Re: [OAUTH-WG] Call for adoption: OAuth 2.0 for Native Apps

Anthony Nadalin <> Thu, 21 January 2016 04:33 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id CB9991B2EA0 for <>; Wed, 20 Jan 2016 20:33:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.012
X-Spam-Status: No, score=-0.012 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id pHT5X5pw0NME for <>; Wed, 20 Jan 2016 20:33:53 -0800 (PST)
Received: from ( [IPv6:2a01:111:f400:fc10::1:789]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E78AF1B2E9E for <>; Wed, 20 Jan 2016 20:33:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=IwWmzc0tMudPiBc3NU7jki1mDZMWhvQ1fjock7EXsKI=; b=nToN8nBunLt+f1LEdWKTEAxzi3uBD8edLWxLnD3VsTjo63AeKOla16Y4n6X1wYnNZIsL26i8Hxm1ABdZLa/c8b7tZGGBuGZO3nhFLo0g4W7IXxt5rp/6M4cr6uk88Dqj78/5WGrQYJJwQlmX5thRilmk1HStGhENE2yBPVj4H3c=
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.1.365.19; Thu, 21 Jan 2016 04:33:32 +0000
Received: from ([]) by ([]) with mapi id 15.01.0365.024; Thu, 21 Jan 2016 04:33:31 +0000
From: Anthony Nadalin <>
To: John Bradley <>, Nat Sakimura <>
Thread-Topic: [OAUTH-WG] Call for adoption: OAuth 2.0 for Native Apps
Date: Thu, 21 Jan 2016 04:33:31 +0000
Message-ID: <>
References: <> <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
authentication-results: spf=none (sender IP is );
x-originating-ip: []
x-ms-office365-filtering-correlation-id: 9bc000d8-5bdd-40e1-2077-08d3221c047a
x-microsoft-exchange-diagnostics: 1; BN3PR0301MB1233; 5:bBSr+OjZew9qEervtgxU3q/l30vKr8/3STq6Rt2vh0d2AaO/UvqATtKhPuGEJ3k+VQ24FysuHtw63v51hezsW6RTO914cRMQUtowAIvEZFXsPrQ6PDGVzRl6My/qiijk1O/c8Gl5hhzMrDV5R52u3Q==; 24:65l7mGwQY8KtmcseJm3g5XBM/fI0+8AYtu6pGtfOyDKU1HRNoHkGAXDFMhMDal17Bw+PpryxSEw8eIFsH69EuReMLphl08yPy6eZ7R6w9uQ=
x-exchange-antispam-report-test: UriScan:; BCL:0; PCL:0; RULEID:; SRVR:BN3PR0301MB1233; UriScan:(189930954265078);
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(601004)(2401047)(8121501046)(520078)(5005006)(3002001)(10201501046)(61426038)(61427038); SRVR:BN3PR0301MB1233; BCL:0; PCL:0; RULEID:; SRVR:BN3PR0301MB1233;
x-forefront-prvs: 08286A0BE2
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(979002)(24454002)(377454003)(189002)(11905935001)(53754006)(199003)(77096005)(76576001)(19580395003)(19617315012)(5005710100001)(8990500004)(2900100001)(6116002)(3846002)(16236675004)(93886004)(10290500002)(10400500002)(5008740100001)(1220700001)(122556002)(92566002)(50986999)(790700001)(19300405004)(102836003)(19580405001)(586003)(1096002)(54356999)(5002640100001)(5001960100002)(87936001)(189998001)(2950100001)(33656002)(76176999)(81156007)(5003600100002)(101416001)(105586002)(40100003)(5004730100002)(74316001)(86362001)(5001770100001)(10090500001)(66066001)(99286002)(4326007)(106116001)(5890100001)(106356001)(19625215002)(86612001)(97736004)(15975445007)(2906002)(42262002)(9078065003)(969003)(989001)(999001)(1009001)(1019001); DIR:OUT; SFP:1102; SCL:1; SRVR:BN3PR0301MB1233;; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None ( does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BN3PR0301MB1234046860E5CD9E774DB473A6C30BN3PR0301MB1234_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Jan 2016 04:33:31.5006 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN3PR0301MB1233
Archived-At: <>
Cc: "" <>
Subject: Re: [OAUTH-WG] Call for adoption: OAuth 2.0 for Native Apps
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 21 Jan 2016 04:33:58 -0000

This work had many issues in the OpenID WG where it failed why should this be a WG item here ? The does meet the requirements for experimental, there is a fine line between informational and experimental, I would be OK with either but prefer experimental, I don’t think that this should become a standard.

From: OAuth [] On Behalf Of John Bradley
Sent: Wednesday, January 20, 2016 12:11 PM
To: Nat Sakimura <>
Subject: Re: [OAUTH-WG] Call for adoption: OAuth 2.0 for Native Apps

PS as you probably suspected I am in favour of moving this forward.

On Jan 20, 2016, at 5:08 PM, Nat Sakimura <<>> wrote:

+1 for moving this forward.

2016年1月21日木曜日、John Bradley<<>>さんは書きました:
Yes more is needed.   It was theoretical at that point.  Now we have implementation experience.

On Jan 20, 2016, at 3:38 PM, Brian Campbell <<javascript:_e(%7B%7D,'cvml','');>> wrote:

There is<> which has some mention of SFSafariViewController and Chrome Custom Tabs.
Maybe more is needed?

On Wed, Jan 20, 2016 at 10:45 AM, John Bradley <<javascript:_e(%7B%7D,'cvml','');>> wrote:
Yes, in July we recommended using the system browser rather than WebViews.

About that time Apple announced Safari view controller and Google Chrome custom tabs.   The code in the OS is now stable and we have done a fair amount of testing.

The OIDF will shortly be publishing reference libraries for iOS and Android to how how to best use View Controllers, and PKCE in native apps on those platforms.

We do need to update this doc to reflect what we have learned in the last 6 months.

One problem we do still have is not having someone with Win 10 mobile experience to help document the best practices for that platform.
I don’t understand that platform well enough yet to include anything.

John B.

On Jan 20, 2016, at 12:40 PM, Aaron Parecki <<javascript:_e(%7B%7D,'cvml','');>> wrote:

The section on embedded web views doesn't mention the new iOS 9 SFSafariViewController which allows apps to display a system browser within the application. The new API doesn't give the calling application access to anything inside the browser, so it is acceptable for using with OAuth flows. I think it's important to mention this new capability for apps to leverage since it leads to a better user experience.

I'm sure that can be addressed in the coming months if this document is just the starting point.

I definitely agree that a document about native apps is necessary since the core leaves a lot of guessing room for an implementation.

For reference,<>

And see the attached screenshot for an example of what it looks like.


Aaron Parecki<>

On Tue, Jan 19, 2016 at 3:46 AM, Hannes Tschofenig <<javascript:_e(%7B%7D,'cvml','');>> wrote:
Hi all,

this is the call for adoption of OAuth 2.0 for Native Apps, see<>

Please let us know by Feb 2nd whether you accept / object to the
adoption of this document as a starting point for work in the OAuth
working group.

Note: If you already stated your opinion at the IETF meeting in Yokohama
then you don't need to re-state your opinion, if you want.

The feedback at the Yokohama IETF meeting was the following: 16 persons
for doing the work / 0 persons against / 2 persons need more info

Hannes & Derek

OAuth mailing list<javascript:_e(%7B%7D,'cvml','');><>

OAuth mailing list<javascript:_e(%7B%7D,'cvml','');><>

OAuth mailing list<javascript:_e(%7B%7D,'cvml','');><>

Nat Sakimura (=nat)
Chairman, OpenID Foundation<>