<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif; ">
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px; ">
Hello,</div>
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px; ">
<br>
</div>
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px; ">
I have a few questions regarding native app validation in the NAPPS flow. I'm not sure whether it has been discussed before or not since I cannot find any discussion with relevant topic from the list.</div>
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px; ">
<br>
</div>
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px; ">
1. Who should validate native app</div>
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px; ">
<br>
</div>
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px; ">
In existing NAPPS flow, a native app will obtain an access token to access a Resource Server from AS through TA. Whose responsibility it is to verify whether this particular native app can be given an access token? </div>
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px; ">
<br>
</div>
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px; ">
TA may be able to verify that a request indeed came from a native app. However, TA cannot verify that this native app is authorized to obtain access token to access RS. I assume this validation needs to be done at AS.</div>
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px; ">
<br>
</div>
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px; ">
I remember in the very first draft of the spec (Summer, last year), customUrl was used by AS to verify the requesting native app. When a native app sends a token request to TA, it passes in scope and customUrl. TA will pass the scope and customUrl to AS. AS
then verifies customUrl and make sure the customUrl is pre-registered for an authorized native app.</div>
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px; ">
<br>
</div>
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px; ">
2. customUrl vs. Bundle ID</div>
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px; ">
<br>
</div>
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px; ">
One potential issue with the customUrl approach is that TA usually could not validate a native app's customUrl. Instead, TA usually knows a requesting native app's bundle ID. So TA could pass a native app's bundle id to AS for AS to validating whether the native
app associated with the bundle id is authorized to receive access token.</div>
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px; ">
<br>
</div>
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px; ">
3. <span style="font-family: Calibri; font-size: medium; ">Multiple native apps to one Resource Server</span></div>
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px; ">
<span style="font-family: Calibri; font-size: medium; "><br>
</span></div>
<div>The original customUrl approach assumes one Resource Server (scope) could have only one native app (customUrl) associated with it. If we decide to ask AS to validate native app using either customUrl or bundle id, then we need to cover the situation where
multiple native apps running on the same device may ask access token from AS through TA to access the same RS. In this situation, one RS(scope) at AS side may have multiple native apps registered.</div>
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px; ">
<span style="font-family: Calibri; font-size: medium; "><br>
</span></div>
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px; ">
Any thoughts?</div>
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px; ">
<br>
</div>
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px; ">
Thanks,</div>
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px; ">
Emily</div>
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px; ">
<br>
</div>
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px; ">
Emily Xu</div>
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px; ">
Identity Management</div>
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px; ">
VMware </div>
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px; ">
<span style="font-family: Calibri; font-size: medium; "><br>
</span></div>
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px; ">
<span style="font-family: Calibri; font-size: medium; "><br>
</span></div>
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px; ">
<span style="font-family: Calibri; font-size: medium; "><br>
</span></div>
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px; ">
<span style="font-family: Calibri; font-size: medium; "><br>
</span></div>
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px; ">
<span style="font-family: Calibri; font-size: medium; "><br>
</span></div>
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px; ">
<br>
</div>
<div style="color: rgb(0, 0, 0); font-family: Calibri, sans-serif; font-size: 14px; ">
<br>
</div>
</body>
</html>