+1 for adoption

> On 21 Jan 2016, at 07:11, William Denniss <wdenn...@google.com> wrote:
>
> I believe this is important work.
>
> The original OAuth 2 spec left the topic of native apps largely undefined,
> which is fair enough; the mobile-first revolution had yet to really take
> hold and people didn't have much implementation experience for OAuth on
> mobile. But we've come a long way since then, we have the experience now,
> and I think there is a need for leadership in this space, and that it makes
> sense for the OAUTH-WG to continue our work and provide that leadership.
>
> The risk of not defining a best practice for native apps is dilution of the
> open standards – if everyone implements OAuth differently for native apps,
> and RPs have to write IDP-specific code, then what is the point of having
> OAuth as a standard in the first place? Security is a major concern as
> well; there are a lot of ways to mess this up, and the security situation
> for OAuth in many native apps is not nearly as good as it could be.
>
> By providing leadership in the form of a working group document, we can
> present community advice with the hope that IDPs and RPs alike will follow
> our recommendations, resulting in more interoperability, better usability
> and higher security.
>
> The best part about this spec is that it's pure OAuth! Just wrapped with
> some native app specific recommendations for both RPs and IDPs, to achieve
> the desired levels of usability and security on mobile.
>
> I will point out that we have rough consensus and running code. The rough
> consensus can be seen from the WG votes and the sentiment on this thread
> (your dissenting opinion notwithstanding). Regarding running code, my team
> is in the process of open sourcing libraries that will implement this best
> practice to the letter (and the code's already running, I assure you). The
> proprietary Google Sign-in and Facebook Sign-in SDKs are also using in-app
> browser tabs for OAuth flows in production today, which I think is further
> evidence that this is a viable pattern.
>
> This document and proposal was never part of the OpenID working group that
> you refer to below.
>
> I'm not saying the document is perfect, and it is definitely in need of an
> update! But I'm committed to listening to the community and taking it
> forward. Now that the dependencies have launched, and our library
> implementations are done, I plan to update the doc with the feedback from
> this community, and the lessons we and others have learnt from our
> implementations.
>
> I hope the working group will consider adopting this document.
>
> Kind Regards,
> William
>
>
> On Thu, Jan 21, 2016 at 12:33 PM, Anthony Nadalin <tony...@microsoft.com> wrote:
> > This work had many issues in the OpenID WG, where it failed; why should
> > this be a WG item here? This does meet the requirements for experimental;
> > there is a fine line between informational and experimental. I would be
> > OK with either but prefer experimental. I don't think that this should
> > become a standard.
> >
> > From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of John Bradley
> > Sent: Wednesday, January 20, 2016 12:11 PM
> > To: Nat Sakimura <sakim...@gmail.com>
> > Cc: oauth@ietf.org
> > Subject: Re: [OAUTH-WG] Call for adoption: OAuth 2.0 for Native Apps
> >
> > PS as you probably suspected I am in favour of moving this forward.
> >
> > On Jan 20, 2016, at 5:08 PM, Nat Sakimura <sakim...@gmail.com> wrote:
> > > +1 for moving this forward.
> > >
> > > On Thursday, January 21, 2016, John Bradley <ve7...@ve7jtb.com> wrote:
> > > > Yes, more is needed. It was theoretical at that point. Now we have
> > > > implementation experience.
> > > >
> > > > On Jan 20, 2016, at 3:38 PM, Brian Campbell <bcampb...@pingidentity.com> wrote:
> > > > > There is
> > > > > https://tools.ietf.org/html/draft-wdenniss-oauth-native-apps-00#appendix-A
> > > > > which has some mention of SFSafariViewController and Chrome Custom Tabs.
> > > > >
> > > > > Maybe more is needed?
> > > > >
> > > > > On Wed, Jan 20, 2016 at 10:45 AM, John Bradley <ve7...@ve7jtb.com> wrote:
> > > > > > Yes, in July we recommended using the system browser rather than
> > > > > > WebViews.
> > > > > >
> > > > > > About that time Apple announced Safari view controller and Google
> > > > > > Chrome custom tabs. The code in the OS is now stable and we have
> > > > > > done a fair amount of testing.
> > > > > >
> > > > > > The OIDF will shortly be publishing reference libraries for iOS and
> > > > > > Android to show how to best use View Controllers, and PKCE in
> > > > > > native apps on those platforms.
> > > > > >
> > > > > > We do need to update this doc to reflect what we have learned in
> > > > > > the last 6 months.
> > > > > >
> > > > > > One problem we do still have is not having someone with Win 10
> > > > > > mobile experience to help document the best practices for that
> > > > > > platform. I don't understand that platform well enough yet to
> > > > > > include anything.
> > > > > >
> > > > > > John B.
> > > > > >
> > > > > > On Jan 20, 2016, at 12:40 PM, Aaron Parecki <aa...@parecki.com> wrote:
> > > > > > > The section on embedded web views doesn't mention the new iOS 9
> > > > > > > SFSafariViewController, which allows apps to display a system
> > > > > > > browser within the application. The new API doesn't give the
> > > > > > > calling application access to anything inside the browser, so it
> > > > > > > is acceptable for use with OAuth flows. I think it's important to
> > > > > > > mention this new capability for apps to leverage, since it leads
> > > > > > > to a better user experience.
> > > > > > >
> > > > > > > I'm sure that can be addressed in the coming months if this
> > > > > > > document is just the starting point.
> > > > > > >
> > > > > > > I definitely agree that a document about native apps is
> > > > > > > necessary, since the core leaves a lot of guessing room for an
> > > > > > > implementation.
> > > > > > >
> > > > > > > For reference,
> > > > > > > https://developer.apple.com/library/prerelease/ios/releasenotes/General/WhatsNewIniOS/Articles/iOS9.html#//apple_ref/doc/uid/TP40016198-DontLinkElementID_26
> > > > > > >
> > > > > > > And see the attached screenshot for an example of what it looks like.
> > > > > > >
> > > > > > > <embedded-oauth-view.png>
> > > > > > >
> > > > > > > ----
> > > > > > > Aaron Parecki
> > > > > > > aaronparecki.com
> > > > > > > @aaronpk
> > > > > > >
> > > > > > > On Tue, Jan 19, 2016 at 3:46 AM, Hannes Tschofenig <hannes.tschofe...@gmx.net> wrote:
> > > > > > > > Hi all,
> > > > > > > >
> > > > > > > > this is the call for adoption of OAuth 2.0 for Native Apps, see
> > > > > > > > http://datatracker.ietf.org/doc/draft-wdenniss-oauth-native-apps/
> > > > > > > >
> > > > > > > > Please let us know by Feb 2nd whether you accept / object to the
> > > > > > > > adoption of this document as a starting point for work in the
> > > > > > > > OAuth working group.
> > > > > > > >
> > > > > > > > Note: If you already stated your opinion at the IETF meeting in
> > > > > > > > Yokohama then you don't need to re-state your opinion, if you
> > > > > > > > want.
> > > > > > > >
> > > > > > > > The feedback at the Yokohama IETF meeting was the following:
> > > > > > > > 16 persons for doing the work / 0 persons against / 2 persons
> > > > > > > > need more info
> > > > > > > >
> > > > > > > > Ciao
> > > > > > > > Hannes & Derek
> > > > > > > >
> > > > > > > > _______________________________________________
> > > > > > > > OAuth mailing list
> > > > > > > > OAuth@ietf.org
> > > > > > > > https://www.ietf.org/mailman/listinfo/oauth
> > >
> > > --
> > > Nat Sakimura (=nat)
> > >
> > > Chairman, OpenID Foundation
> > > http://nat.sakimura.org/
> > > @_nat_en
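Added example, not code from the draft, from anyone in this thread, or from the OIDF/Google libraries John and William mention: the authorization-code flow with PKCE (RFC 7636) as a native app runs it through the system browser or an in-app browser tab, with the authorization server simulated in-process so it runs offline. The authorization endpoint, the client_id and the com.example.app custom-scheme redirect URI are assumptions chosen for the example. It shows the two checks the "system browser, not WebView" recommendation relies on: the app binds the redirect it receives to the request it started with state, and the authorization server only redeems a code when the caller presents the code_verifier whose S256 hash was sent in the authorization request, so a code intercepted by another app that registered the same custom scheme is useless on its own.

```python
"""PKCE authorization-code flow for a native app, both sides simulated.
Example code only; the AS, client id and redirect URI are made up."""

import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical values chosen for this example (not from the draft or thread).
AUTHZ_ENDPOINT = "https://as.example/authorize"
CLIENT_ID = "example-native-app"
# Custom-scheme redirect URI: how the OS hands the authorization response
# from the system browser / in-app browser tab back to the native app.
REDIRECT_URI = "com.example.app:/oauth2redirect"


def b64url(data):
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def code_challenge_s256(verifier):
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def new_code_verifier():
    """32 random bytes -> 43 unreserved chars, the RFC 7636 minimum length."""
    return b64url(secrets.token_bytes(32))


def build_authorization_url(challenge, state):
    """URL the app opens in the system browser. Only the challenge leaves
    the app; the verifier stays in process memory until the token request."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile",
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def parse_authorization_response(redirect_url, expected_state):
    """Handle the custom-scheme redirect delivered to the app. Returns the
    code, or raises if the response does not belong to our request."""
    parsed = urlparse(redirect_url)
    if parsed.scheme + ":" + parsed.path != REDIRECT_URI:
        raise ValueError("redirect delivered to an unexpected URI")
    q = parse_qs(parsed.query)
    if "error" in q:
        raise ValueError("authorization failed: " + q["error"][0])
    # state ties the response to the request this app instance started.
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    return q["code"][0]


class SimulatedAuthorizationServer:
    """Minimal in-process stand-in for an AS: remembers the challenge with
    each issued code and checks the verifier at the token endpoint."""

    def __init__(self):
        self._pending = {}  # code -> (code_challenge, redirect_uri)

    def authorize(self, url):
        """Simulates the user approving in the browser; returns the redirect."""
        q = parse_qs(urlparse(url).query)
        if q.get("code_challenge_method") != ["S256"]:
            raise ValueError("only S256 accepted")
        code = secrets.token_urlsafe(16)
        self._pending[code] = (q["code_challenge"][0], q["redirect_uri"][0])
        return q["redirect_uri"][0] + "?" + urlencode(
            {"code": code, "state": q["state"][0]})

    def token(self, code, verifier, redirect_uri):
        """Token endpoint: codes are single use, bound to the redirect URI,
        and redeemable only with the verifier matching the stored challenge."""
        entry = self._pending.pop(code, None)
        if entry is None:
            return None
        challenge, bound_redirect = entry
        if redirect_uri != bound_redirect:
            return None
        if not hmac.compare_digest(code_challenge_s256(verifier), challenge):
            return None
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


def run_native_app_flow(server, verifier_for_token=None):
    """The whole flow from the app's side. verifier_for_token lets a caller
    present a wrong verifier to see the AS refuse the code."""
    verifier = new_code_verifier()
    state = secrets.token_urlsafe(16)
    url = build_authorization_url(code_challenge_s256(verifier), state)
    # A real app hands `url` to SFSafariViewController / a Chrome Custom Tab
    # and never sees what the user types there; simulated in-process here.
    redirect = server.authorize(url)
    code = parse_authorization_response(redirect, state)
    return server.token(code, verifier_for_token or verifier, REDIRECT_URI)


if __name__ == "__main__":
    print(run_native_app_flow(SimulatedAuthorizationServer()))
```

The simulated server is deliberately strict: it refuses the plain challenge method, binds the code to the redirect URI it was issued for, and discards the code after one redemption, which is the behaviour a native app should expect from a PKCE-capable AS and the reason a leaked code gives another app on the device nothing without the verifier.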