+1. I think this helps clarify some misconceptions that are out there.

Phil

@independentid
www.independentid.com
phil.h...@oracle.com

> On Jan 21, 2016, at 10:14 AM, George Fletcher <gffle...@aol.com> wrote:
>
> I'm also +1 for adoption
>
> On 1/21/16 2:56 AM, Roland Hedberg wrote:
>> +1 for adoption
>>
>>> On 21 Jan 2016, at 07:11, William Denniss <wdenn...@google.com> wrote:
>>>
>>> I believe this is important work.
>>>
>>> The original OAuth 2 spec left the topic of native apps largely undefined,
>>> which is fair enough: the mobile-first revolution had yet to really take
>>> hold and people didn't have much implementation experience for OAuth on
>>> mobile. But we've come a long way since then, we have the experience now,
>>> and I think there is a need for leadership in this space, and that it makes
>>> sense for the OAUTH-WG to continue our work and provide that leadership.
>>>
>>> The risk of not defining a best practice for native apps is dilution of the
>>> open standards: if everyone implements OAuth differently for native apps,
>>> and RPs have to write IDP-specific code, then what is the point of having
>>> OAuth as a standard in the first place? Security is a major concern as
>>> well; there are a lot of ways to mess this up, and the security situation
>>> for OAuth in many native apps is not nearly as good as it could be.
>>>
>>> By providing leadership in the form of a working group document, we can
>>> present community advice with the hope that IDPs and RPs alike will follow
>>> our recommendations, resulting in more interoperability, better usability
>>> and higher security.
>>>
>>> The best part about this spec is that it's pure OAuth! Just wrapped with
>>> some native app specific recommendations for both RPs and IDPs, to achieve
>>> the desired levels of usability and security on mobile.
>>>
>>> I will point out that we have rough consensus and running code. The rough
>>> consensus can be seen from the WG votes, and the sentiment on this thread
>>> (your dissenting opinion notwithstanding). Regarding running code, my team
>>> is in the process of open sourcing libraries that will implement this best
>>> practice to the letter (and the code's already running, I assure you). The
>>> proprietary Google Sign-in and Facebook Sign-in SDKs are also using in-app
>>> browser tabs for OAuth flows in production today, which I think is further
>>> evidence that this is a viable pattern.
>>>
>>> This document and proposal was never part of the OpenID working group that
>>> you refer to below.
>>>
>>> I'm not saying the document is perfect, and it is definitely in need of an
>>> update! But I'm committed to listening to the community and taking it
>>> forward. Now that the dependencies have launched, and our library
>>> implementations are done, I plan to update the doc with the feedback from
>>> this community, and the lessons we and others have learnt from our
>>> implementations.
>>>
>>> I hope the working group will consider adopting this document.
>>>
>>> Kind Regards,
>>> William
>>>
>>>
>>> On Thu, Jan 21, 2016 at 12:33 PM, Anthony Nadalin <tony...@microsoft.com> wrote:
>>> This work had many issues in the OpenID WG, where it failed; why should this
>>> be a WG item here? This does meet the requirements for experimental; there
>>> is a fine line between informational and experimental. I would be OK with
>>> either but prefer experimental; I don't think that this should become a
>>> standard.
>>>
>>> From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of John Bradley
>>> Sent: Wednesday, January 20, 2016 12:11 PM
>>> To: Nat Sakimura <sakim...@gmail.com>
>>> Cc: oauth@ietf.org
>>> Subject: Re: [OAUTH-WG] Call for adoption: OAuth 2.0 for Native Apps
>>>
>>> PS: as you probably suspected, I am in favour of moving this forward.
>>>
>>> On Jan 20, 2016, at 5:08 PM, Nat Sakimura <sakim...@gmail.com> wrote:
>>>
>>> +1 for moving this forward.
>>>
>>> On Thursday, January 21, 2016, John Bradley <ve7...@ve7jtb.com> wrote:
>>>
>>> Yes, more is needed. It was theoretical at that point. Now we have
>>> implementation experience.
>>>
>>> On Jan 20, 2016, at 3:38 PM, Brian Campbell <bcampb...@pingidentity.com> wrote:
>>>
>>> There is
>>> https://tools.ietf.org/html/draft-wdenniss-oauth-native-apps-00#appendix-A
>>> which has some mention of SFSafariViewController and Chrome Custom Tabs.
>>>
>>> Maybe more is needed?
>>>
>>> On Wed, Jan 20, 2016 at 10:45 AM, John Bradley <ve7...@ve7jtb.com> wrote:
>>>
>>> Yes, in July we recommended using the system browser rather than WebViews.
>>>
>>> About that time Apple announced Safari view controller and Google Chrome
>>> custom tabs. The code in the OS is now stable and we have done a fair
>>> amount of testing.
>>>
>>> The OIDF will shortly be publishing reference libraries for iOS and Android
>>> to show how to best use View Controllers, and PKCE in native apps on those
>>> platforms.
>>>
>>> We do need to update this doc to reflect what we have learned in the last 6
>>> months.
>>>
>>> One problem we do still have is not having someone with Win 10 mobile
>>> experience to help document the best practices for that platform.
>>>
>>> I don't understand that platform well enough yet to include anything.
>>>
>>> John B.
>>>
>>> On Jan 20, 2016, at 12:40 PM, Aaron Parecki <aa...@parecki.com> wrote:
>>>
>>> The section on embedded web views doesn't mention the new iOS 9
>>> SFSafariViewController, which allows apps to display a system browser within
>>> the application. The new API doesn't give the calling application access to
>>> anything inside the browser, so it is acceptable for use with OAuth
>>> flows. I think it's important to mention this new capability for apps to
>>> leverage since it leads to a better user experience.
>>>
>>> I'm sure that can be addressed in the coming months if this document is
>>> just the starting point.
>>>
>>> I definitely agree that a document about native apps is necessary since the
>>> core leaves a lot of guessing room for an implementation.
>>>
>>> For reference,
>>> https://developer.apple.com/library/prerelease/ios/releasenotes/General/WhatsNewIniOS/Articles/iOS9.html#//apple_ref/doc/uid/TP40016198-DontLinkElementID_26
>>>
>>> And see the attached screenshot for an example of what it looks like.
>>>
>>> <embedded-oauth-view.png>
>>>
>>> ----
>>> Aaron Parecki
>>> aaronparecki.com
>>> @aaronpk
>>>
>>> On Tue, Jan 19, 2016 at 3:46 AM, Hannes Tschofenig
>>> <hannes.tschofe...@gmx.net> wrote:
>>>
>>> Hi all,
>>>
>>> this is the call for adoption of OAuth 2.0 for Native Apps, see
>>> http://datatracker.ietf.org/doc/draft-wdenniss-oauth-native-apps/
>>>
>>> Please let us know by Feb 2nd whether you accept / object to the
>>> adoption of this document as a starting point for work in the OAuth
>>> working group.
>>>
>>> Note: If you already stated your opinion at the IETF meeting in Yokohama
>>> then you don't need to re-state your opinion, if you want.
>>>
>>> The feedback at the Yokohama IETF meeting was the following: 16 persons
>>> for doing the work / 0 persons against / 2 persons need more info
>>>
>>> Ciao
>>> Hannes & Derek
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>> --
>>> Nat Sakimura (=nat)
>>>
>>> Chairman, OpenID Foundation
>>> http://nat.sakimura.org/
>>> @_nat_en
>
> --
> Chief Architect
> Identity Services Engineering   Work: george.fletc...@teamaol.com
> AOL Inc.                        AIM: gffletch
> Mobile: +1-703-462-3494         Twitter: http://twitter.com/gffletch
> Office: +1-703-265-2544         Photos: http://georgefletcher.photography
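The thread refers to using PKCE together with in-app browser tabs in native apps. The following is an added example, not code from the thread or from the OIDF/Google libraries it mentions: a hypothetical, minimal authorization-server stand-in (`AuthorizationServer`) that accepts only the S256 method, binds each authorization code to its challenge, and rejects a code that is redeemed without the verifier that stayed inside the app, or redeemed a second time. The challenge derivation is checked against the RFC 7636 Appendix B test vector.

```python
import base64
import hashlib
import hmac
import re
import secrets

# code_verifier alphabet and length per RFC 7636 section 4.1.
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")

def _b64url(data: bytes) -> str:
    # Base64url without "=" padding, as RFC 7636 requires.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_code_verifier() -> str:
    # 32 random bytes encode to 43 characters, the minimum allowed length.
    return _b64url(secrets.token_bytes(32))

def make_code_challenge(verifier: str) -> str:
    # S256 method: BASE64URL(SHA256(ASCII(code_verifier))).
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())

class AuthorizationServer:
    """Hypothetical stand-in for the PKCE checks an authorization server performs."""

    def __init__(self) -> None:
        self._pending = {}  # authorization code -> stored code_challenge

    def authorize(self, code_challenge: str, method: str) -> str:
        # Refuse "plain" and unknown methods; only S256 keeps the verifier out of the code.
        if method != "S256":
            raise ValueError("unsupported code_challenge_method")
        code = _b64url(secrets.token_bytes(24))
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        # Pop so each code is single-use: a wrong guess burns it and a replay fails.
        expected = self._pending.pop(code, None)
        if expected is None or not _VERIFIER_RE.match(code_verifier):
            return False
        return hmac.compare_digest(make_code_challenge(code_verifier), expected)

def run_flow(present_real_verifier: bool) -> tuple:
    """Native-app flow; returns (first token request accepted, replay accepted)."""
    server = AuthorizationServer()
    verifier = make_code_verifier()  # never leaves the app
    code = server.authorize(make_code_challenge(verifier), "S256")
    # A code seen in the redirect is useless to anyone without the verifier.
    offered = verifier if present_real_verifier else make_code_verifier()
    return server.token(code, offered), server.token(code, verifier)
```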