[Openid-specs-ab] Best practices for native+server client

Nat Sakimura sakimura at gmail.com
Sun Jul 21 14:59:10 UTC 2019


Yes. I am talking about the combination of the site supplied mobile
app + web backend.
Also, the user authentication is handled by an external IdP.

I will have a look at the link you gave.

Thanks. Regards

Nat

On Sat, Jul 20, 2019 at 5:02 PM Tom Jones <thomasclinganjones at gmail.com> wrote:
>
> I have been trying to get my head around this problem to solve the US Health care requirements as specfied here  https://hl7.org/fhir/smart-app-launch/index.html  Note that the focus here is on IAL2 AAL2 authn which requires some sort of TEE.
> You should also note that they have separated the problem into quadrants, native apps and web apps on one axis and site supplied versus trusted third party on the other.
> I have been focused on the trusted third party app. I sounds like you are asking about site supplied, but both need to be addressed to assure that the right criteria an placed on the right  problem.
> A good approach would to address all four at once to give architects the ability to make the right choices, but a third axis would be assurance level. That would be 8 use cases (or 12 if you wanted to address IAL3 as well).
> ..tom
> Peace ..tom
>
>
> On Sat, Jul 20, 2019 at 12:11 PM Nat Sakimura via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
>>
>> So, what is the best practices for native app + server based client? There can be several patterns but I don't think we have actually documented them.
>>
>> An app getting ID token using PKCE and sending it over to the server does not feel right as the binding between the App and the server component is pretty weak.
>>
>> An app sending a PKCE request and getting back the code that is being sent to the server with the code verifier that are used by the server component to obtain ID Token feels a bit better.
>>
>> Any suggestions?
>>
>> Nat Sakimura
>> Chairman, OpenID Foundation
>> https://nat.sakimura.org
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab



-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en


More information about the Openid-specs-ab mailing list