[Openid-specs-ab] [External Sender] Working group review of OpenID Connect Native SSO for Mobile Apps specification
Tom Jones
thomasclinganjones at gmail.com
Wed Sep 21 16:17:45 UTC 2022
George: I understand what issue you are trying to solve. But my comment is
that we need to take the view from the RP.
What is it exactly that the RP needs to know about their registered users
to be able to recognize them no matter what device they are using?
..tom
On Wed, Sep 21, 2022 at 8:57 AM George Fletcher <
george.fletcher at capitalone.com> wrote:
> I agree with you Karl regarding not solving the issue of the user having
> the same app (public client) installed on multiple devices and wanting to
> revoke just one of the devices. Usually this hits snags if the user is
> required to "name" the device.
>
> Of course, Dynamic Client Registration can solve the "identification" of
> the device problem.. but the naming side of it still exists.
>
> Thanks for the clarification on how it's being used. For me the bigger
> question is do we want a spec that solves the cross-device SSO problem (in
> most cases this is a new device use case).
>
> Tom, I think passkeys and authentication at that level is orthogonal to
> this spec. It is addressing how the user authenticates where this spec is
> about sharing the authentication state once the user has authenticated. Is
> that fair?
>
> Thanks,
> George
>
> On Wed, Sep 21, 2022 at 11:36 AM Tom Jones via Openid-specs-ab <
> openid-specs-ab at lists.openid.net> wrote:
>
>> The talk raised larger issues. Since the big guys support cross device
>> and webauth is device only (AFAIK) how is a RP able to keep track of
>> people if devices/big guys are in the ID mix?
>>
>> ..tom
>>
>>
>> On Wed, Sep 21, 2022 at 8:27 AM Karl McGuinness via Openid-specs-ab <
>> openid-specs-ab at lists.openid.net> wrote:
>>
>>> This talk was more aspirational with cross-device scenarios with
>>> keychain. We currently only have customers in production using the
>>> intended native app to app (app suite) on a single device use case.
>>>
>>> Interested to hear the feedback. The lack of an interoperable way to tag a
>>> refresh token with “device_id” or “device_name” is a common gap today with
>>> users using the same app (client_id) across their devices (e.g. phone and
>>> tablet) which is much more common with public clients and wanting to revoke
>>> tokens for a specific device that I’m surprised we haven’t resolved yet in
>>> some other OAuth spec (don’t see any registrations in
>>> https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#parameters
>>> ).
>>>
>>> -Karl
>>>
>>> On Sep 20, 2022, at 11:02 AM, George Fletcher via Openid-specs-ab <
>>> openid-specs-ab at lists.openid.net> wrote:
>>>
>>> For those that missed this talk (Frictionless authentication with mobile
>>> single-sign-on; https://www.youtube.com/watch?v=8BkblIYjegk)
>>> at Identiverse in June... it covers an additional use case for the native
>>> sso spec. I'd like to discuss this aspect as well on 9/22. I suspect some
>>> additional text in the spec may be required to address this use case.
>>>
>>> Thanks,
>>> George
>>>
>>> On Fri, Sep 9, 2022 at 4:46 PM Mike Jones via Openid-specs-ab <
>>> openid-specs-ab at lists.openid.net> wrote:
>>>
>>>> It was decided at yesterday’s working group call to advance the OpenID
>>>> Connect Native SSO for Mobile Apps specification to Implementer’s Draft
>>>> status. Prior to the foundation-wide review, please review the
>>>> specification at
>>>> https://openid.net/specs/openid-connect-native-sso-1_0.html
>>>> and file any issues at
>>>> https://bitbucket.org/openid/connect/issues?status=new&status=open.
>>>> Please complete your reviews in time for the working group call on
>>>> Thursday, September 22nd.
>>>>
>>>>
>>>>
>>>> -- Mike
>>>>
>>>>
>>>> _______________________________________________
>>>> Openid-specs-ab mailing list
>>>> Openid-specs-ab at lists.openid.net
>>>>
>>>> https://lists.openid.net/mailman/listinfo/openid-specs-ab
>>>>
>>>>
>>> ------------------------------
>>>
>>>
>>> The information contained in this e-mail is confidential and/or
>>> proprietary to Capital One and/or its affiliates and may only be used
>>> solely in performance of work or services for Capital One. The information
>>> transmitted herewith is intended only for use by the individual or entity
>>> to which it is addressed. If the reader of this message is not the intended
>>> recipient, you are hereby notified that any review, retransmission,
>>> dissemination, distribution, copying or other use of, or taking of any
>>> action in reliance upon this information is strictly prohibited. If you
>>> have received this communication in error, please contact the sender and
>>> delete the material from your computer.
>>>