[Openid-specs-ab] Best practices for native+server client

Joseph Heenan joseph at authlete.com
Mon Jul 22 17:32:49 UTC 2019


If this were under FAPI part 2 the native app would need to obtain [at a minimum] the signed request object from the backend, and I believe PKCE then doesn’t add a huge amount (except allowing the server to perform the checks rather than relying on the client).

There might be an argument that the native app should never possess the code verifier and should instead ask the backend to create a code_challenge for it? I’m not sure it makes a massive difference to the security model though.

A spec seems like a good idea to me.

Joseph

> On 22 Jul 2019, at 17:38, Nat Sakimura via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
> 
> So do you think it is a good idea to codify it in a short spec?
> I have seen too many bad patterns lately :-(
> 
> On Mon, Jul 22, 2019 at 10:10 AM Torsten Lodderstedt
> <torsten at lodderstedt.net> wrote:
>> 
>>> On 20. Jul 2019, at 21:03, Nat Sakimura via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
>>> 
>>> An app sending a PKCE request and getting back the code, which is then sent to the server together with the code verifier and used by the server component to obtain the ID Token, feels a bit better.
>> 
>> I agree.
>> 
> 
> 
> -- 
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
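As an added illustration (not code from this thread or from any of its participants), a Python sketch of the variant Joseph raises: the backend generates the code_verifier and only the S256 code_challenge ever reaches the native app, so an authorization code that leaks from the device cannot be redeemed without the backend. Backend and AuthorizationServer are simplified in-memory stand-ins, not any real implementation.

```python
import base64
import hashlib
import secrets


def make_code_verifier() -> str:
    # 32 random bytes base64url-encoded give 43 unreserved chars (RFC 7636 s4.1).
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()


def s256_challenge(verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), no padding.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


class Backend:
    """Confidential server component: keeps the verifier, releases only the challenge."""
    def __init__(self):
        self._pending = {}  # state -> code_verifier

    def start_authz(self):
        state = secrets.token_urlsafe(16)
        verifier = make_code_verifier()
        self._pending[state] = verifier
        return state, s256_challenge(verifier)  # app puts these in the authz request

    def finish_authz(self, authz_server, state, code):
        verifier = self._pending.pop(state)  # unknown state raises KeyError
        return authz_server.token_request(code, verifier)


class AuthorizationServer:
    """Constructed stand-in: binds each code to the challenge it was issued for."""
    def __init__(self):
        self._codes = {}

    def authorize(self, code_challenge, method="S256"):
        code = secrets.token_urlsafe(16)
        self._codes[code] = code_challenge
        return code

    def token_request(self, code, verifier):
        challenge = self._codes.pop(code, None)  # single use
        if challenge is None or not secrets.compare_digest(s256_challenge(verifier), challenge):
            return None  # invalid_grant
        return {"id_token": "constructed-placeholder"}


def run_flow(code_only=False):
    backend, authz = Backend(), AuthorizationServer()
    state, challenge = backend.start_authz()
    code = authz.authorize(challenge)  # native app relays the challenge, gets the code
    if code_only:  # a code seen on the device, redeemed without the backend's verifier
        return authz.token_request(code, make_code_verifier())
    return backend.finish_authz(authz, state, code)
```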