[Openid-specs-native-apps] Fwd: Web Browser news from WWDC
John Bradley
ve7jtb at ve7jtb.com
Mon Jun 15 18:54:31 UTC 2015
There are two features that will both be available on iOS and Android.
One is giving a native app the ability to invoke a system browser tab with access to all the certificates and other cookie/local storage.
The other new feature is allowing apps to claim https: URI.
It works slightly differently on iOS and Android but the result seems to be largely the same.
Once you install an app that has claimed a URI, that URI is now treated as special by the browser.
On iOS Apple has always special cased the URI for YouTube and had the browser redirect them to the app.
So you could imagine an AS that uses plain OAuth + PKCE or OAuth + ACDC via browser call in a web Tab that involves no UI flip and is 100% Apple approved.
The AS could distribute a native token agent app that claims the URI of the web AS.
The app would transparently just start working with the Native Token Agent.
What I don’t know is what happens if two apps claim the same URI etc.
The other thing to consider is that with Fido 2.0 it will have a JS API and may work just as well from a JS browser tab as from a native app.
There is also an attestation API on Android, that a calling app could possibly use to prove its bundle id etc on the device using the browser flow.
I don’t yet know if Apple will have something similar.
So as a thought experiment, what if doing NAPPS from the app point of view is just the OAuth code + PKCE or OAuth + ACDC plus a possible app attestation.
SaaS apps would still need discovery/MDM to know what enterprise to talk to, but basically any enterprise app doing code + pkce would just work, and can transparently be redirected to a native token agent if desired.
Or I suppose we could decide that if we can get 99% of what we want without a native token agent. If that is the case then perhaps some things could be simplified.
John B.
> On Jun 15, 2015, at 10:08 AM, Mike Varley <mike.varley at securekey.com> wrote:
>
> Right - from what I understand the new tabs do everything the system browser does, and allows access to system browser state. But I only know what I saw from the keynote :)
>
> So improved UX, not only from a buttons and tabs perspective, but the user's state is now accessible from the system browsers as well.
>
> MV
>
> On Jun 15, 2015, at 8:50 AM, Paul Madsen <paul.madsen at gmail.com> wrote:
>
>> hey Mike, if true, you are saying the new tabs can 'do everything the system browser does', so the only difference is UX
>>
>> I'm not diminishing the importance of the UX, just want to understand what we gain
>>
>> On 6/15/15 8:36 AM, Mike Varley wrote:
>>> I seem to recall that both iOS and Android will now allow these embedded web views (i.e., chrome tabs and safari web views) full access to the user's settings: including cookies, stored passwords, local storage, (device certificates as John mentioned), touchID? the works. And there is the improved UI experience as well, that you pointed out, with "back" buttons that automatically return the user to the calling App.
>>>
>>> MV
>>>
>>>
>>>
>>> On Jun 15, 2015, at 8:05 AM, Paul Madsen <paul.madsen at gmail.com> wrote:
>>>
>>>> John, can you expand on
>>>>
>>>> 'However it seems like we will be able to do significantly more with the browser than we had been thinking.'
>>>>
>>>> As I see it, the new feature doesn't enable anything *more* other than a better UX on iOS? True?
>>>>
>>>> Paul
>>>>
>>>> On 6/12/15 4:38 PM, John Bradley wrote:
>>>>> Have a look at 23min into this video from ADC.
>>>>>
>>>>> https://developer.apple.com/videos/wwdc/2015/?id=504
>>>>> This is a significant development.
>>>>>
>>>>> In talking to others from Google yesterday and today, they have introduced similar functionality in Android rolling out in approximately the same timeframe, and backwards compatible with current versions of Android.
>>>>>
>>>>> Being able to invoke a web tab without an app flip is a significant change, potentially making the TA in the browser that we have talked about the preferred option on iOS.
>>>>>
>>>>> People should look at the ACDC draft https://bitbucket.org/openid/napps/wiki/Home.
>>>>>
>>>>> It may be that NAPPS for enterprise is OAuth using a tab plus PKCE and some additional app verification logic + fido api in the browser.
>>>>> For SaaS we may be able to use OAuth + ACDC and discovery in a tab.
>>>>>
>>>>> It looks like the tab will have access to device certificates solving some people's issues around that.
>>>>>
>>>>> We should also be able to do accountchooser.com in the browser tab to perform account discovery.
>>>>>
>>>>> Now that the changes have landed on iOS and Android we should be good to do testing in the late summer fall.
>>>>>
>>>>> Please start the discussion on the list.
>>>>>
>>>>> I recognize that some people will still have use cases for native token agents, so I am not proposing completely eliminating that yet.
>>>>>
>>>>> However it seems like we will be able to do significantly more with the browser than we had been thinking.
>>>>>
>>>>> Regards
>>>>> John B.
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Openid-specs-native-apps mailing list
>>>>> Openid-specs-native-apps at lists.openid.net
>>>>> http://lists.openid.net/mailman/listinfo/openid-specs-native-apps
>>>>
>>>
>>
>
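Added example, not part of the original thread or the NAPPS drafts: a Python sketch of the "OAuth code + PKCE" check discussed above, showing why an app that receives the redirect for a claimed https: URI but did not start the flow cannot redeem the code. `ToyAuthServer`, `demo`, the client id and the URL are hypothetical; the S256 transform follows RFC 7636 as later published.

```python
import base64
import hashlib
import hmac
import re
import secrets

VERIFIER_RE = re.compile(r"[A-Za-z0-9._~-]{43,128}")  # RFC 7636, section 4.1

def new_verifier() -> str:
    # 32 random bytes -> 43 unpadded base64url characters
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()

def s256_challenge(verifier: str) -> str:
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

class ToyAuthServer:
    """In-memory stand-in for an AS; all names here are hypothetical."""
    def __init__(self):
        self._codes = {}

    def authorize(self, client_id, redirect_uri, code_challenge):
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, redirect_uri, code_challenge)
        return code  # goes to whichever app ends up handling redirect_uri

    def token(self, client_id, redirect_uri, code, code_verifier):
        entry = self._codes.pop(code, None)  # single use, even on failure
        if entry is None:
            raise PermissionError("unknown or already used code")
        if entry[:2] != (client_id, redirect_uri):
            raise PermissionError("client_id or redirect_uri mismatch")
        if not VERIFIER_RE.fullmatch(code_verifier):
            raise PermissionError("malformed code_verifier")
        if not hmac.compare_digest(s256_challenge(code_verifier), entry[2]):
            raise PermissionError("code_verifier does not match code_challenge")
        return "access-token-" + secrets.token_urlsafe(8)

def demo():  # -> (legitimate_app_ok, other_app_ok) for a constructed flow
    server, results = ToyAuthServer(), []
    redirect = "https://as.example.com/cb"  # constructed claimed https URI
    verifier = new_verifier()  # never leaves the app that started the flow
    for presented in (verifier, new_verifier()):  # owner, then a second app
        code = server.authorize("app1", redirect, s256_challenge(verifier))
        try:
            results.append(bool(server.token("app1", redirect, code, presented)))
        except PermissionError:
            results.append(False)
    return tuple(results)
```

The code is bound to the challenge at authorization time, so which app ends up handling the redirect matters less than which app holds the verifier.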