[Openid-specs-ab] Best practices for native+server client
thomasclinganjones at gmail.com
Sat Jul 20 21:02:46 UTC 2019
I have been trying to get my head around this problem to solve the US
Health care requirements as specified here:
https://hl7.org/fhir/smart-app-launch/index.html Note that the focus here
is on IAL2/AAL2 authn, which requires some sort of TEE.
You should also note that they have separated the problem into quadrants,
native apps and web apps on one axis and site supplied versus trusted third
party on the other.
I have been focused on the trusted third party app. It sounds like you are
asking about site supplied, but both need to be addressed to assure that
the right criteria are placed on the right problem.
A good approach would be to address all four at once to give architects the
ability to make the right choices, but a third axis would be assurance
level. That would be 8 use cases (or 12 if you wanted to address IAL3 as
On Sat, Jul 20, 2019 at 12:11 PM Nat Sakimura via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:
> So, what are the best practices for native app + server based client? There
> can be several patterns but I don't think we have actually documented them.
> An app getting an ID token using PKCE and sending it over to the server does
> not feel right, as the binding between the app and the server component is
> pretty weak.
> An app sending a PKCE request and getting back the code that is then sent
> to the server with the code verifier, which is used by the server component
> to obtain the ID token, feels a bit better.
> Any suggestions?
> Nat Sakimura
> Chairman, OpenID Foundation
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
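The second pattern Nat describes (native app runs the PKCE authorization request, then hands the code and code_verifier to its server component, which redeems them at the token endpoint) as an added, runnable toy model. This is illustration written for this thread, not code from the OpenID Foundation or any of the posters. The authorization server class, the client_id, redirect_uri, subject value and the dict standing in for an ID token are all made up; there is no network, no JWT signing, and the app-to-server channel is assumed to be the client's own TLS-protected backend API. The PKCE pieces (S256 challenge derivation, single-use code, verifier check at the token endpoint) follow RFC 7636.

```python
"""Toy model of: native app does PKCE authz request -> gets code ->
posts code + code_verifier to its own server component -> server
component redeems them at the AS token endpoint for an ID token.

Added illustration for the thread, not code from the original post.
AuthorizationServer, CLIENT_ID, REDIRECT_URI and the returned dict are
stand-ins; nothing here talks to a real OpenID Provider."""
import base64
import hashlib
import secrets

CLIENT_ID = "native-plus-backend-client"      # assumed: one client_id for app + server
REDIRECT_URI = "com.example.app:/oauth2redirect"  # assumed custom-scheme redirect


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """RFC 7636 s4.1: 43..128 unreserved chars; 32 random bytes -> 43 chars."""
    return b64url(secrets.token_bytes(32))


def challenge_s256(verifier: str) -> str:
    """RFC 7636 s4.2: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Hypothetical AS: stores the challenge with each issued, single-use code."""

    def __init__(self):
        self._codes = {}

    def authorize(self, client_id, redirect_uri, code_challenge, method="S256"):
        if method != "S256":            # refuse the weaker 'plain' method
            raise ValueError("only S256 is accepted")
        code = b64url(secrets.token_bytes(24))
        self._codes[code] = (client_id, redirect_uri, code_challenge)
        return code

    def token(self, client_id, redirect_uri, code, code_verifier):
        entry = self._codes.pop(code, None)   # pop: a code can be redeemed once
        if entry is None:
            return None
        cid, ruri, chal = entry
        if cid != client_id or ruri != redirect_uri:
            return None
        # The PKCE check: whoever redeems the code must hold the verifier
        # whose S256 hash was bound to the code at authorization time.
        if not secrets.compare_digest(challenge_s256(code_verifier), chal):
            return None
        return {"iss": "https://as.example", "aud": client_id, "sub": "user-123"}


def native_app_start(as_, client_id, redirect_uri):
    """Step 1 (native app): create verifier + challenge, run the authz request."""
    verifier = make_verifier()
    code = as_.authorize(client_id, redirect_uri, challenge_s256(verifier))
    return code, verifier


def server_component_redeem(as_, client_id, redirect_uri, code, verifier):
    """Step 2 (server component): the app posted code + verifier to its backend
    over the assumed TLS channel; the backend calls the token endpoint."""
    return as_.token(client_id, redirect_uri, code, verifier)


def run_pattern_two():
    """Happy path: the server component ends up with the ID token."""
    as_ = AuthorizationServer()
    code, verifier = native_app_start(as_, CLIENT_ID, REDIRECT_URI)
    return server_component_redeem(as_, CLIENT_ID, REDIRECT_URI, code, verifier)


def run_code_only_observer():
    """A party that only saw the code (e.g. on the redirect) lacks the verifier."""
    as_ = AuthorizationServer()
    code, _verifier = native_app_start(as_, CLIENT_ID, REDIRECT_URI)
    return server_component_redeem(as_, CLIENT_ID, REDIRECT_URI, code, make_verifier())


def run_code_replay():
    """Redeeming the same code twice: first succeeds, second is refused."""
    as_ = AuthorizationServer()
    code, verifier = native_app_start(as_, CLIENT_ID, REDIRECT_URI)
    first = server_component_redeem(as_, CLIENT_ID, REDIRECT_URI, code, verifier)
    second = server_component_redeem(as_, CLIENT_ID, REDIRECT_URI, code, verifier)
    return first, second


if __name__ == "__main__":
    print("pattern two:", run_pattern_two())
    print("code-only observer:", run_code_only_observer())
    print("replay:", run_code_replay())
```

What the model makes visible is the property Nat is after: the code alone is worthless to anyone who does not also hold the code_verifier, and the verifier never leaves the app-plus-backend client. It does not, by itself, prove to the AS which server component is redeeming the code; that is the binding question the thread leaves open.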