[Openid-specs-ab] Submission: Native SSO for Mobile Apps (txt and xml)

Torsten Lodderstedt torsten at lodderstedt.net
Sat Mar 9 14:58:09 UTC 2019


Hi George, 

I read your proposal and I (believe to) understand that the device secret is introduced as a kind of device identifier (+ some additional data) grouping tokens issued to different apps residing on the same device.

A question popped up: Why do you use an id token and the token exchange to obtain fresh access tokens? Wouldn't it be sufficient to share the refresh token among those apps? Even if the refresh token is rotated, the legit apps are supposed to share some state on the device, so any of those apps could use the currently valid refresh token to perform the flow (again).

best regards,
Torsten.

> Am 08.01.2019 um 00:22 schrieb George Fletcher via Openid-specs-ab <openid-specs-ab at lists.openid.net>:
> 
> Per the working group call today, bumping to the top of the list.
> 
> 
> -------- Forwarded Message --------
> Return-Path: 	<openid-specs-ab-bounces at lists.openid.net>
> Received: 	from silver.osuosl.org (mpq410.aol.prodcr.mail.ne1.yahoo.com [140.211.166.136]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mtaiw-mbd02.mx.aol.com (Internet Inbound) with ESMTPS id 15F89700000B2 for <gffletch at aol.com>; Fri, 22 Jun 2018 13:30:26 -0400 (EDT)
> X-Apparently-To: 	gffletch at aol.com; Fri, 22 Jun 2018 17:30:25 +0000
> Date: 	Fri, 22 Jun 2018 13:30:08 -0400
> User-Agent: 	Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.8.0
> Subject: 	[Openid-specs-ab] Submission: Native SSO for Mobile Apps (txt and xml)
> From: 	George Fletcher via Openid-specs-ab <openid-specs-ab at lists.openid.net>
> Reply-To: 	George Fletcher <gffletch at aol.com>
> Sender: 	"Openid-specs-ab" <openid-specs-ab-bounces at lists.openid.net>
> 
> 
> 
> Per the notes from Thursday's OpenID Connect working group call, here are text and xml formatted versions of the Native SSO for Mobile Apps spec.
> 
> Please note, the core text is here but this is nowhere near final. Note that the text for additions for dynamic client registration and other IANA registrations is text from the "front channel logout" spec. I left the sections there as they will likely be needed.
> 
> The purpose here is to get the core text in the proper format.
> 
> Thanks,
> George
> 
> 
> 
> -- 
> Identity Standards Architect
> Verizon Media                     Work: george.fletcher at oath.com
> Mobile: +1-703-462-3494           Twitter: http://twitter.com/gffletch
> Office: +1-703-265-2544           Photos: http://georgefletcher.photography
> 
> <openid-connect-native-sso-1_0.txt><openid-connect-native-sso-1_0.xml><Attached Message Part.txt>
