[OAUTH-WG] OAuth2/OIDC for client-server mobile app
Dario Teixeira <dario.teixeira@nleyten.com> Wed, 25 January 2017 14:22 UTC
Return-Path: <dario.teixeira@nleyten.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 35E0512995D for <oauth@ietfa.amsl.com>; Wed, 25 Jan 2017 06:22:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uFUUBRR4QvE2 for <oauth@ietfa.amsl.com>; Wed, 25 Jan 2017 06:22:37 -0800 (PST)
Received: from relay2-d.mail.gandi.net (relay2-d.mail.gandi.net [IPv6:2001:4b98:c:538::194]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 099B712995C for <oauth@ietf.org>; Wed, 25 Jan 2017 06:22:37 -0800 (PST)
Received: from mfilter1-d.gandi.net (mfilter1-d.gandi.net [217.70.178.130]) by relay2-d.mail.gandi.net (Postfix) with ESMTP id 151F2C5A4E for <oauth@ietf.org>; Wed, 25 Jan 2017 15:22:35 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at mfilter1-d.gandi.net
Received: from relay2-d.mail.gandi.net ([IPv6:::ffff:217.70.183.194]) by mfilter1-d.gandi.net (mfilter1-d.gandi.net [::ffff:10.0.15.180]) (amavisd-new, port 10024) with ESMTP id ODt-shBfLg1X for <oauth@ietf.org>; Wed, 25 Jan 2017 15:22:31 +0100 (CET)
X-Originating-IP: 10.58.1.149
Received: from webmail.gandi.net (webmail9-d.mgt.gandi.net [10.58.1.149]) (Authenticated sender: dario.teixeira@nleyten.com) by relay2-d.mail.gandi.net (Postfix) with ESMTPA id AF212C5A55 for <oauth@ietf.org>; Wed, 25 Jan 2017 15:22:31 +0100 (CET)
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Content-Transfer-Encoding: 7bit
Date: Wed, 25 Jan 2017 14:22:31 +0000
From: Dario Teixeira <dario.teixeira@nleyten.com>
To: oauth@ietf.org
Message-ID: <ffc794a133b4b5fb341a0590c6848034@nleyten.com>
X-Sender: dario.teixeira@nleyten.com
User-Agent: Roundcube Webmail/1.1.2
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/qjAc-Htj0jn1-8_YEyY7QcCUHSE>
Subject: [OAUTH-WG] OAuth2/OIDC for client-server mobile app
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Jan 2017 15:59:24 -0000
Hi, I am building a mobile app and a server. The mobile app fetches user-specific data from the server, and therefore some sort of authentication is required. I would like to avoid the traditional username+password scheme, and instead allow users to login via Google or Facebook. It seems the OAuth2-based OpenID Connect (OIDC) is the recommended solution nowadays, so my question is about the usage of OAuth2/OIDC in this scenario. All OIDC docs and tutorials describe the interaction between three parties: a Relying Party (RP), a User Agent (UA), and an OIDC Provider (OIP). There are however four parties in my scenario: the mobile app, the server, the UA, and the OIP. Which should take the role of RP? I see two different ways to do this: 1) The mobile app is the RP. It even takes care of starting a small web server to receive the data from the OIP. At the end of the interaction, the mobile app has a JWT signed by the OIP, which it sends to the server, which must validate it using a built-in list of OIP public signatures. 2) The server is the RP. When the user wishes to login, the mobile app asks the server about the OIP's authorization endpoint. The server provide the client with an URI whose redirect_uri parameter points to the server. All subsequent steps are handled by the server. Anyway, this seems like a fairly common scenario, and I would rather follow some best-practices documentation instead of cooking up my own schemes, like points 1 and 2 above. Therefore, if there is indeed such documentation, could someone please point me towards it? And if not, which would be the recommended route, 1 or 2? Thanks in advance for your attention! Best regards, Dario Teixeira
- [OAUTH-WG] OAuth2/OIDC for client-server mobile a… Dario Teixeira
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… Justin Richer
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… Phil Hunt
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… ve7jtb
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… Brian Campbell
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… Phil Hunt (IDM)
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… Torsten Lodderstedt
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… Dario Teixeira
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… Dario Teixeira
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… Dario Teixeira
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… Dario Teixeira
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… ve7jtb
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… John Bradley
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… Dario Teixeira
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… Phil Hunt (IDM)
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… John Bradley
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… Phil Hunt (IDM)
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… Dario Teixeira
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… John Bradley
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… Dario Teixeira
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… ve7jtb
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… Phil Hunt (IDM)
- Re: [OAUTH-WG] OAuth2/OIDC for client-server mobi… ve7jtb