[Openid-specs-native-apps] Bundle ID?

Emily Xu exu at vmware.com
Fri Aug 1 01:44:37 UTC 2014


I would prefer the raw identifier because this way, we could avoid the requirement of TA to always download app info first.

Thanks,
Emily

From: John Bradley <ve7jtb at ve7jtb.com>
Date: Thursday, July 31, 2014 4:59 PM
To: Emily Xu <exu at vmware.com>
Cc: "Preibisch, Sascha H" <Sascha.Preibisch at ca.com>, "openid-specs-native-apps at lists.openid.net" <openid-specs-native-apps at lists.openid.net>
Subject: Re: [Openid-specs-native-apps] Bundle ID?

If we always pass the value to the AS then I suppose that sending the value to the TA via the appinfo endpoint becomes mostly used as a key to look up information about the app for creating a UI, rather than as a security check in itself.

If we follow that line of thought we would need rules for encoding the various versions of package name as a URI safe parameter and avoid naming collisions between the namespaces.

e.g. ios-(base64url encoded bundle_id)

So the question is whether the identifier for the app from an OS perspective is dereferenced to an app name in the TA by a lookup from the app_info endpoint, or the raw identifier is passed to the AS and mapped to an app at that end?

John B.

On Jul 31, 2014, at 7:47 PM, Emily Xu <exu at vmware.com> wrote:

Right. I just confirmed from my AirWatch colleague, TA could validate a native app's bundle id or package name. However, it is AS who holds the truth about which native app (identified by bundle id or package name) is authorized to receive tokens. So we should allow an AS to do the authorization check, but let TA do the bundle id/package name validation.

Thanks,
Emily

From: John Bradley <ve7jtb at ve7jtb.com>
Date: Thursday, July 31, 2014 2:46 PM
To: "Preibisch, Sascha H" <Sascha.Preibisch at ca.com>
Cc: "openid-specs-native-apps at lists.openid.net" <openid-specs-native-apps at lists.openid.net>
Subject: Re: [Openid-specs-native-apps] Bundle ID?

In the draft I worked on prior to CIS, I put in the bundle_id value in the app_info response as a way to identify a native app.
The previous draft relied only on the redirect_uri for the app and that is not as secure as one would hope.

bundle_id I think came from the iOS demo app we were looking at.

We have a couple of choices given that the AS needs to likely support the same app across multiple OS.
The app_info can return multiple OS-specific values, e.g. bundle_id for iOS and package_name for Android, or we could make the AS responsible for informing the app_info endpoint what OS the TA making the request is running on so it can put the correct value in a generic parameter like app_id.

Using a generic app_id will make the app_info endpoint a bit more complicated as it needs to return a response per user+platform vs just per user.

When I picked the name I was personally thinking that multiple values were the way to go.

As a WG we can go either way.

The other thing to consider is that VMware was thinking that some TAs won't be building a desktop to invoke apps.

They would like to have a simple option of using the verified bundle_id or package_name as the identifier for the app in the request to the token endpoint rather than having the TA mapping from bundle_id to scope.

Note I am currently working to update the draft to move the identifier for the client app from a scope value to a separate "azp" (authorized party) parameter in the request to the token endpoint.
Some people felt that overloading scope to identify the app making the request to the TA was a bit too much overloading.

John B

On Jul 31, 2014, at 4:57 PM, Preibisch, Sascha H <Sascha.Preibisch at ca.com> wrote:

I personally think that, whenever possible and appropriate, the goal should be to keep the terminology simple. If the spec should be generic enough for "any" platform, I still think a generic name like app_id would work fine.

As you said, the value may not be the same, but the concept behind it is the same (identifying an app).

Sascha

CA Technologies
Sascha Preibisch, Principal Software Engineer
Mobile Access Gateway
sascha.preibisch at ca.com
________________________________
From: David Waite [david at alkaline-solutions.com]
Sent: Thursday, July 31, 2014 1:04 PM
To: Preibisch, Sascha H
Cc: Chuck Mortimore; Paul Madsen; openid-specs-native-apps at lists.openid.net
Subject: Re: [Openid-specs-native-apps] Bundle ID?

It sounds like the value would not likely be the same on both platforms, so perhaps bundle id is appropriate on iOS and package name (or signing fingerprint) would be appropriate on android?

-DW

On Jul 31, 2014, at 12:18 PM, Preibisch, Sascha H <Sascha.Preibisch at ca.com> wrote:

I had a chat with our iOS and Android developers.

bundle_id is only known on iOS. On Android the equivalent is package_name. The Android developer said that bundle_id would be very confusing in his environment.

Both suggested a generic term like "app_id" which would be explained in the "Terminology" section.

Regards,
Sascha

CA Technologies
Sascha Preibisch, Principal Software Engineer
Mobile Access Gateway
sascha.preibisch at ca.com
________________________________
From: openid-specs-native-apps-bounces at lists.openid.net [openid-specs-native-apps-bounces at lists.openid.net] on behalf of Chuck Mortimore [cmortimore at salesforce.com]
Sent: Thursday, July 31, 2014 8:23 AM
To: Paul Madsen
Cc: openid-specs-native-apps at lists.openid.net
Subject: Re: [Openid-specs-native-apps] Bundle ID?

iOS. I believe on Android we'd capture a cert hash, but it's been a while so the platform may have evolved since our last research.

On Jul 31, 2014, at 4:23 AM, Paul Madsen <paul.madsen at gmail.com> wrote:

The latest spec introduces the bundle id parameter as a means of distinguishing applications:

http://openid.bitbucket.org/draft-native-application-agent-core-01-working-draft.html

bundle_id
OPTIONAL (String). This is a string that the TA uses to validate the identity of the invoking application. This is RECOMMENDED if the "type" is "native"

Is this term appropriately generic across the mobile OSs? Or is it specific to iOS?

paul


_______________________________________________
Openid-specs-native-apps mailing list
Openid-specs-native-apps at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs-native-apps
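The namespaced, URI-safe encoding John B. sketches above ("ios-(base64url encoded bundle_id)"), together with the AS-side authorization lookup Emily argues for, as an added illustration that is not part of this thread or of the draft. The platform syntax rules, the `azp` registry contents and the helper names are constructed for the example.

```python
import base64
import re

# Constructed syntax rules per platform namespace: iOS bundle IDs are
# dot-separated alphanumeric/hyphen segments, Android package names are
# dot-separated Java identifiers. Anything else is rejected.
PLATFORM_RULES = {
    "ios": re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$"),
    "android": re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)+$"),
}

def encode_app_id(platform, native_id):
    """Build 'ios-<base64url>' style identifiers so an iOS bundle_id and an
    Android package_name never collide even when the raw strings match."""
    rule = PLATFORM_RULES.get(platform)
    if rule is None or not rule.match(native_id):
        raise ValueError("unknown platform or malformed native identifier")
    b64 = base64.urlsafe_b64encode(native_id.encode("utf-8")).rstrip(b"=")
    return f"{platform}-{b64.decode('ascii')}"

def decode_app_id(app_id):
    """Split and validate; only values that round-trip to the same canonical
    string are accepted, so two spellings cannot name the same app."""
    platform, sep, b64 = app_id.partition("-")  # platform names carry no '-'
    if not sep or platform not in PLATFORM_RULES:
        raise ValueError("missing or unknown platform namespace")
    padded = b64 + "=" * (-len(b64) % 4)
    try:
        native_id = base64.urlsafe_b64decode(padded).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        raise ValueError("identifier is not valid base64url")
    if not PLATFORM_RULES[platform].match(native_id):
        raise ValueError("decoded identifier violates platform syntax")
    if encode_app_id(platform, native_id) != app_id:
        raise ValueError("non-canonical encoding")
    return platform, native_id

# Constructed AS-side registry: the AS, not the TA, decides which native app
# (platform + identifier) is authorized to receive tokens.
AUTHORIZED_APPS = {
    ("ios", "com.example.mail"): "client_mail_ios",
    ("android", "com.example.mail"): "client_mail_android",
}

def authorize_azp(azp):
    """Map the azp value from a token request to a registered client id,
    or None when the app is unknown, malformed or not authorized."""
    try:
        return AUTHORIZED_APPS.get(decode_app_id(azp))
    except ValueError:
        return None
```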