A native UI does not rule out WebAuthn/FIDO; in fact, we have an in-progress
branch of the draft that shows how you could support passkeys with this
spec: https://github.com/aaronpk/oauth-first-party-apps/pull/93

While there isn't an RFC for authenticating first-party apps, there is
plenty of precedent for doing so already using the Apple and Android APIs.
There is an adopted in-progress draft that could standardize this as well:
https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/

Aaron

On Wed, Sep 4, 2024 at 7:37 AM Neil Madden <neil.e.mad...@gmail.com> wrote:

> I am a bit skeptical about this one. I’m not convinced we should be
> recommending native UI until/unless we have a really good story around
> authenticating first-party apps. Without such a story, I don’t think this
> should be adopted. Unless I’m mistaken, a native UI also rules out
> WebAuthn/FIDO-based authenticators? We should not be adopting drafts that
> increase phishing risks for the sake of aesthetics.
>
> — Neil
>
> On 3 Sep 2024, at 11:46, Rifaat Shekh-Yusef <rifaat.s.i...@gmail.com> wrote:
>
> All,
>
> As per the discussion in Vancouver, this is a call for adoption for the
> First Party Apps draft:
> https://datatracker.ietf.org/doc/draft-parecki-oauth-first-party-apps/
>
> Please reply on the mailing list and let us know if you are in favor of or
> against adopting this draft as a WG document, by *Sep 17th*.
>
> Regards,
>  Rifaat & Hannes
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-le...@ietf.org