The mtls spec doesn't cover the authorization endpoint.

Mtls via the browser is a whole world of pain.

I believe that for a native app to use mtls via a chrome custom tab or
Safari view controller you need to provision a certificate and private key
to the system keystore.  It is not something that can happen dynamically
from the app.

That in practice is generally done by proprietary EMM (Enterprise Mobility
Management) systems like MobileIron etc.

I think there are also some issues with the app using the same key, it may
need to be separately provisioned to the app as well.

Each OS and browser has its own twists.

It is probably better to explain how to do WebAuthn based authentication
via the browser and app.

I think there is likely more value in having a WebAuthn based
authentication of the app that also attests to the identity of the app than
trying to document all the implementation issues with MTLS via the browser.

It depends on what the working group thinks is important.

John B.

On Tue, May 7, 2019, 4:33 AM Hannes Tschofenig <hannes.tschofe...@arm.com>
wrote:

> Hi Phil
>
> I believe this is a question that William and John may be able to answer.
>
> Should MTLS be added to a future version of the Native Apps BCP? If the
> answer is “no”, why not?
>
> Ciao
>
> Hannes
>
> *From:* OAuth <oauth-boun...@ietf.org> *On Behalf Of *Phil Hunt
> *Sent:* Thursday, 2 May 2019 20:41
> *To:* oauth <oauth@ietf.org>
> *Subject:* [OAUTH-WG] MTLS and Native apps Best practices
>
> I was wondering if anyone had any recommended MTLS best practices for
> mobile apps and native browsers.
>
> Considering Section 6 of RFC8252…
>
>    After constructing the authorization request URI, the app uses
>    platform-specific APIs to open the URI in an external user-agent.
>    Typically, the external user-agent used is the default browser, that
>    is, the application configured for handling "http" and "https" scheme
>    URIs on the system; however, different browser selection criteria and
>    other categories of external user-agents MAY be used.
>
> What choices do developers have to ensure the authorization (and
> subsequent user authentication) occur over MTLS? Can the app provide its
> own key for MTLS or can it ask that an embedded X.509 cert be used
> (assuming one is available)?
>
> Are there any platform issues or best practices?
>
> Phil Hunt | Cloud Security and Identity Architect
> Oracle Corporation, Oracle Cloud Infrastructure
> @independentid
> www.independentid.com
> phil.h...@oracle.com
>
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
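Added example, not part of the thread: the RFC 8252 Section 6 step quoted above in code. The native app builds the authorization request URI it hands to the external user-agent, and since mTLS cannot protect that leg (John's point), the request carries the PKCE code challenge that RFC 8252 Section 8.1 requires; the app then checks `state` on the returned redirect and the authorization server checks the verifier at the token endpoint. The endpoint, client id and redirect URI are constructed assumptions.

```python
import base64
import hashlib
import secrets
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values for the example; the endpoint, client id and redirect URI
# are assumptions, not taken from the thread.
AUTHORIZATION_ENDPOINT = "https://as.example/authorize"
CLIENT_ID = "native-app-example"
REDIRECT_URI = "com.example.app:/oauth2redirect"  # private-use scheme, RFC 8252 section 7.1


def b64url(data: bytes) -> str:
    """Base64url without padding, as PKCE (RFC 7636) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method."""
    verifier = b64url(secrets.token_bytes(32))  # 43 characters, inside the 43..128 range
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorization_uri(code_challenge: str, state: str, scope: str = "openid") -> str:
    """The RFC 8252 section 6 step: the URI the app opens in the external user-agent."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZATION_ENDPOINT}?{urlencode(params)}"


def extract_code(redirect_uri: str, expected_state: str) -> Optional[str]:
    """App side: reject a redirect whose state does not match, otherwise return the code."""
    query = parse_qs(urlsplit(redirect_uri).query)
    if query.get("state", [None])[0] != expected_state:
        return None
    return query.get("code", [None])[0]


def verify_pkce(code_verifier: str, stored_challenge: str) -> bool:
    """Authorization server side at the token endpoint: S256(verifier) must equal the challenge."""
    expected = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected, stored_challenge)
```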