Sorry I missed your comments. Inline > On Apr 4, 2016, at 1:09 PM, Ulrich Herberg <[email protected]> wrote: > > Hi, > > I have read draft-ietf-oauth-native-apps-01 and I generally agree with > the overall recommendations in the draft, and it is well written (I > haven't participated in this WG before, so I don't know what to what > level it has already been discussed). > > Some comments: > - Section 2, last paragraph: > I agree with the general recommendation to not use an external user > agent because of complexity. However, there are cases when a tablet is > sold as a closed system and under full control of the vendor. In these > cases, the vendor can preinstall the AS user agent into the operating > system and provide APIs for other apps to use it. > Yes that is possable but this document is not describing how to use such an external token agent. That needs to be a separate spec. We did start one called NAPPS in the OpenID foundation but have largely abandoned it due to to the complexity of also needing to change OAuth to support that model.
It can be done but so far only in a relatively closed environment. For applications that need to work with multiple authentication servers the model of doing OAuth via a system browser seems the most strait-forward. We are recommending not doing it and saying if you want to it is out of scope. If you have some specific text you would like to see let us know. > > - Section 5.1 (Embedded User-agents): "Authorization servers SHOULD > consider taking steps to detect and block logins via embedded > user-agents that are not their own, where possible." > > Do you have any recommendation how to do that, other than reading the > (easily modifiable) User-Agent HTTP header? Maybe you could add a > sentence for providing some guidance here. At the moment looking at the browser strings and blacklisting client id of apps that fake them is the only thing we have at the moment. I think Google is currently looking into this and William may have more information. > > > - Section 5.3 (Phishing): > This is indeed concerning; it's very easy to fake the in-app browser. > The draft says: "If all native apps use the techniques described in > this best practice, users will not need to sign-in frequently and thus > should be suspicious of any sign-in request when they should have > already been signed-in." > > That is true, in theory, but sounds like a big "if" to me. Most users > are not savvy enough to be suspicious if a login screen appears and it > looks the same as the one they know. > I admit that I don't have any suggestion how to do it better, but this > part seems to be the most problematic to me for using OAuth on native > devices. I don’t think we have any magic bullet for fake apps. There are some techniques to cookie the browser with the users photo or other information that will be harder to fake outside the real browser. Un-phishable credentials like Fido may be the only long term answer for this, but at least this recommendation of using the system or external browser make using Fido possable where U2F atleast is blocked from webviews currently. John B. > > Best regards > Ulrich > > _______________________________________________ > OAuth mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/oauth _______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
