[Openid-specs-native-apps] NAPPS F2F Note (2014-10-27)
Nat Sakimura
sakimura at gmail.com
Mon Oct 27 18:38:01 UTC 2014
Date: 20141026
Time: 0900-1130
Location: Googleplex 1950
Attending
=========
Nat Sakimura,
Emily Xu,
Bill Welch,
Marius Scurtescu,
Michael dietz,
David Waite,
David Chase,
William Denniss,
Peter Huang,
Naveen Agarwal,
George Fletcher,
Ashish Jain,
Topics
============
Problem of a bad app registering the same scheme as TA was discussed.
Naveen pointed out that it is easier to phish the user by having an
embedded browser and asking username and password, so the TA being
impersonated is not a significant risk.
In iOS, TA running in a browser may be safer than an app.
New API opened app does not make it possible to detect who is the calling
app so it is not usable for our purpose.
Native Token Agent should be a per-instance confidential client, with OOB
confidential credential.
Advantage of using TA is to obtain the info about the calling app.
Different approach needed for platforms.
iOS Android
----------- ----------------------
code AT
id_tokein id_token
3rd Party code ditto
(for server)
Basic setup would return code, id_token, 3rd Party code.
With additional condition met, it could return AT.
Airwatch example discussed: it is intra-app communication.
- Browser way
- iOS Native App way
- Android Native App way
Some extension to response of OpenID Connect perhaps.
Google does check the registration of custom scheme against existing
protocols and other schemes.
--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-native-apps/attachments/20141027/7c421453/attachment.html>
More information about the Openid-specs-native-apps
mailing list