> on behalf
of Filip Skokan <mailto:panva...@gmail.com>
Date: Wednesday, November 28, 2018 at 9:11 AM
To: George Fletcher <mailto:gffle...@aol.com>
Cc: oauth <mailto:oauth@ietf.org>
Subject: Re: [OAUTH-WG] Dynamic Client Registration with Native Apps
Apologies, I misse
.org/html/rfc8252#section-8.6> still apply.
>> --
>> Annabelle Richard Backman
>> AWS Identity
>>
>>
>> From: OAuth <mailto:oauth-boun...@ietf.org> on
>> behalf of Filip Skokan <mailto:panva...@gmail.com>
>> Date: Wednesday, November 28
lf of Filip Skokan
>
> Date: Wednesday, November 28, 2018 at 9:11 AM
> To: George Fletcher
> Cc: oauth
> Subject: Re: [OAUTH-WG] Dynamic Client Registration with Native Apps
>
> Apologies, I missed the issued in "issued a shared secret", just reading
> "sha
Apologies, I missed the *issued* in "issued a shared secret", just reading
"shared secret" alone is the exact opposite of a per-instance secret. The
rest is clear and as you say it brings the benefit of the secret never
being sent over the wire (except during the initial registration via TLS).
It's "confidential" in that the shared secret is unique to that app
instance registration (as Dennis described in his response). If an
attacker gets my phone and compromises the data stored on my device,
they only get the secret for my device. This is no different than a
server side client
Hi George,
#2 doesn't seem confidential, it's still a secret shared amongst
installations and anyone reverse engineering the apk, extracting the
secret, can form the client_secret_jwt client_assertion with it just fine.
Best,
Filip
On Wed, Nov 28, 2018 at 4:48 PM George Fletcher wrote:
> In
In addition, a few additional patterns are enabled...
1. The native app can generate a public/private key pair and then use
private_secret_jwt as the client credential validation method via the
client credentials flow (defined in OpenID Connect).
2. Maybe more simply, if the native app is
If the secret is dynamically provisioned then you have a confidential
client. Anyone reverse engineering their own installation of the native app
would only extract their own client's credentials, as opposed to the shared
secret of all installations. Having a confidential client means that
Hi,
we just stumbled upon this [1] statement:
"Except when using a mechanism like Dynamic Client Registration
[RFC7591] to provision per-instance secrets, native apps are
classified as public clients ..."
What does this mean for us? Native App + Dynamic Client Registration =
Confidential
