Hi, I've enclosed some notes which were sent in to the Internet Identity Workshop (IIW) on an OAuth session at IIW last week with Dick Hardt. Much of the session ended up deep-ending on the OAuth/mobile assurance issue that I address in the following blog post:

Managing OAuth Risks in Mobile Applications<http://security-architect.blogspot.com/2013/10/managing-oauth-risks-in-mobile.html>

*Session Title:* OAuth - the good parts... Intro to OAuth by Dick Hardt

Note: this session was combined with the session "OAuth 2.0 Assurance" by Dan Blum.

Moderated by Dick Hardt and Dan Blum

*Summary:*

Attendees of this session were primarily interested in sharing observations on OAuth best practices. After some discussion, a debate arose about best practices for securing the OAuth interaction with mobile clients. This debate wasn't resolved.

*General Notes:*

- OAuth is a framework, not a protocol.
- Many implementations still use OAuth 1. There was some discussion of this, but no strong reason or justification to continue focusing on OAuth 1 was expressed at this meeting.
- How do you build an API that lets people run apps that register people on the device, and what are the best practices?
- Major social networks (e.g. salesforce) are giving developers samples that are "like" what they are trying to do; are these best practices or just historical artifacts?

*Secure OAuth use with mobile devices discussion / debate*

(see Managing OAuth Risks in Mobile Applications<http://security-architect.blogspot.com/2013/10/managing-oauth-risks-in-mobile.html>)

I'd appreciate your thoughts on the issues. Comments on the blog post, or here, would be great.

Best regards,
Dan Blum
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth