafts that increase phishing risks for the sake of aesthetics.

— Neil

On 3 Sep 2024, at 11:46, Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com> wrote:

All,

As per the discussion in Vancouver, this is a call for adoption for the First Party Apps draft:
https://datatracker.ietf.org/doc/draft-parecki-oauth-first-party-apps/

Please, reply on the mailing list and let us know if you are in favor or against adopting this draft as WG document, by Sep 17th.

Regards, 
 Rifaat & Hannes
_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-leave@ietf.org
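As an added illustration for the rpId question raised in this thread (this is not code from the draft, from the linked pull request, or from any participant), below is the relying-party side of a WebAuthn assertion check, i.e. what a server verifies before it even gets to the signature. Per the WebAuthn spec, authenticatorData begins with rpIdHash = SHA-256(rpId) followed by a flags byte and a 32-bit sign count, and clientDataJSON carries the ceremony type, the challenge and the origin; the RP compares each against what it expects. The RP ID example.com, the origin https://login.example.com, the challenge and the assertion bytes are all constructed for the example, and signature verification over authData || SHA-256(clientDataJSON) is left as the next step.

```python
import base64
import hashlib
import json
import struct
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Flag bits in the WebAuthn authenticatorData "flags" byte.
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified


@dataclass
class AssertionCheck:
    ok: bool
    reason: str
    # authData || SHA-256(clientDataJSON): the bytes the authenticator signed.
    # Checking the signature against the stored credential key comes next (not shown).
    signed_payload: Optional[bytes] = None


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def parse_authenticator_data(auth_data: bytes) -> Tuple[bytes, int, int]:
    """Fixed prefix of authenticatorData: rpIdHash (32) | flags (1) | signCount (4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return auth_data[:32], auth_data[32], sign_count


def verify_assertion_binding(client_data_json: bytes, auth_data: bytes,
                             expected_challenge: bytes, expected_rp_id: str,
                             allowed_origins: Set[str], require_uv: bool = False) -> AssertionCheck:
    """RP-side checks binding a webauthn.get assertion to our RP ID, origin and challenge."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return AssertionCheck(False, "clientDataJSON is not valid JSON")
    if client_data.get("type") != "webauthn.get":
        return AssertionCheck(False, "unexpected ceremony type")
    try:
        challenge = b64url_decode(client_data.get("challenge", ""))
    except (ValueError, TypeError):
        return AssertionCheck(False, "challenge is not base64url")
    if challenge != expected_challenge:
        return AssertionCheck(False, "challenge mismatch")
    origin = client_data.get("origin")
    if origin not in allowed_origins:
        return AssertionCheck(False, "origin %r not allowed" % (origin,))
    try:
        rp_id_hash, flags, _sign_count = parse_authenticator_data(auth_data)
    except ValueError as exc:
        return AssertionCheck(False, str(exc))
    if rp_id_hash != hashlib.sha256(expected_rp_id.encode("utf-8")).digest():
        return AssertionCheck(False, "rpIdHash does not match RP ID %r" % (expected_rp_id,))
    if not flags & FLAG_UP:
        return AssertionCheck(False, "user presence flag not set")
    if require_uv and not flags & FLAG_UV:
        return AssertionCheck(False, "user verification required but not performed")
    return AssertionCheck(True, "ok", auth_data + hashlib.sha256(client_data_json).digest())


def make_sample_assertion(rp_id: str, origin: str, challenge: bytes,
                          flags: int = FLAG_UP | FLAG_UV, sign_count: int = 7) -> Tuple[bytes, bytes]:
    """Constructed, unsigned assertion material standing in for real authenticator output."""
    client_data_json = json.dumps({"type": "webauthn.get",
                                   "challenge": b64url_encode(challenge),
                                   "origin": origin}).encode("utf-8")
    auth_data = (hashlib.sha256(rp_id.encode("utf-8")).digest()
                 + bytes([flags]) + struct.pack(">I", sign_count))
    return client_data_json, auth_data


# Constructed values; a real RP draws a fresh random challenge per ceremony.
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://login.example.com"}
CHALLENGE = bytes(range(32))


def demo() -> Tuple[AssertionCheck, AssertionCheck, AssertionCheck]:
    # 1. Assertion scoped to our RP ID, from an allowed origin: accepted.
    cd, ad = make_sample_assertion(RP_ID, "https://login.example.com", CHALLENGE)
    genuine = verify_assertion_binding(cd, ad, CHALLENGE, RP_ID, ALLOWED_ORIGINS, require_uv=True)
    # 2. Authenticator was asked for a different rpId: rpIdHash mismatch, rejected.
    cd, ad = make_sample_assertion("attacker.example", "https://login.example.com", CHALLENGE)
    wrong_rp = verify_assertion_binding(cd, ad, CHALLENGE, RP_ID, ALLOWED_ORIGINS, require_uv=True)
    # 3. Right rpId, but clientDataJSON names an origin we never registered: rejected.
    cd, ad = make_sample_assertion(RP_ID, "https://login.attacker.example", CHALLENGE)
    wrong_origin = verify_assertion_binding(cd, ad, CHALLENGE, RP_ID, ALLOWED_ORIGINS)
    return genuine, wrong_rp, wrong_origin


if __name__ == "__main__":
    for check in demo():
        print(check.ok, check.reason)
```

What the example makes visible is the limit of these checks: the server can only confirm what the authenticator and the client platform put into the assertion. In a browser, the browser sets the origin and only allows an rpId that is the page's effective domain or a registrable suffix of it. With a native UI the app itself issues the platform request, so phishing resistance rests on the platform verifying that the app is associated with the rpId it asks for (Android asset links, Apple associated domains), not on anything the server can verify from the assertion alone.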