[Openid-specs-native-apps] A few questions

Preibisch, Sascha H Sascha.Preibisch at ca.com
Wed Jan 22 05:49:56 UTC 2014


Hi Paul, John and others!

I read through the second draft of the "draft-native-application-agent-core-01" document. I find it very interesting and I like the idea of a TA. I think that in the long run it is difficult to implement mobile SSO without that if multiple platforms are to be supported.

I would like to leave some comments and ask a few questions though. If they have been discussed please let me know. I have ordered the questions by chapter:

7.2.1
- sounds like the RS needs a list of "associated" secondary apps for each TA. This sounds like a challenging task

7.2.2
- typo? refresh_token should probably be access_token?
- who maintains the list of apps that is accessible to the end-user, and how?
- "if" using a custom url scheme? What else should be used when "code" is in use?
- is "scope" necessary if a custom URL is already configured to identify a secondary app?

7.4 Not sure if I really understand it:
- why is the primary refresh_token used to request secondary tokens?
- does the secondary app need to provide any credentials?
- do the secondary apps and the TA need some kind of relationship, trust?
- why should the secondary app not request its own tokens directly using the id_token of the TA to authenticate the user?

7.4.2 "binding the secondary token to the secondary app cryptographically". Sounds difficult

I think one of the biggest challenges will be the secure connection between the TA, the secondary apps and the AS/RS.

In order to have a separation of concerns I would appreciate a solution which separates between tokens for an app and tokens identifying an authenticated user. Technically there may not be a big difference, but I do believe that semantically there is.

I believe that whenever an app requests an access_token it needs the user's consent, in the form of username/password or an id_token. I am not so sure about a refresh_token which wasn't issued to the requesting app.

This is it for the moment. I will try to take part in the next telco.

Regards,
Sascha
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-native-apps/attachments/20140122/73f20db6/attachment.html>
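Added illustration (not part of the message above, and not code from the draft or its authors) of the token-agent flow the questions on 7.2.1, 7.4 and 7.4.2 are about: a TA holds the primary refresh_token, asks the AS for a secondary token on behalf of an associated secondary app, and the AS binds that token to the app with a proof-of-possession key that the RS checks. The HMAC-signed token layout, the per-token key derivation from a secret shared between AS and RS, and the names `ta.example`, `mail.example`, `cal.example` are assumptions made for the example, not the draft's wire format.

```python
# Constructed example of a token-agent (TA) flow with secondary tokens bound to
# the secondary app. Token format, proof scheme and all identifiers are
# assumptions for illustration only, not the draft's protocol.
import base64
import hashlib
import hmac
import json
import secrets


def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def proof_message(method: str, path: str, jti: str) -> bytes:
    # What the app signs with its possession key. No nonce/timestamp here, so a
    # captured request could be replayed; a deployment would add both.
    return f"{method} {path} {jti}".encode()


class AuthorizationServer:
    def __init__(self):
        self.token_key = secrets.token_bytes(32)  # signs tokens; shared with RS (assumption)
        self.pop_root = secrets.token_bytes(32)   # root for possession keys; shared with RS
        self.associations = {}                    # ta_id -> associated secondary app ids (cf. 7.2.1)
        self.refresh_tokens = {}                  # primary refresh_token -> (ta_id, user)

    def associate(self, ta_id, app_id):
        self.associations.setdefault(ta_id, set()).add(app_id)

    def primary_grant(self, ta_id, user):
        # User authenticates and consents once, at the TA.
        rt = secrets.token_urlsafe(24)
        self.refresh_tokens[rt] = (ta_id, user)
        return rt

    def secondary_grant(self, refresh_token, app_id, scope):
        # TA presents its primary refresh_token on behalf of a secondary app.
        if refresh_token not in self.refresh_tokens:
            raise PermissionError("unknown refresh token")
        ta_id, user = self.refresh_tokens[refresh_token]
        if app_id not in self.associations.get(ta_id, set()):
            raise PermissionError("app not associated with this TA")
        jti = secrets.token_urlsafe(16)
        claims = {"jti": jti, "sub": user, "aud": app_id, "scope": scope, "via": ta_id}
        payload = json.dumps(claims, sort_keys=True).encode()
        sig = hmac.new(self.token_key, payload, hashlib.sha256).digest()
        access_token = b64e(payload) + "." + b64e(sig)
        # Possession key derived from the token id; the RS re-derives it, so it
        # never travels inside the token and is handed only to the requester.
        pop_key = hmac.new(self.pop_root, jti.encode(), hashlib.sha256).digest()
        return access_token, pop_key


class ResourceServer:
    def __init__(self, token_key, pop_root):
        self.token_key, self.pop_root = token_key, pop_root

    def handle(self, method, path, access_token, app_id, proof):
        payload_b64, sig_b64 = access_token.split(".")
        payload = b64d(payload_b64)
        expected = hmac.new(self.token_key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64d(sig_b64)):
            return 401, "bad token signature"
        claims = json.loads(payload)
        if claims["aud"] != app_id:  # app_id is self-asserted; the proof below is the real binding
            return 401, "token was issued to a different app"
        pop_key = hmac.new(self.pop_root, claims["jti"].encode(), hashlib.sha256).digest()
        want = hmac.new(pop_key, proof_message(method, path, claims["jti"]), hashlib.sha256).digest()
        if not hmac.compare_digest(want, proof):
            return 401, "proof of possession failed"
        return 200, f"{claims['sub']} via {claims['via']} scope={claims['scope']}"


class SecondaryApp:
    def __init__(self, app_id):
        self.app_id, self.access_token, self.pop_key = app_id, None, None

    def receive_credentials(self, access_token, pop_key):
        self.access_token, self.pop_key = access_token, pop_key

    def call(self, rs, method, path):
        jti = json.loads(b64d(self.access_token.split(".")[0]))["jti"]
        proof = hmac.new(self.pop_key, proof_message(method, path, jti), hashlib.sha256).digest()
        return rs.handle(method, path, self.access_token, self.app_id, proof)


class TokenAgent:
    def __init__(self, ta_id, auth_server):
        self.ta_id, self.auth_server, self.refresh_token = ta_id, auth_server, None

    def login(self, user):
        self.refresh_token = self.auth_server.primary_grant(self.ta_id, user)

    def provision(self, app, scope):
        # The TA relays the possession key, so the TA-to-app channel is the trust boundary.
        token, pop_key = self.auth_server.secondary_grant(self.refresh_token, app.app_id, scope)
        app.receive_credentials(token, pop_key)


def run_demo():
    auth = AuthorizationServer()
    rs = ResourceServer(auth.token_key, auth.pop_root)
    ta = TokenAgent("ta.example", auth)
    mail, calendar = SecondaryApp("mail.example"), SecondaryApp("cal.example")
    auth.associate("ta.example", "mail.example")
    ta.login("alice")
    ta.provision(mail, "mail.read")
    results = {"legit": mail.call(rs, "GET", "/inbox")[0]}
    thief = SecondaryApp("mail.example")  # captured the token, but not the possession key
    thief.receive_credentials(mail.access_token, secrets.token_bytes(32))
    results["stolen_token_without_key"] = thief.call(rs, "GET", "/inbox")[0]
    calendar.receive_credentials(mail.access_token, mail.pop_key)  # another app reusing mail's token
    results["wrong_audience"] = calendar.call(rs, "GET", "/inbox")[0]
    try:  # app the TA is not associated with: the AS refuses the secondary grant
        ta.provision(calendar, "cal.read")
        results["unassociated_app"] = "granted"
    except PermissionError:
        results["unassociated_app"] = "refused"
    return results


if __name__ == "__main__":
    print(run_demo())
```

The four outcomes of `run_demo()` map onto the questions in the message: the "associated secondary apps" list is the check that refuses `cal.example`, the primary refresh_token is what the TA presents to get the secondary grant, and the binding is a possession key that a captured token alone does not give an attacker. The example also makes the cost visible: because the TA relays the possession key, the channel between TA and secondary app carries the same trust as the token itself.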