[Openid-specs-native-apps] Please review specs
Paul Madsen
paul.madsen at gmail.com
Wed Feb 12 21:20:16 UTC 2014
guys, care to swimlane that model out at websequencediagrams?
paul
On 2/12/14, 3:52 PM, Chuck Mortimore wrote:
> We've been thinking of a model where the RS could validate the
> id_token for access to it's services and exchange it via assertion
> flow if it needed to act on behalf of user at the RS associated with
> the original AS. This sounds inline with that
>
> -cmort
>
>
> On Wed, Feb 12, 2014 at 12:39 PM, John Bradley <ve7jtb at ve7jtb.com
> <mailto:ve7jtb at ve7jtb.com>> wrote:
>
> Hi Chuck,
>
> I will get to this over the next couple of days.
>
> We do have the 3rd party id_tokens that can be used as JWT
> assertions that were added to connect for Google. In principal
> those should be exchanged in the assertion flow for access tokens
> when crossing security domains.
>
> So I suppose the type of token would depend on if the app directly
> accepted access tokens from the AS of the napps agent.
>
> Apps using Google Play services directly use the id_token as a
> access token in general but that places a potential burden on the
> RS to accept tokens of different types. I prefer to use the
> token endpoint to exchange the assertion so the RS only needs to
> worry about access tokens from it's AS whatever those happen to be.
>
> John B.
>
> On Feb 5, 2014, at 11:48 PM, Chuck Mortimore
> <cmortimore at salesforce.com <mailto:cmortimore at salesforce.com>> wrote:
>
>> One other thought - Perhaps instead of opaque access tokens for
>> the apps, we should issue id_tokens that are audience restricted
>>
>>
>> On Wed, Feb 5, 2014 at 3:58 PM, Chuck Mortimore
>> <cmortimore at salesforce.com <mailto:cmortimore at salesforce.com>> wrote:
>>
>> *Comments on Agent Core 1.0*
>>
>> 5.0 - Do we need to make client credentials mandatory? Can
>> we make this a MAY?
>>
>> 7.1 - in general seems redundant to oauth/openid connect,
>> with the exception of the AZA scope. Do we need to respecify
>> all of this?
>>
>> 7.1.1 - Why is response_type=code MUST? Is this oauth carry
>> over? (same as my question on 5.0 I think)
>>
>> 7.4.1/2 - By issuing on the token endpoint, we are basically
>> saying that only administrative authorization models will
>> work. If end-user authorized oauth is being used, the user
>> doesn't have a chance to approve access to and new app.
>> Shouldn't we be performing a new Authorization request,
>> rather than a straight refresh token exchange?
>>
>>
>> *Comments on Agent API bindings 1.0*
>>
>> 2.0 - "Rather than the user individually authenticating and
>> authorizing each native application, they do so only for the
>> authorization agent" - same as my last comment; from an
>> authorization model perspective, this basically kills off
>> end-user approval models with this profile. There's no way
>> for the user to make effective authorization decisions for
>> future unknown applications.
>>
>> 4.0 - this seems to really be the meat of what we should
>> specify, but the entire section is basically silent on
>> detail. For this spec to be successful, shouldn't we take a
>> stand and actually specify interaction patterns?
>>
>> 4.1 - "The TA MUST NOT deliver a secondary access token to an
>> application for which it was not issued." seems at odds with
>> the rest of this section. For example, the custom scheme
>> approach would potentially violate this on iOS. I'm not
>> certain there is a reliable way not to violate this when
>> supporting an TA intiated flow.
>>
>> 4.2 - We should really spec out a Native App intiated flow.
>> It may be the only way we can reliably handle the security
>> contraint in section 4.1. One option could be to issue a
>> public key with the authorization request and then encrypt
>> the use JWE to responds, so if the Native app's custom scheme
>> url were hijacked, the returned token wouldn't bleed to the
>> wrong app.
>>
>>
>>
>>
>>
>> On Wed, Feb 5, 2014 at 1:18 PM, Paul Madsen
>> <paul.madsen at gmail.com <mailto:paul.madsen at gmail.com>> wrote:
>>
>> Both core & bindings are available at
>>
>> http://hg.openid.net/napps/wiki/Home
>>
>> John has some editorial fixes to make but is hoping to
>> combine with those with any more normative changes
>>
>> Our next call is Wed feb 19 @ 6 pm EST
>>
>> Paul
>>
>> _______________________________________________
>> Openid-specs-native-apps mailing list
>> Openid-specs-native-apps at lists.openid.net
>> <mailto:Openid-specs-native-apps at lists.openid.net>
>> http://lists.openid.net/mailman/listinfo/openid-specs-native-apps
>>
>>
>>
>> _______________________________________________
>> Openid-specs-native-apps mailing list
>> Openid-specs-native-apps at lists.openid.net
>> <mailto:Openid-specs-native-apps at lists.openid.net>
>> http://lists.openid.net/mailman/listinfo/openid-specs-native-apps
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-native-apps/attachments/20140212/09b99b07/attachment-0001.html>
More information about the Openid-specs-native-apps
mailing list