One of my items from yesterday was to update the text related to native applications. Primary goals were to:

1. remove the explicit preference for authorization_code grant type
2. provide a brief overview on means of initiating authorization requests and receiving callbacks
3. discuss the pros/cons of the different authorization requests and grant types

Here is suggested text.

-cmort

-----------------------------

9. Native Applications

   A native application is a client which is installed and executes on the end-user's device (i.e. desktop application, native mobile application). Native applications require special consideration related to security, platform capabilities, and overall end-user experience.

   The following are examples of how native applications may utilize OAuth:

   o  Initiate an Authorization Request using an external user-agent: The native application can capture the response from the authorization server by providing a redirection URI identifying a custom URI scheme (registered with the operating system to invoke the native application as handler), or by providing a redirection URI identifying a server-hosted resource under the native application's control, which in turn makes the response available to the native application (e.g. using the user-agent window title or other locations accessible from outside the user-agent).

   o  Initiate an Authorization Request using an embedded user-agent: The native application obtains the response by directly communicating with the embedded user-agent. Techniques include monitoring state changes emitted during URL loading, accessing the user-agent's cookie jar, etc.

   When choosing between launching an external user-agent and embedding a user-agent, native application developers should consider the following:

   o  External user-agents may improve completion rate as the end-user may already have an active session with the authorization server removing the need to re-authenticate, and provide a familiar user-agent user experience. The end-user may also rely on extensions or add-ons to assist with authentication (e.g. password managers or 2-factor device reader).

   o  Embedded user-agents may offer an improved end-user flow, as they remove the need to switch context and open new windows.

   o  Embedded user-agents pose a security challenge because end-users are authenticating in an unidentified window without access to the visual protections offered by many user-agents. Embedded user-agents educate end-users to trust unidentified requests for authentication (making phishing attacks easier to execute).

   When choosing between implicit and authorization code grant types, the following should be considered:

   o  Native applications that use the authorization code grant type flow SHOULD do so without client password credentials, due to their inability to keep those credentials confidential.

   o  Native applications that use the implicit grant type may offer optimized performance in some scenarios due to reduced network requests.

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
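The following is an added example, not text from the message above or from the draft it proposes. It sketches the client side of the first pattern the proposed section describes: a native application that hands an authorization code request to an external user-agent, receives the redirect through a custom URI scheme registered with the operating system, and then requests a token as a public client, i.e. with a client_id but no client password. Because any process on the device can invoke a custom scheme, the callback handler checks the scheme and path, verifies the `state` value issued with the request (the CSRF binding from OAuth 2.0 core), and rejects error responses before it trusts the code. The endpoint URLs, client_id, custom scheme, and all function names are assumptions made for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Endpoint URLs, the client_id and the custom scheme are constructed for this
# example; none of them appear in the draft text.
AUTHORIZE_ENDPOINT = "https://as.example/authorize"
TOKEN_ENDPOINT = "https://as.example/token"
CLIENT_ID = "native-app-example"
CALLBACK_SCHEME = "com.example.app"          # registered with the OS as this app's handler
REDIRECT_URI = f"{CALLBACK_SCHEME}:/oauth2callback"


class CallbackError(ValueError):
    """Raised when a redirect delivered to the custom scheme handler must not be trusted."""


def build_authorization_request(scope, state=None):
    """Build the authorization code request URL the app hands to the external user-agent.

    `state` binds the eventual callback to this request; a fresh random value
    is generated unless the caller supplies one.
    """
    state = state or secrets.token_urlsafe(16)
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}", state


def parse_callback(callback_uri, expected_state):
    """Extract the authorization code from the URI the OS handed to the app.

    Any process can invoke a custom scheme, so the app verifies that the URI
    matches its registered redirect URI, carries the state it issued, and is
    not an error response before it accepts the code.
    """
    parts = urlsplit(callback_uri)
    if parts.scheme != CALLBACK_SCHEME or parts.path != "/oauth2callback":
        raise CallbackError("callback URI does not match the registered redirect URI")
    query = parse_qs(parts.query)
    if "error" in query:
        raise CallbackError(f"authorization server returned error: {query['error'][0]}")
    state = query.get("state", [""])[0]
    if not expected_state or not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise CallbackError("state mismatch: callback was not issued for this request")
    code = query.get("code", [""])[0]
    if not code:
        raise CallbackError("callback carries no authorization code")
    return code


def build_token_request(code):
    """Form parameters for the token endpoint.

    A native application is a public client: it sends client_id but no
    client_secret, because a secret shipped inside the app cannot be kept
    confidential.
    """
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
    }


def run_flow(callback_uri_factory, scope="profile"):
    """Drive the whole exchange offline.

    `callback_uri_factory(state)` stands in for the OS launching the app with
    the redirect; it returns the URI the authorization server redirected to.
    """
    _url, state = build_authorization_request(scope)
    callback_uri = callback_uri_factory(state)
    code = parse_callback(callback_uri, state)
    return build_token_request(code)


if __name__ == "__main__":
    # Constructed callback: the authorization server redirects the external
    # user-agent to the custom scheme and the OS launches the app with it.
    def fake_os_launch(state):
        return f"{REDIRECT_URI}?code=constructed-code-123&state={state}"

    print(run_flow(fake_os_launch))
```

`run_flow` takes a callable in place of the operating system so the sequence can be exercised without a browser; in a real application the same `parse_callback` check runs in whatever entry point the platform invokes for the registered scheme, and `build_token_request` is posted to the token endpoint over TLS.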