> On May 7, 2019, at 8:02 AM, John Bradley wrote:
>
> I believe that for a native app to use mTLS via a Chrome custom tab or Safari
> view controller you need to provision a certificate and private key to the
> system keystore. It is not something that can happen dynamically from the
> app
ay be able to answer.
> Should MTLS be added to a future version of the Native Apps BCP? If the
> answer is “no”, why not?
>
> Ciao
>
> Hannes
>
> *From:* OAuth *On Behalf Of* Phil Hunt
> *Sent:* Thursday, 2 May 2019 20:41
> *To:* oauth
> *Subject:* [OAUTH-W
] MTLS and Native apps Best practices
Are you hoping to use the key to authenticate the user, or the OAuth
client? If it's the latter, then you don't need to use MTLS to the
authorisation endpoint. If it's the former, I'd argue that you would
certainly need to include your public key in an X509 cert and *somehow*
make it available to t
Yes. I was more wondering if the app can invoke the system embedded view using
its own key pair to ensure protected authen.
Eg. If the authorization endpoint is set to require mutual tls, can the system
view use the app’s keys since the app is invoking it?
Or, would there have to be a user x.5
Hi Phil,
since mTLS is used at the tokens endpoint, native apps can definitely use their
own key pair. I would assume such an app to act as public client, but mTLS
would allow such an app to bind its key pair with the token request to the
issued tokens.
Apps running in the browser is a separ
I was wondering if anyone had any recommended MTLS best practices for mobile
apps and native browsers.
Considering Section 6 of RFC8252…
After constructing the authorization request URI, the app uses
platform-specific APIs to open the URI in an external user-agent.
Typically, the externa