<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<div class="">I'd be very happy to see a set of well-engineered, security-focused client libraries that cover the bang-for-the-buck target audiences.  I don't have any ability to help with that, but +1 the need.</div>
<div class=""><br class="">
</div>
<div class="">Nick</div>
<br class="">
<div>
<blockquote type="cite" class="">
<div class="">On Aug 10, 2016, at 1:42 AM, Adam Dawes via Openid-specs-ab <<a href="mailto:Openid-specs-ab@lists.openid.net" class="">Openid-specs-ab@lists.openid.net</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div dir="ltr" class="">I just looked through the deck and it seems that most of these relate to OAuth2 based auth flows. At the end, one of the recommendations is to adopt OIDC. 
<div class=""><br class="">
</div>
<div class="">But in our experience, developers also get OIDC wrong far too often. The thing that is the biggest problem is proper ID token verification (issuer and audience checks). I really think that the community would be very well served with excellent
 open source JWT validation libraries on all major frameworks/languages. Google would be very interested in working with others on this problem. Please let me know if you have interest/ideas about how to improve this.</div>
<div class=""><br class="">
</div>
<div class="">The other area that concerns me but doesn't seem to be a major issue yet is clientID spoofing on platforms like iOS. Users don't pay enough attention to consent screens so spoofing another client is an interesting phishing vector.</div>
</div>
<div class="gmail_extra"><br class="">
<div class="gmail_quote">On Tue, Aug 9, 2016 at 10:00 PM, Nat Sakimura via Openid-specs-ab
<span dir="ltr" class=""><<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank" class="">openid-specs-ab@lists.openid.net</a>></span> wrote:<br class="">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div lang="JA" link="#0563C1" vlink="#954F72" class="">
<div class="m_-3740045064026154810WordSection1">
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt" class="">Just found a briefing in Blackhat 2016 titled
<a href="https://www.blackhat.com/us-16/briefings.html#1000-ways-to-die-in-mobile-oauth" target="_blank" class="">
“1000 WAYS TO DIE IN MOBILE OAUTH”</a></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt" class="">Says:</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt" class="">> “(1) all major identity providers, e.g., Facebook, Google and Microsoft, have re-purposed OAuth for user authentication;”</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt" class="">> [..snip..]</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt" class="">> “The result is really worrisome: among the 149 applications that use OAuth, 89 of them (59.7%) were incorrectly implemented and thus vulnerable.”</span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt" class="">Maybe we should dig in.</span></p>
<p class="MsoNormal" align="left" style="text-align:left"><span lang="EN-US" style="font-size:10.0pt;font-family:'MS Gothic'" class="">--</span></p>
<p class="MsoNormal" align="left" style="text-align:left"><span lang="EN-US" style="font-size:10.0pt;font-family:'MS Gothic'" class="">PLEASE READ: This e-mail is confidential and intended for the</span></p>
<p class="MsoNormal" align="left" style="text-align:left"><span lang="EN-US" style="font-size:10.0pt;font-family:'MS Gothic'" class="">named recipient only. If you are not an intended recipient,</span></p>
<p class="MsoNormal" align="left" style="text-align:left"><span lang="EN-US" style="font-size:10.0pt;font-family:'MS Gothic'" class="">please notify the sender and delete this e-mail.</span></p>
</div>
</div>
<br class="">
_______________________________________________<br class="">
Openid-specs-ab mailing list<br class="">
<a href="mailto:Openid-specs-ab@lists.openid.net" class="">Openid-specs-ab@lists.openid.net</a><br class="">
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank" class="">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br class="">
<br class="">
</blockquote>
</div>
<br class="">
<br clear="all" class="">
<div class=""><br class="">
</div>
-- <br class="">
<div class="gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr" class="">
<div style="line-height:1.5em;padding-top:10px;margin-top:10px;color:rgb(85,85,85);font-family:sans-serif;font-size:small" class="">
<span style="border-width:2px 0px 0px;border-style:solid;border-color:rgb(213,15,37);padding-top:2px;margin-top:2px" class="">Adam Dawes |</span><span style="border-width:2px 0px 0px;border-style:solid;border-color:rgb(51,105,232);padding-top:2px;margin-top:2px" class=""> Sr.
 Product Manager |</span><span style="border-width:2px 0px 0px;border-style:solid;border-color:rgb(0,153,57);padding-top:2px;margin-top:2px" class=""> <a href="mailto:adawes@google.com" target="_blank" class="">adawes@google.com</a> |</span><span style="border-width:2px 0px 0px;border-style:solid;border-color:rgb(238,178,17);padding-top:2px;margin-top:2px" class=""> +1
 650-214-2410</span></div>
<br class="">
</div>
</div>
</div>
</div>
</blockquote>
</div>
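<div class="">The ID token checks Adam Dawes calls out above (issuer and audience, which implementations get wrong far too often) are small enough to show in full. The following is an added example written for this archive page; it is not code from Google, from the OpenID Foundation, or from any library discussed in the thread. To run offline it signs with HS256 and a shared secret, where a real provider would use RS256 with keys fetched from its JWKS endpoint; the issuer, client_id, secret, clock value and nonce are all constructed for the example. The validation order (pin the algorithm, check the signature, then iss, aud/azp, exp, iat and nonce) is the part that carries over unchanged to a real library.</div>

```python
"""Added example: OpenID Connect ID-token validation with the checks that
are most often skipped (issuer and audience), plus signature, expiry and nonce.

Illustrative code for this mailing-list page, not the project's or Google's.
Assumption: HS256 with a shared secret stands in for RS256 + JWKS so the
example runs offline. All identifiers below are constructed.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-shared-secret-not-for-production"  # assumption: stand-in for the provider's key
ISSUER = "https://accounts.example.com"                   # constructed issuer identifier
CLIENT_ID = "my-app-client-id"                            # constructed relying-party client_id
NOW = 1470787320                                          # fixed clock so results are deterministic


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes = SECRET, alg: str = "HS256") -> str:
    """Build a compact JWS (header.payload.signature). alg='none' yields an
    unsigned token so the validator can be shown rejecting it."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class InvalidToken(Exception):
    """Every validation failure; the caller must treat all of them as 'not authenticated'."""


def validate_id_token(token: str, *, secret: bytes = SECRET, expected_issuer: str = ISSUER,
                      client_id: str = CLIENT_ID, expected_nonce: str = None,
                      now: float = None, leeway: int = 60) -> dict:
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(p_b64))
    except ValueError as exc:  # covers bad base64, bad JSON, bad UTF-8 and wrong part count
        raise InvalidToken("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise InvalidToken("header and payload must be JSON objects")
    # Pin the algorithm to what the provider is known to use; never trust the header's alg.
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg %r" % header.get("alg"))
    expected_sig = hmac.new(secret, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s_b64)):
        raise InvalidToken("signature mismatch")
    # Issuer: exact string match against the configured issuer, nothing looser.
    if claims.get("iss") != expected_issuer:
        raise InvalidToken("issuer mismatch: %r" % claims.get("iss"))
    # Audience: aud may be a string or a list; our client_id must be in it.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise InvalidToken("audience mismatch: %r" % aud)
    if "azp" in claims and claims["azp"] != client_id:
        raise InvalidToken("azp mismatch")
    if len(audiences) > 1 and "azp" not in claims:
        raise InvalidToken("multiple audiences without azp")  # conservative: spec says SHOULD verify azp
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise InvalidToken("token expired or has no exp")
    if not isinstance(iat, (int, float)) or iat > now + leeway:
        raise InvalidToken("iat missing or in the future")
    # Nonce binds the token to the authentication request that produced it.
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise InvalidToken("nonce mismatch")
    if not claims.get("sub"):
        raise InvalidToken("missing sub")
    return claims


def rejects(token: str, **kwargs) -> bool:
    """True if validate_id_token refuses the token at the fixed clock NOW."""
    try:
        validate_id_token(token, now=NOW, **kwargs)
    except InvalidToken:
        return True
    return False


# Constructed claim set for a legitimate token.
GOOD_CLAIMS = {"iss": ISSUER, "sub": "user-123", "aud": CLIENT_ID,
               "exp": NOW + 3600, "iat": NOW, "nonce": "n-0S6_WzA2Mj"}

if __name__ == "__main__":
    print(validate_id_token(mint_id_token(GOOD_CLAIMS), expected_nonce="n-0S6_WzA2Mj", now=NOW)["sub"])
    print(rejects(mint_id_token({**GOOD_CLAIMS, "iss": "https://evil.example.net"})))
    print(rejects(mint_id_token({**GOOD_CLAIMS, "aud": "some-other-app"})))
    print(rejects(mint_id_token(GOOD_CLAIMS, alg="none")))
```

<div class="">The `aud` check is the one that matters for the clientID-spoofing concern in the same message: a token minted for another application carries that application's client_id in `aud`, and a validator that only checks the signature and `iss` will accept it. Swapping HS256 for RS256 changes only the signature step; the claim checks stay the same.</div>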
<br class="">
</body>
</html>