[Openid-specs-ab] Submission: Native SSO for Mobile Apps (txt and xml)
George Fletcher
gffletch at aol.com
Sat Mar 9 16:08:01 UTC 2019
Hi Torsten,
Thanks so much for reading through the proposal!
I wanted to ensure that each client had its own refresh_token. I
consider refresh_tokens to be bound to the client_id of the client, both
for metric purposes and for security. For instance, if a client_id
starts misbehaving I want to be able to disable the client_id and in
doing so effectively revoke all tokens issued to that client_id.
Maybe not required, but that was my rationale :)
Thanks,
George
On 3/9/19 9:58 AM, Torsten Lodderstedt wrote:
> Hi George,
>
> I read your proposal and I (believe to) understand that the device secret is introduced as kind of a device identifier (+ some additional data) grouping tokens issued to different apps residing on the same device.
>
> A question popped up: Why do you use an id token and the token exchange to obtain fresh access tokens? Wouldn't it be sufficient to share the refresh token among those apps? Even if the refresh token is rotated, the legit apps are supposed to share some state on the device, so any of those apps could use the currently valid refresh token to perform the flow (again).
>
> best regards,
> Torsten.
>
>
>> On 08.01.2019 at 00:22, George Fletcher via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
>>
>> Per the working group call today, bumping to the top of the list.
>>
>>
>> -------- Forwarded Message --------
>> Date: Fri, 22 Jun 2018 13:30:08 -0400
>> Subject: [Openid-specs-ab] Submission: Native SSO for Mobile Apps (txt and xml)
>> From: George Fletcher via Openid-specs-ab <openid-specs-ab at lists.openid.net>
>> Reply-To: George Fletcher <gffletch at aol.com>
>>
>> Per the notes from Thursday's OpenID Connect working group call, here are text and xml formatted versions of the Native SSO for Mobile Apps spec.
>>
>> Please note, the core text is here but this is nowhere near final. Note that the text for the additions for dynamic client registration and the other IANA registrations is taken from the "front channel logout" spec. I left the sections there as they will likely be needed.
>>
>> The purpose here is to get the core text in the proper format.
>>
>> Thanks,
>> George
>>
>>
>>
>> --
>> Identity Standards Architect
>> Verizon Media Work: george.fletcher at oath.com
>> Mobile: +1-703-462-3494 Twitter: http://twitter.com/gffletch
>> Office: +1-703-265-2544 Photos: http://georgefletcher.photography
>>
>> Attachments: openid-connect-native-sso-1_0.txt, openid-connect-native-sso-1_0.xml