I'm also +1 for adoption

On 1/21/16 2:56 AM, Roland Hedberg wrote:
+1 for adoption

On 21 Jan 2016, at 07:11, William Denniss <wdenn...@google.com> wrote:

I believe this is important work.

The original OAuth 2 spec left the topic of native apps largely undefined, which 
is fair enough: the mobile-first revolution had yet to really take hold, and 
people didn't have much implementation experience for OAuth on mobile. But 
we've come a long way since then; we have the experience now, and I think there 
is a need for leadership in this space, and that it makes sense for the 
OAUTH-WG to continue our work and provide that leadership.

The risk of not defining a best practice for native apps is dilution of the 
open standards – if everyone implements OAuth differently for native apps, and 
RPs have to write IDP-specific code, then what is the point of having OAuth as a 
standard in the first place? Security is a major concern as well; there are a 
lot of ways to mess this up, and the security situation for OAuth in many native 
apps is not nearly as good as it could be.

By providing leadership in the form of a working group document, we can present 
community advice with the hope that IDPs and RPs alike will follow our 
recommendations, resulting in more interoperability, better usability and 
higher security.

The best part about this spec is that it's pure OAuth! Just wrapped with some 
native-app-specific recommendations for both RPs and IDPs, to achieve the 
desired levels of usability and security on mobile.

I will point out that we have rough consensus and running code. The rough 
consensus can be seen from the WG votes, and the sentiment on this thread (your 
dissenting opinion notwithstanding). Regarding running code, my team is in the 
process of open sourcing libraries that will implement this best practice to 
the letter (and the code's already running, I assure you). The proprietary 
Google Sign-in and Facebook Sign-in SDKs are also using in-app browser tabs for 
OAuth flows in production today, which I think is further evidence that this is 
a viable pattern.

This document and proposal was never part of the OpenID working group that you 
refer to below.

I'm not saying the document is perfect, and it is definitely in need of an 
update! But I'm committed to listening to the community and taking it forward. 
Now that the dependencies have launched, and our library implementations are 
done, I plan to update the doc with the feedback from this community, and the 
lessons we and others have learnt from our implementations.

I hope the working group will consider adopting this document.

Kind Regards,
William


On Thu, Jan 21, 2016 at 12:33 PM, Anthony Nadalin <tony...@microsoft.com> wrote:
This work had many issues in the OpenID WG, where it failed; why should this be a 
WG item here? This does meet the requirements for experimental; there is a fine 
line between informational and experimental. I would be OK with either but 
prefer experimental. I don't think that this should become a standard.

From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of John Bradley
Sent: Wednesday, January 20, 2016 12:11 PM
To: Nat Sakimura <sakim...@gmail.com>
Cc: oauth@ietf.org
Subject: Re: [OAUTH-WG] Call for adoption: OAuth 2.0 for Native Apps

PS as you probably suspected I am in favour of moving this forward.

On Jan 20, 2016, at 5:08 PM, Nat Sakimura <sakim...@gmail.com> wrote:

+1 for moving this forward.

On Thursday, January 21, 2016, John Bradley <ve7...@ve7jtb.com> wrote:

Yes more is needed. It was theoretical at that point. Now we have 
implementation experience.

On Jan 20, 2016, at 3:38 PM, Brian Campbell <bcampb...@pingidentity.com> wrote:

There is 
https://tools.ietf.org/html/draft-wdenniss-oauth-native-apps-00#appendix-A 
which has some mention of SFSafariViewController and Chrome Custom Tabs.

Maybe more is needed?

On Wed, Jan 20, 2016 at 10:45 AM, John Bradley <ve7...@ve7jtb.com> wrote:

Yes, in July we recommended using the system browser rather than WebViews.

About that time Apple announced Safari view controller and Google Chrome custom 
tabs. The code in the OS is now stable and we have done a fair amount of 
testing.

The OIDF will shortly be publishing reference libraries for iOS and Android to 
show how to best use View Controllers, and PKCE in native apps on those 
platforms.

We do need to update this doc to reflect what we have learned in the last 6 
months.

One problem we do still have is not having someone with Win 10 mobile 
experience to help document the best practices for that platform.

I don't understand that platform well enough yet to include anything.

John B.

On Jan 20, 2016, at 12:40 PM, Aaron Parecki <aa...@parecki.com> wrote:

The section on embedded web views doesn't mention the new iOS 9 
SFSafariViewController, which allows apps to display a system browser within the 
application. The new API doesn't give the calling application access to 
anything inside the browser, so it is acceptable for use with OAuth flows. I 
think it's important to mention this new capability for apps to leverage since 
it leads to a better user experience.

I'm sure that can be addressed in the coming months if this document is just 
the starting point.

I definitely agree that a document about native apps is necessary since the 
core leaves a lot of guessing room for an implementation.

For reference, 
https://developer.apple.com/library/prerelease/ios/releasenotes/General/WhatsNewIniOS/Articles/iOS9.html#//apple_ref/doc/uid/TP40016198-DontLinkElementID_26

And see the attached screenshot for an example of what it looks like.

<embedded-oauth-view.png>

----
Aaron Parecki
aaronparecki.com
@aaronpk

On Tue, Jan 19, 2016 at 3:46 AM, Hannes Tschofenig <hannes.tschofe...@gmx.net> 
wrote:

Hi all,

this is the call for adoption of OAuth 2.0 for Native Apps, see
http://datatracker.ietf.org/doc/draft-wdenniss-oauth-native-apps/

Please let us know by Feb 2nd whether you accept / object to the
adoption of this document as a starting point for work in the OAuth
working group.

Note: If you already stated your opinion at the IETF meeting in Yokohama
then you don't need to re-state your opinion, if you want.

The feedback at the Yokohama IETF meeting was the following: 16 persons
for doing the work / 0 persons against / 2 persons need more info

Ciao
Hannes & Derek


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

--
Nat Sakimura (=nat)

Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en

--
Chief Architect
Identity Services Engineering     Work: george.fletc...@teamaol.com
AOL Inc.                          AIM:  gffletch
Mobile: +1-703-462-3494           Twitter: http://twitter.com/gffletch
Office: +1-703-265-2544           Photos: http://georgefletcher.photography
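
John Bradley's message above names PKCE, alongside system-browser view controllers, as what the reference libraries will show native apps how to use. The following is an added example, not code from this thread or from the OIDF libraries it mentions: the PKCE (RFC 7636) verifier and S256 challenge a native app generates, the state check it applies to the redirect back from the browser, and the check an authorization server makes at the token endpoint. The endpoint, client id and redirect URI values used in the test are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit


def b64url(raw: bytes) -> str:
    """base64url without '=' padding, the encoding RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def code_verifier(nbytes: int = 32) -> str:
    """Client side: high-entropy secret the app keeps in memory and never sends
    through the browser. 32 random bytes give 43 characters, the RFC minimum."""
    return b64url(secrets.token_bytes(nbytes))


def code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(verifier))), sent with the authorization request."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorization_url(endpoint: str, client_id: str, redirect_uri: str,
                      scope: str, state: str, challenge: str) -> str:
    """Front-channel request the app opens in the system browser, not an embedded WebView."""
    params = {
        "response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
        "scope": scope, "state": state,
        "code_challenge": challenge, "code_challenge_method": "S256",
    }
    return endpoint + "?" + urlencode(params)


def code_from_redirect(redirect_url: str, expected_state: str):
    """Client side: take the code only when the state matches the one this app issued."""
    q = parse_qs(urlsplit(redirect_url).query)
    state = q.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        return None  # foreign or replayed redirect: discard it
    return q.get("code", [None])[0]


def server_accepts_verifier(stored_challenge: str, stored_method: str, presented: str) -> bool:
    """Authorization server side, at the token endpoint: recompute the challenge from
    the presented verifier and compare in constant time. Only S256 is accepted here."""
    if stored_method != "S256" or not 43 <= len(presented) <= 128:
        return False
    return hmac.compare_digest(code_challenge(presented), stored_challenge)
```

An intercepted authorization code is useless to an app that did not generate the verifier, which is the property PKCE gives a public native client that cannot hold a client secret.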
