[Openid-specs-ab] [External Sender] Two questions on Native SSO draft
Nat Sakimura
nat at sakimura.org
Fri Feb 9 02:03:03 UTC 2024
Thanks for the feedback!
For 1), it is not a big deal, if implementations are already doing it. I
think it is already kind of clear but making sure that readers understand
that this is a token would suffice.
For 2), stating a security goal in the beginning, e.g. SSO on a single user
device etc., and perhaps a security considerations might be good.
Best,
Nat
On Fri, 9 Feb 2024 at 00:21, George Fletcher <george.fletcher at capitalone.com>
wrote:
> Comments inline...
>
> On Wed, Feb 7, 2024 at 8:19 PM Nat Sakimura via Openid-specs-ab <
> openid-specs-ab at lists.openid.net> wrote:
>
>> Hi
>>
>> (Mainly to George)
>>
>> While reading the Native SSO draft, I stumbled on the following
>> questions. If you could clarify them, it would be helpful.
>>
>> 1) Device secret seems to be a token that is returned from the token
>> endpoint. Would it not be more appropriate to be called device_token or
>> something?
>>
> The name device_secret came from an IIW session where I asked about
> naming. Yes it is a token, issued by the authorization server and it is
> intended to be "secret" between that device instance and the Authorization
> server. I'm not sure changing the name at this time would be good given the
> number of deployed implementations.
>
>
>> 2) Is there any provision that assures the user of Native App 1 and
>> Native App 2 is the same?
>>
> Within the specification, there isn't any check. If we think about SSO
> from a web perspective, there would not likely be a check of user identity
> during the SSO flow. We consider use of the same device instance as
> sufficient proof that the user is the same. If Native App 2 requires an
> "identity proof" it could do its own say faceID challenge before engaging
> the Native SSO spec. So I think this is possible outside of the current
> spec.
>
> I could probably add something to the security considerations section if
> you think that would be useful.
>
>>
>> Best,
>>
>> Nat Sakimura
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net