Hi, I have read draft-ietf-oauth-native-apps-01 and I generally agree with the overall recommendations in the draft, and it is well written (I haven't participated in this WG before, so I don't know what to what level it has already been discussed).
Some comments: - Section 2, last paragraph: I agree with the general recommendation to not use an external user agent because of complexity. However, there are cases when a tablet is sold as a closed system and under full control of the vendor. In these cases, the vendor can preinstall the AS user agent into the operating system and provide APIs for other apps to use it. - Section 5.1 (Embedded User-agents): "Authorization servers SHOULD consider taking steps to detect and block logins via embedded user-agents that are not their own, where possible." Do you have any recommendation how to do that, other than reading the (easily modifiable) User-Agent HTTP header? Maybe you could add a sentence for providing some guidance here. - Section 5.3 (Phishing): This is indeed concerning; it's very easy to fake the in-app browser. The draft says: "If all native apps use the techniques described in this best practice, users will not need to sign-in frequently and thus should be suspicious of any sign-in request when they should have already been signed-in." That is true, in theory, but sounds like a big "if" to me. Most users are not savvy enough to be suspicious if a login screen appears and it looks the same as the one they know. I admit that I don't have any suggestion how to do it better, but this part seems to be the most problematic to me for using OAuth on native devices. Best regards Ulrich _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
