Re: [OAUTH-WG] OAuth Digest, Vol 81, Issue 86
Erik Wahlström <erik@wahlstromstekniska.se> Thu, 23 July 2015 22:59 UTC
Return-Path: <erik@wahlstromstekniska.se>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 954211B2A46 for <oauth@ietfa.amsl.com>; Thu, 23 Jul 2015 15:59:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.222
X-Spam-Level:
X-Spam-Status: No, score=0.222 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mI4kRVmqydW6 for <oauth@ietfa.amsl.com>; Thu, 23 Jul 2015 15:59:21 -0700 (PDT)
Received: from mail-wi0-f178.google.com (mail-wi0-f178.google.com [209.85.212.178]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5E4B31B2A4B for <oauth@ietf.org>; Thu, 23 Jul 2015 15:59:21 -0700 (PDT)
Received: by wicmv11 with SMTP id mv11so42996602wic.0 for <oauth@ietf.org>; Thu, 23 Jul 2015 15:59:20 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:content-type; bh=vg0HXKInM2jVT5hK+2/ESuep7MtK73sO3xaP3qM7RC8=; b=hl4XYG3aVpJlCeEwklADNCKC5z160+2uqBip06ID1WmOYdDYa0D5RWCPrl42C9DM+F 0TVjN9/5loy1a9rmY/LBRwf9VKTd3jSkpwgXDN6wj0rEb1Ulr6zB4fvcKCL67j8nEN0k +23CRPNkGpbEO1BhIPkf8fQ6elzGURHk/dj+D/0GpT1T8WTskBISTB926/WAuq6Ybkdr IVzxV4y0WDmn7v2xReDQITkKezReg3DlGpIPEnopjVrz7B6x34F05zLv4AvROjvWvi0C s7Xxw4xIebHUr53QaGYiztas9Lks/SxKJw/YUyUZTjjJO7SUFd2mKTce/pmLeayc7IUa lpbw==
X-Gm-Message-State: ALoCoQmElRv9PRMwwR3eFq2l7IvkhFy7B2nDMh8u5zjjtTQlaBSCRF/0iN59ce6QmWSLfOYTavac
MIME-Version: 1.0
X-Received: by 10.180.78.136 with SMTP id b8mr962379wix.89.1437692360090; Thu, 23 Jul 2015 15:59:20 -0700 (PDT)
Received: by 10.28.8.6 with HTTP; Thu, 23 Jul 2015 15:59:20 -0700 (PDT)
X-Originating-IP: [2001:67c:370:136:d880:b5a3:6a2b:91a6]
In-Reply-To: <mailman.3891.1437668531.3631.oauth@ietf.org>
References: <mailman.3891.1437668531.3631.oauth@ietf.org>
Date: Fri, 24 Jul 2015 00:59:20 +0200
Message-ID: <CA+KYQAtzSHQUfA3hmuaq=d=J7ui2phmvAdD=WnWk_hWqa50xpA@mail.gmail.com>
From: Erik Wahlström <erik@wahlstromstekniska.se>
To: oauth@ietf.org
Content-Type: multipart/alternative; boundary="f46d0435c0346b7ba6051b92d68b"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/voL1WePF2SD3xqZerEbz-iWtGTg>
Subject: Re: [OAUTH-WG] OAuth Digest, Vol 81, Issue 86
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jul 2015 22:59:24 -0000
Hi, Thanks for a great document! I volunteered to review draft-wdenniss-oauth-native-apps-00 at the #IETF93 meeting so here we go: In national mobile eID deployments an app is issued by gov or other organisation in a country. The app acts as the users authentication method and it works with an IDP, the IDP can be anywhere if its an PKI token or at the place that issued the credential if it’s something else. When an SP start developing an native app for there services and want’s to use the national eID solution in combination with OAuth we might run into trouble here. The flow is like follows for a service provider called FooBar: FooBar’s app starts browser-view. FooBar’s SAML service provider functionality redirects the user to an national SAML IDP. The IDP prompts user for a username and then starts an mobile eID token on the same phone. Users is asked if they want’s to authenticate to FooBar and enters PIN. User are then redirected back with an assertion. The FooBar's service provider verifies the assertion and mint’s OAuth2 token(s) and redirects the user back to the app with the help of the redirect URL. So the phone first displays an app, then foobar.com <http://example.com/> in browser-view, then idp.com <http://nationalidp.com/> in *browser-view*, then mobile eID token, then idp.com <http://nationalidp.com/> in the *system browser* and back to foobar.com <http://example.com/> and the app that the user wanted to use. The problem with browser-views is that the mobile eID token will start idp.com when user has authenticated and then the user is not back in the apps browser-view, but in system browser instead. The system browser is sharing the session with the browser-view and redirect the user to the native app. The user