A native UI does not rule out WebAuthn/FIDO; in fact, we have an in-progress branch of the draft that shows how you could support passkeys with this spec: https://github.com/aaronpk/oauth-first-party-apps/pull/93
While there isn't an RFC for authenticating first-party apps, there is plenty of precedent for doing so already using the Apple and Android APIs. There is an adopted in-progress draft that could standardize this as well: https://datatracker.ietf.org/doc/draft-ietf-oauth-attestation-based-client-auth/

Aaron

On Wed, Sep 4, 2024 at 7:37 AM Neil Madden <neil.e.mad...@gmail.com> wrote:

> I am a bit skeptical about this one. I’m not convinced we should be recommending native UI until/unless we have a really good story around authenticating first-party apps. Without such a story, I don’t think this should be adopted. Unless I’m mistaken, a native UI also rules out WebAuthn/FIDO-based authenticators? We should not be adopting drafts that increase phishing risks for the sake of aesthetics.
>
> — Neil
>
> On 3 Sep 2024, at 11:46, Rifaat Shekh-Yusef <rifaat.s.i...@gmail.com> wrote:
>
> All,
>
> As per the discussion in Vancouver, this is a call for adoption for the First Party Apps draft:
> https://datatracker.ietf.org/doc/draft-parecki-oauth-first-party-apps/
>
> Please, reply on the mailing list and let us know if you are in favor or against adopting this draft as WG document, by *Sep 17th*.
>
> Regards,
> Rifaat & Hannes
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-le...@ietf.org
>
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-le...@ietf.org