[Openid-specs-ab] Best practices for native+server client

Nat Sakimura sakimura at gmail.com
Mon Jul 22 17:46:42 UTC 2019


There is a similar thread in OAuth, but that one is about the JS-based app in a browser.
In that case, all the requests should actually originate from the
server component, and the JS app in the browser should just use HttpOnly,
same-site cookies.

When it is a fat app, I am not sure if the same strategy works, as the
security context is completely different. I was kind of suggesting the
code verifier as the binding key between the fat app and the
server-side.

Like you say, the authorization request can also start from the
server-side. In this case, I guess the fat app will open an in-app
browser tab to kick off the process by calling the server, then the
server starts the regular OAuth/OpenID Connect/FAPI. Note that the
user may opt to spawn an external browser at that point. The
authorization response gets back to the server in that browser and
authorization succeeds in the browser. Now, what should be done to
bind that session to the fat app? What is the secure way of
binding the fat app to the server-side?

Best,

Nat Sakimura

On Mon, Jul 22, 2019 at 1:32 PM Joseph Heenan <joseph at authlete.com> wrote:
>
> If this were under FAPI part 2 the native app would need to obtain [at a minimum] the signed request object from the backend, and I believe PKCE then doesn’t add a huge amount (except allowing the server to perform the checks rather than relying on the client).
>
> There might be an argument that the native app should never possess the code verifier and should instead ask the backend to create a code_challenge for it? I’m not sure it makes a massive difference to the security model though.
>
> A spec seems like a good idea to me.
>
> Joseph
>
> > On 22 Jul 2019, at 17:38, Nat Sakimura via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
> >
> > So do you think it is a good idea to codify it in a short spec?
> > I have seen too many bad patterns lately :-(
> >
> > On Mon, Jul 22, 2019 at 10:10 AM Torsten Lodderstedt
> > <torsten at lodderstedt.net> wrote:
> >>
> >>
> >>
> >>> On 20. Jul 2019, at 21:03, Nat Sakimura via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
> >>>
> >>> An app sending a PKCE request and getting back the code, which is then sent to the server together with the code verifier, with both used by the server component to obtain the ID Token, feels a bit better.
> >>
> >> I agree.
> >>
> >
> >
> > --
> > Nat Sakimura (=nat)
> > Chairman, OpenID Foundation
> > http://nat.sakimura.org/
> > @_nat_en
>


-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
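The two PKCE variants discussed in this thread, as an added illustration that is not part of the list discussion: the native app holding the code verifier and handing code plus verifier to its backend, versus the backend creating the challenge so the app never possesses the verifier. The authorization server below is a constructed toy that only models the RFC 7636 S256 check at the token endpoint.

```python
import base64
import hashlib
import secrets
from typing import Dict, Optional

def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_verifier() -> str:
    """32 random bytes -> 43 unreserved characters (RFC 7636 minimum)."""
    return b64url(secrets.token_bytes(32))

def challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

class ToyAuthServer:
    """Constructed authorization server: remembers the challenge per code."""
    def __init__(self) -> None:
        self.codes: Dict[str, str] = {}

    def authorize(self, code_challenge: str) -> str:
        code = b64url(secrets.token_bytes(16))
        self.codes[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> Optional[dict]:
        challenge = self.codes.pop(code, None)  # codes are single use
        if challenge is None:
            return None
        if not secrets.compare_digest(challenge_s256(code_verifier), challenge):
            return None  # verifier does not bind to this code
        return {"id_token": "constructed-id-token-for-" + code[:8]}

def app_holds_verifier_flow(srv: ToyAuthServer) -> Optional[dict]:
    # Thread pattern: app makes the PKCE request, receives the code, then
    # passes (code, verifier) to its server component, which redeems them.
    verifier = make_verifier()
    code = srv.authorize(challenge_s256(verifier))
    return srv.token(code, verifier)

def backend_holds_verifier_flow(srv: ToyAuthServer) -> Optional[dict]:
    # Alternative raised in the thread: backend mints the verifier and only
    # hands the app the challenge; the verifier never leaves the server.
    backend_state = {"verifier": make_verifier()}
    code = srv.authorize(challenge_s256(backend_state["verifier"]))
    return srv.token(code, backend_state["verifier"])

def code_without_verifier_flow(srv: ToyAuthServer) -> Optional[dict]:
    # A code presented with a verifier that does not hash to the stored
    # challenge is rejected, which is the binding property both variants rely on.
    code = srv.authorize(challenge_s256(make_verifier()))
    return srv.token(code, make_verifier())
```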