experience will be a bit strange then because there the correct page is not loaded and the browser-view should be closed and the app should start parsing out the authorization code instead. So I think draft should mention something about this scenario and that app developers should handle this scenario in the app. The grant did not really come back from the browser-view as expected but from the system browser instead. ————————— With the above in mind. Maybe even some example code would be nice to have in the non normative section "Appendix A. Operating System Specific Implementation Details”. Especially how to handle call backs. ————————— Another eID related issue is the pricing model for authentications in that market segment. It’s really common by the eID credential issuing organisations to charge a service providers usage of a credential per tick (that is by OSCP call). The system is based on a per tick pricing model and there are regulations for how long the sessions can live. That means that its not possible to authenticate with a token once and then create a refresh token and the user will ever see the authentication flow again. It kinda messes up the usability of mobile apps a lot but end users have come to term with it. They have not however came to term to always require consents every time they use the app. That drives end user crazy. The usability would be much better if the payment model also accepted a refresh token as a tick instead of just an OSCP call, but we are not there yet. Anyway, that’s the backstory. The section "6.4. Always Prompting for User Interaction” is a bit harsh with a SHOULD NOT. I would rather change it to a NOT RECOMMENDED. ————————— Two additional things that strengthen the case for using the browser-view also come to mind when reading the draft. The first is the fact that multiple tabs is started in some browser when going through multiple authentication attempts. That clutters the system so I really like the new browser-views. The second is that there are additionally nice things in browser-view that do not exist in the web-view. The localStorage is also preserved and it can include important information to make authentication methods more secure. ———————— "Authorization servers SHOULD consider taking steps to detect and block logins via embedded user-agents that are not their own, where possible."" Sounds good, but that also sounds very hard when it comes to public clients. ————————— And some nits: "OAuth flows between a native app and the system browser (or another external user-agent) are more secure, and take advantage of the shared authentication state." Not really clear what shared authentication state that is in that sentence. "When the authentication server completes the request, it redirects to the client's redirection URI like it would any redirect URI" s/authentication/authorization / Erik On Thu, Jul 23, 2015 at 6:22 PM, <oauth-request@ietf.org> wrote: > > > John Bradley and I introduced a new draft at IETF93 yesterday: > https://tools.ietf.org/html/draft-wdenniss-oauth-native-apps-00 > > > Goal is to provide best practices for native apps using the RFC6749 > authorization > endpoint, expanding on RFC6749 Section 9. Specifically, it recommends > using an external user-agent (such as the system browser) for this task > over an embedded user-agent (such as a web-view), and suggests ways to > achieve this. > > > Comments welcome!
- Re: [OAUTH-WG] OAuth Digest, Vol 81, Issue 86 Erik Wahlström
- Re: [OAUTH-WG] OAuth Digest, Vol 81, Issue 86 John Bradley
- Re: [OAUTH-WG] OAuth Digest, Vol 81, Issue 86 Antonio Sanso
- Re: [OAUTH-WG] OAuth Digest, Vol 81, Issue 86 John Bradley
- Re: [OAUTH-WG] OAuth Digest, Vol 81, Issue 86 Nat Sakimura
- Re: [OAUTH-WG] OAuth Digest, Vol 81, Issue 86 Brian Campbell
- Re: [OAUTH-WG] OAuth Digest, Vol 81, Issue 86 Nat Sakimura
- Re: [OAUTH-WG] OAuth Digest, Vol 81, Issue 86 Paul Madsen
- Re: [OAUTH-WG] OAuth Digest, Vol 81, Issue 86 Antonio Sanso