[Openid-specs-ab] Best practices for native+server client
Tom Jones
thomasclinganjones at gmail.com
Mon Jul 22 17:53:41 UTC 2019
Are you saying that the ukob spec addresses the communication between a sp
and the sp software running on the users phone?
That is the topic of a code of conduct currently under development in us
health care. It would be good to compare notes.
Since this is regarded as internal messaging I am not sure it is an
appropriate subject for standardization. Best practice perhaps.
thx ..Tom (mobile)
On Mon, Jul 22, 2019, 10:33 AM Joseph Heenan via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:
> If this were under FAPI part 2 the native app would need to obtain [at a
> minimum] the signed request object from the backend, and I believe PKCE
> then doesn’t add a huge amount (except allowing the server to perform the
> checks rather than relying on the client).
>
> There might be an argument that the native app should never possess the
> code verifier and should instead ask the backend to create a code_challenge
> for it? I’m not sure it makes a massive difference to the security model
> though.
>
> A spec seems like a good idea to me.
>
> Joseph
>
> > On 22 Jul 2019, at 17:38, Nat Sakimura via Openid-specs-ab <
> openid-specs-ab at lists.openid.net> wrote:
> >
> > So do you think it is a good idea to codify it in a short spec?
> > I have seen too many of bad patterns lately :-(
> >
> > On Mon, Jul 22, 2019 at 10:10 AM Torsten Lodderstedt
> > <torsten at lodderstedt.net> wrote:
> >>
> >>
> >>
> >>> On 20. Jul 2019, at 21:03, Nat Sakimura via Openid-specs-ab <
> openid-specs-ab at lists.openid.net> wrote:
> >>>
> >>> An app sending a PKCE request and getting back the code that is being
> sent to the server with the code verifier that are used by the server
> component to obtain ID Token feels a bit better.
> >>
> >> I agree.
> >>
> >
> >
> > --
> > Nat Sakimura (=nat)
> > Chairman, OpenID Foundation
> > http://nat.sakimura.org/
> > @_nat_en
> > _______________________________________________
> > Openid-specs-ab mailing list
> > Openid-specs-ab at lists.openid.net
> > http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20190722/8a3083f3/attachment.html>
More information about the Openid-specs-ab
mailing list