[Openid-specs-ab] Best practices for native+server client

Tom Jones thomasclinganjones at gmail.com
Sun Jul 21 18:03:45 UTC 2019

I don't think that applies to health care. (altho it could if the authn
were IAL2 certified - i just don't see that happening.)
So the model i have in mind is that the user visits a csp and gets a
credential that is stored on their machine.
>From that time on the user just authenticates to their phone and that act
(gesture, whatever) releases the cred to the site.
The CSP is not involved in authentication, just the access to the local TEE.
Peace ..tom

On Sun, Jul 21, 2019 at 7:59 AM Nat Sakimura <sakimura at gmail.com> wrote:

> Yes. I am talking about the combination of the site supplied mobile
> app + web backend.
> Also, the user authentication is handled by an external IdP.
> I will have a look at the link you gave.
> Thanks. Regards
> Nat
> On Sat, Jul 20, 2019 at 5:02 PM Tom Jones <thomasclinganjones at gmail.com>
> wrote:
> >
> > I have been trying to get my head around this problem to solve the US
> Health care requirements as specfied here
> https://hl7.org/fhir/smart-app-launch/index.html  Note that the focus
> here is on IAL2 AAL2 authn which requires some sort of TEE.
> > You should also note that they have separated the problem into
> quadrants, native apps and web apps on one axis and site supplied versus
> trusted third party on the other.
> > I have been focused on the trusted third party app. I sounds like you
> are asking about site supplied, but both need to be addressed to assure
> that the right criteria an placed on the right  problem.
> > A good approach would to address all four at once to give architects the
> ability to make the right choices, but a third axis would be assurance
> level. That would be 8 use cases (or 12 if you wanted to address IAL3 as
> well).
> > ..tom
> > Peace ..tom
> >
> >
> > On Sat, Jul 20, 2019 at 12:11 PM Nat Sakimura via Openid-specs-ab <
> openid-specs-ab at lists.openid.net> wrote:
> >>
> >> So, what is the best practices for native app + server based client?
> There can be several patterns but I don't think we have actually documented
> them.
> >>
> >> An app getting ID token using PKCE and sending it over to the server
> does not feel right as the binding between the App and the server component
> is pretty weak.
> >>
> >> An app sending a PKCE request and getting back the code that is being
> sent to the server with the code verifier that are used by the server
> component to obtain ID Token feels a bit better.
> >>
> >> Any suggestions?
> >>
> >> Nat Sakimura
> >> Chairman, OpenID Foundation
> >> https://nat.sakimura.org
> >> _______________________________________________
> >> Openid-specs-ab mailing list
> >> Openid-specs-ab at lists.openid.net
> >> http://lists.openid.net/mailman/listinfo/openid-specs-ab
> --
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20190721/ec8602f2/attachment.html>

More information about the Openid-specs-ab mailing list