[Openid-specs-native-apps] Notes from Apr 1 NAAPS Call

Mike Varley mike.varley at securekey.com
Wed Apr 2 12:56:12 UTC 2014


I was on mute for the call, so I didn't get to elaborate on supporting apps that are not pre-registered at the App-Info endpoint. I believe this is an interesting use case, as it enables more 'open' ecosystems (that don't require pre-established trust points). "In a world..." where there is a general purpose TA on the device that can authenticate the user and release access tokens for various services, App developers are free to build enhanced / mashup services without requiring the user to go through OAuth flows for each service.

This may be a bit like UMA where a user defines a profile of data that can be accessed by third parties.

A simple flow may be:

(1) General purpose TA on mobile collects account authorizations for the user, and stores the refresh tokens and endpoints.

a. Could be done through the TA on demand (when a service is requested) or

b. Could be done by Apps that share data by sending access tokens to the TA at the user's request...

(2) User installs a new App, 'Happy Heart', which asks the TA for tokens for FriendBook (social), and FitnessOnline (online heart rate tracking/graphing/calorie counting).

(3) User is asked by TA "do you authorize access to FriendBook and FitnessOnline for the App Happy Heart?" - user consents

(4) User (selects a profile/accounts at FriendBook to share) authenticates to the TA

(5) TA obtains refresh/access tokens for the Happy Heart App and returns them.

(6) Happy Heart App is able to access the FriendBook and FitnessOnline services.

Rather than a Trusted / Registered App ecosystem, trust is left in the hands of the user and the resource servers - the TA just stores account authorizations and App consent. This is a trusted convenience for users as their cloud presence grows, and Apps wish to make use of more and more cloud services for a user.

Feedback more than welcome - a lot of detail was glossed over ;)

Thanks,

MV
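The six-step flow above, as an added worked example that is not part of the original message or any NAAPS working group code: a toy on-device token agent (TA) that stores account authorizations (step 1), takes a token request from an app that is not pre-registered (step 2), gates it on an explicit and remembered per-app, per-service consent decision (step 3), lets the user pick which persona backs each service (step 4, and the "backing identity" point in the quoted notes), and only then issues tokens (steps 5 and 6). Service and app names are the ones in the message; the `TokenAgent` class, the `ask_user` callback, the endpoints and every token value are assumptions constructed for the example. A real TA would redeem the stored refresh token at the service's token endpoint instead of minting an opaque string.

```python
"""Toy on-device token agent (TA) for the flow sketched in the message.

Added illustration, not code from the OpenID NAAPS working group or the
message author. It models a TA that holds the user's account authorizations
(one refresh token per persona and service) and hands access tokens to an app
that is NOT pre-registered: the only gate is an explicit, remembered,
per-app and per-service consent decision, plus the user's choice of which
persona (step 4) backs each service. Every token value and endpoint below is
a constructed placeholder.
"""
from dataclasses import dataclass, field
import secrets


@dataclass(frozen=True)
class AccountAuthorization:
    persona: str          # which identity backs this account, e.g. "personal" or "work"
    service: str          # e.g. "FriendBook"
    token_endpoint: str   # where a real TA would redeem the refresh token (constructed)
    refresh_token: str    # constructed placeholder; never released to apps


@dataclass
class TokenAgent:
    # (persona, service) -> AccountAuthorization, filled in step (1)
    accounts: dict = field(default_factory=dict)
    # (app_id, service) -> persona the user chose, or None when the user declined (step 3)
    consents: dict = field(default_factory=dict)
    # audit trail of every token issued, refused or revoked, for the user to review
    audit: list = field(default_factory=list)

    def store_authorization(self, auth: AccountAuthorization) -> None:
        """Step (1): the TA collects an account authorization for the user."""
        self.accounts[(auth.persona, auth.service)] = auth

    def personas_for(self, service: str) -> list:
        """Personas that have an authorization stored for this service."""
        return sorted(p for (p, s) in self.accounts if s == service)

    def request_tokens(self, app_id: str, services: list, ask_user) -> dict:
        """Steps (2)-(5): an app asks for tokens; the user, not a registry, decides.

        ask_user(app_id, service, personas) stands in for the TA's consent UI and
        returns the persona the user wants to share, or None to refuse. The answer
        is remembered, so each app is prompted once per service until revoked.
        """
        unknown = [s for s in services if not self.personas_for(s)]
        if unknown:
            raise LookupError(f"no account authorization stored for {unknown}")
        granted = {}
        for service in services:
            key = (app_id, service)
            if key not in self.consents:
                choice = ask_user(app_id, service, self.personas_for(service))
                if choice is not None and (choice, service) not in self.accounts:
                    raise ValueError(f"unknown persona {choice!r} for {service}")
                self.consents[key] = choice
            persona = self.consents[key]
            if persona is None:
                self.audit.append(("refused", app_id, service))
                continue
            granted[service] = self._issue_access_token(app_id, self.accounts[(persona, service)])
        return granted

    def _issue_access_token(self, app_id: str, auth: AccountAuthorization) -> str:
        """Step (5): a real TA would redeem auth.refresh_token at auth.token_endpoint;
        here an opaque placeholder is minted and the issuance is logged."""
        token = "at_" + secrets.token_urlsafe(16)
        self.audit.append(("issued", app_id, auth.service, auth.persona))
        return token

    def revoke(self, app_id: str, service: str) -> None:
        """Let the user withdraw a consent; the next request prompts again."""
        self.consents.pop((app_id, service), None)
        self.audit.append(("revoked", app_id, service))


def demo() -> dict:
    """Walk the message's flow with constructed data; returns what Happy Heart received."""
    ta = TokenAgent()
    ta.store_authorization(AccountAuthorization("personal", "FriendBook", "https://friendbook.example/token", "rt-fb-personal"))
    ta.store_authorization(AccountAuthorization("work", "FriendBook", "https://friendbook.example/token", "rt-fb-work"))
    ta.store_authorization(AccountAuthorization("personal", "FitnessOnline", "https://fitness.example/token", "rt-fo-personal"))

    def user_prompt(app_id, service, personas):
        # Constructed user decision: share the personal FriendBook profile, refuse FitnessOnline.
        return "personal" if service == "FriendBook" else None

    return ta.request_tokens("happy-heart", ["FriendBook", "FitnessOnline"], user_prompt)


if __name__ == "__main__":
    print(demo())
</test>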




From: openid-specs-native-apps-bounces at lists.openid.net [mailto:openid-specs-native-apps-bounces at lists.openid.net] On Behalf Of John Bradley
Sent: Tuesday, April 01, 2014 11:01 AM
To: openid-specs-native-apps at lists.openid.net
Subject: [Openid-specs-native-apps] Notes from Apr 1 NAAPS Call

John Bradley
Klaas Wierenga
Mike Varley

Updated Klaas on activities.

Discussed the options for 3rd party API that were in the email I sent.

Mike wants to support a use case for apps that are not pre-registered in the app-info endpoint.

Token agent multiple personas.   Klaas wouldn't want to mix his company credential with personal services.
We need to think about allowing the user to select the backing identity.

We may need to look at the call time so that we get more people.

The next OpenID F2F is at Yahoo preceding IIW.  The NAAPS WG is scheduled from 4 - 5 pm but may start earlier.
Registration: https://www.eventbrite.com/e/openid-foundation-workshop-tickets-1174511997