[Openid-specs-native-apps] June 23 Notes from NAPPS call

John Bradley ve7jtb at ve7jtb.com
Wed Jun 24 14:43:46 UTC 2015


On the Call:
John Bradley
William Dennis
Brian Campbell
Paul Madsen

We discussed the new features being released in iOS9 and Android.

Apple’s SFSafariViewController <https://developer.apple.com/library/safari/releasenotes/General/WhatsNewInSafari/Articles/Safari_9.html> and Android’s Chrome Custom Tabs <https://developer.chrome.com/multidevice/android/customtabs> allow us to use the regular OAuth/Connect code flow to the enterprise or a SAAS.
SAAS can chain existing federation protocols to enterprises to achieve SSO based on session information in the browser.

With Apple’s Universal Links <https://developer.apple.com/library/prerelease/ios/documentation/UserExperience/Conceptual/Handoff/AdoptingHandoff/AdoptingHandoff.html#//apple_ref/doc/uid/TP40014338-CH2-SW10> and similar functionality on Android, the AS will be able to better guarantee that redirect_uris are returning codes to a legitimate instance of an app.

ACDC will be useful in some use cases, but is no longer required for NAPPS if we are not using a native app with a refresh token to maintain state.

The feeling was that these changes will allow us to do SSO for native apps without requiring as many changes to the existing protocols.

The recommendation on the call was to focus the main document as a best practices guide for doing Native SSO.

We still need a spec to cover session/device termination from an enterprise to a SAAS.  (SLO)
We need to document best practices for tenant discovery using accountchooser.com <http://accountchooser.com/> or native methods like app restrictions on Android.
We need to cover how to use PKCE for the flows to prevent token theft.

The question for the group is if there is a strong desire to proceed with the original plan to extend OAuth/Connect to enable a native TA.

John B.
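
The PKCE item in the notes above, shown as an added example (not part of the original message or of any NAPPS document): a client builds a code verifier and S256 challenge as defined in RFC 7636, and a toy in-memory authorization server refuses to redeem an authorization code unless the matching verifier is presented. The class, function names and redirect URI are constructed for illustration.

```python
import base64, hashlib, hmac, re, secrets

VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")  # RFC 7636 section 4.1

def b64url(data: bytes) -> str:
    # base64url without padding, as PKCE requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def new_code_verifier() -> str:
    return b64url(secrets.token_bytes(32))  # 43 characters of high entropy

def s256_challenge(verifier: str) -> str:
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

class ToyAuthorizationServer:
    """Constructed in-memory AS for illustration; not a real server."""
    def __init__(self):
        self._codes = {}  # code -> (code_challenge, redirect_uri)

    def authorize(self, code_challenge, method, redirect_uri):
        if method != "S256":  # refuse "plain": it offers no protection
            raise ValueError("only S256 is accepted")  # if the request leaks
        code = secrets.token_urlsafe(16)
        self._codes[code] = (code_challenge, redirect_uri)
        return code

    def token(self, code, code_verifier, redirect_uri):
        entry = self._codes.pop(code, None)  # codes are single use
        if entry is None:
            return None
        challenge, bound_uri = entry
        if redirect_uri != bound_uri:
            return None
        if not VERIFIER_RE.fullmatch(code_verifier or ""):
            return None
        if not hmac.compare_digest(s256_challenge(code_verifier), challenge):
            return None  # code was presented without the right verifier
        return "access-" + secrets.token_urlsafe(8)

def demo():
    server = ToyAuthorizationServer()
    uri = "https://app.example.com/cb"  # constructed redirect_uri
    verifier = new_code_verifier()      # never leaves the legitimate app
    # Case 1: the code is redeemed by a party that lacks the verifier.
    code = server.authorize(s256_challenge(verifier), "S256", uri)
    intercepted = server.token(code, new_code_verifier(), uri)
    # Case 2: the legitimate app redeems a fresh code with its verifier.
    code = server.authorize(s256_challenge(verifier), "S256", uri)
    legitimate = server.token(code, verifier, uri)
    return intercepted, legitimate
```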
