[Openid-specs-ab] Announcing AppAuth for Android, a client SDK for OAuth 2.0 and OpenID Connect

William Denniss wdenniss at google.com
Sat Feb 27 07:41:53 UTC 2016

Thanks for the feedback. Yes, this is the initial code contribution by the
team. Hopefully it's just the starting point, I'm really excited to see
what we can build together as a community!

The library rolls up and implements a bunch of stuff we've been discussing
over the last 12 months, including PKCE, and the learnings of the NAPPS WG.
Huge thank you to everyone who was part of those discussions and helped
form these ideas. In particular John Bradley and Paul Madsen who have on at
least one occasion flown part-way around the world just so we could
whiteboard a bunch of ideas together, and Nat Sakimura who was always
dialed in to the call, regardless of the time of day.

Would be great to integrate the RP tests into this. I'm hoping we can
automate a lot of them.

There are definitely lots of areas for improvement if people are keen, for
example it would be good to add a complete client side ID Token validation
library. Now that the initial code foundation is there, we can discuss where to
take it as a community.  Let's be sure to file issues to track each item,
to avoid any duplicated work.

Also, everyone: please feel free to file bugs in GitHub as you find them!

On Fri, Feb 26, 2016 at 10:54 PM, John Bradley <ve7jtb at ve7jtb.com> wrote:

> I think we were perhaps a bit over excited at having the SDK available,
> and meeting our release goal.
> You are correct about the fine tuning of the language and our need to
> describe this as a product of the OIDF rather than as a single member.
> In conversations this week with the GSMA they are interested in
> harmonizing the mobile Connect SDK they have developed as there is a large
> amount of overlap.
> As this moves ahead I think this will become a truly important open source
> contribution.
> As to RP testing, Paul Meyer from Ping is working on demo apps using the
> SDK on iOS and Android.
> The SDK may not yet constitute a complete RP on its own.
> It will be worth seeing how the RP tests can be applied to native apps as
> part of our testing the tests.
> I will encourage him to try a demo app that can be used for the RP test.
> John B.
> On Feb 27, 2016, at 12:53 AM, Mike Jones <Michael.Jones at microsoft.com>
> wrote:
> First, congratulations on this achievement!
> I’m writing back with my board secretary hat on and adding the marketing
> committee.  Language matters.  I’m going to suggest some alternative
> language to use in future communications about this, because some of the
> language below could be misinterpreted in a way that leads people to reach
> false conclusions and negatively impacts the OpenID Foundation and its
> reputation.
> In the future, you should probably replace the sentence “The Google
> Identity team has open sourced AppAuth for Android
> <http://openid.github.io/AppAuth-Android/> under the OpenID Foundation”
> with “The Google Identity team has contributed the open source AppAuth
> for Android <http://openid.github.io/AppAuth-Android/> code to the OpenID
> Connect working group”.  Why?  First, because a contribution is always
> made to a specific working group and not to the Foundation as a whole.
> Second, because the current language could be misinterpreted as implying an
> endorsement of this implementation by the OpenID Foundation.  The
> Foundation has to be extremely careful not to create an impression that it
> is favoring implementations by one member over those that are created by
> others.  I’m sure you understand that that is critical to the Foundation’s
> reputation.
> Likewise, you need to replace the sentence “We contributed the code to
> the OIDF under the foundation's new contributor license agreement (CLA)”
> with “We contributed the code to the OpenID Connect Working Group under
> the OpenID Foundation’s new contributor license agreement (CLA)”.
> Language matters.  Thanks for listening and trying to be more clear in
> future communications so that accurate perceptions are formed, particularly
> those that might reach a wider audience.
> Best wishes,
> -- Mike
> P.S.  How soon can you run the implementation through the RP certification
> tests?
> *From:* Openid-specs-ab [mailto:openid-specs-ab-bounces at lists.openid.net
> <openid-specs-ab-bounces at lists.openid.net>] *On Behalf Of *William Denniss
> *Sent:* Friday, February 26, 2016 9:58 AM
> *To:* openid-specs-ab at lists.openid.net; Iain McGinniss
> *Subject:* [Openid-specs-ab] Announcing AppAuth for Android, a client SDK
> for OAuth 2.0 and OpenID Connect
> The Google Identity team has open sourced AppAuth for Android
> <http://openid.github.io/AppAuth-Android/> under the OpenID Foundation.
> AppAuth is a client SDK for OAuth and OpenID Connect that follows the best
> practices <https://tools.ietf.org/html/draft-ietf-oauth-native-apps> for
> doing standards-based auth in apps, including in-built support for PKCE
> <https://tools.ietf.org/html/rfc7636> and performing user interaction in
> custom tabs
> <http://developer.android.com/tools/support-library/features.html#custom-tabs>
> (a feature of Android supported by Chrome
> <https://developer.chrome.com/multidevice/android/customtabs>, and open
> to other browsers).
> You can fork the repository <https://github.com/openid/AppAuth-Android> on
> GitHub, and reference the Maven dependency
> <https://bintray.com/openid/net.openid/appauth/view>. Comprehensive API
> docs <https://openid.github.io/AppAuth-Android/docs/latest/> are
> available.
> I gave a talk <https://www.youtube.com/watch?v=ppeU8yeI_ks> at the OpenID
> Summit Tokyo last year, which outlines some of the motivations behind this
> effort.
> We contributed the code to the OIDF under the foundation's new contributor
> license agreement (CLA). If you/your company have signed the CLA, feel free
> to contribute by sending a pull request.  Currently myself and my
> colleague Iain McGinniss are the maintainers, and will review all incoming
> pull requests.
> Thanks to the contributors on my team: Iain McGinniss, Steven Wright, Alex
> Chau, and Benjamin Franz for their hard work building the library. To Don
> Thibeau, John Bradley, Adam Dawes and Mike Leszcz for their guidance and
> help getting the OpenID Foundation set up to accept code contributions, Paul
> Meyer and John Bradley for interop validation, and Andy Zmolek for
> advocating this best practice in the Android community.
> Special thanks to Adam Dawes and Eric Sachs for backing the AppAuth effort.