[Openid-specs-ab] App2app authorization/authentication

Joseph Heenan joseph at authlete.com
Wed Oct 9 10:24:53 UTC 2019


Thanks Nov! 

This is interesting. I like how it avoids the need for keys to be explicitly registered. It’s similar to a model I have seen for app2app; the differences are that in your case you have an id_token signed by the client (/self-issued IdP), and in the case I saw there’s a JWT signed with a key the first party app has registered as representing the user, which is passed as an extra parameter to the authorization endpoint.

If I’ve understood correctly, I think if you used app2app in this model you’d end up with more app switches than in the model I mentioned, because you'd go:

Third party app -> idp app -> third party app as a self-issued idp -> idp app -> third party app

Whereas app2app is:

Third party app -> idp app -> third party app

(I’m not entirely sure I got that right; I may not have correctly understood which app does which thing if you applied this to app2app, but I think that, for app2app to really work, the first party IdP app needs to claim the HTTP URL for the authorization endpoint, which I think then allows some of the redirects to be skipped or done internally to the app.)

It might be good to discuss this a bit more on the WG call tomorrow?

Thanks

Joseph

> On 4 Oct 2019, at 01:33, nov matake <nov at matake.jp> wrote:
> 
> The self-issued IdP model isn’t documented, but one of my clients is using the model for Native App SSO for their apps.
> 
> The basic sequence is described in the attached image.
> 
> You can also see the actual working app here.
> https://apps.apple.com/us/app/%E3%83%9B%E3%83%83%E3%83%88%E3%83%9A%E3%83%83%E3%83%91%E3%83%BC%E3%83%93%E3%83%A5%E3%83%BC%E3%83%86%E3%82%A3%E3%83%BC-%E3%82%B5%E3%83%AD%E3%83%B3%E4%BA%88%E7%B4%84/id385724144
> 
> The above app is an OIDC client of the server-side IdP, but also a client-side IdP of the server-side IdP.
> 
> The user has a key pair on the client side, and when the user is logging into the server side, the server delegates the actual authentication to the client side again.
> 
> It is very similar to FIDO / WebAuthN model, so I feel it’s natural.
> (once you get WebAuthN on iOS, you won’t need self-issued IdP for this purpose anymore though)
> 
> Basically, almost all Native App SSO lets the client app authenticate the user to the server side in some way, so those techniques would be a hint for your case too.
> 
> 
> <cdraw.png>
> 
>> On Oct 4, 2019, at 2:21, Joseph Heenan <joseph at authlete.com> wrote:
>> 
>> Hi Nov,
>> 
>> Replies inline:
>> 
>>> On 3 Oct 2019, at 14:15, nov matake <nov at matake.jp> wrote:
>>> 
>>> My use-case isn't app2app, but it's making the mobile apps the self-issued IdP for the backend IdP.
>>> 
>>> In that case, the first logged-in app registers a public key to the backend IdP server. After that, when a following app sends an AuthZ request to the server, the server returns another AuthZ request to the app itself. Then the app authenticates the user via TouchID etc. and acts as a self-issued IdP against the backend. Receiving the self-issued ID Token, the backend IdP authenticates the user and issues a code.
>>> 
>>> If the app can act as an IdP of the backend IdP, you won't need a vendor-specific way to issue a code.
>> 
>> I'm quite interested in this. Is this chaining of a self-issued IdP to a backend IdP an already defined protocol I can read more about somewhere?
>> 
>> I'm not sure if it would be the most natural way to do it; the first party app (the bank app) is generally also an OAuth client of the backend IdP, and the approaches I've seen so far for app2app leverage that existing client relationship. Sadly I'm not aware of anyone that's publicly documented how their implementation of the first party app interacts with the IdP to implement the app2app case.
>> 
>>> I think George has another way in his native app SSO draft.
>> 
>> I don't yet fully understand George's draft, but it only works where the apps are from the same company, so it does not help in the general app2app scenario (where the apps are from different companies) as far as I know.
>> 
>> Thanks
>> 
>> Joseph
>> 
> 
