<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; font-size: 14px; font-family: Calibri, sans-serif;">I have some comments inline<br><div><br></div><div>The current Spec is at: <a href="http://openid.bitbucket.org/draft-native-application-agent-core-01.html">http://openid.bitbucket.org/draft-native-application-agent-core-01.html</a></div><div><br><div>Begin forwarded message:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div style="margin: 0px;"><span style="font-family: Helvetica;"><b>From: </b></span><span style="font-family: Helvetica;"><a href="mailto:openid-specs-native-apps-owner@lists.openid.net">openid-specs-native-apps-owner@lists.openid.net</a><br></span></div><div style="margin: 0px;"><span style="font-family: Helvetica;"><b>Subject: </b></span><span style="font-family: Helvetica;"><b>Openid-specs-native-apps post from <a href="mailto:exu@vmware.com">exu@vmware.com</a> requires approval</b><br></span></div><div style="margin: 0px;"><span style="font-family: Helvetica;"><b>Date: </b></span><span style="font-family: Helvetica;">July 4, 2014 at 11:34:44 AM GMT-4<br></span></div><div style="margin: 0px;"><span style="font-family: Helvetica;"><b>To: </b></span><span style="font-family: Helvetica;"><a href="mailto:openid-specs-native-apps-owner@lists.openid.net">openid-specs-native-apps-owner@lists.openid.net</a><br></span></div><br><div>As list administrator, your authorization is requested for the<br>following mailing list posting:<br><br> List: <a href="mailto:Openid-specs-native-apps@lists.openid.net">Openid-specs-native-apps@lists.openid.net</a><br> From: <a 
href="mailto:exu@vmware.com">exu@vmware.com</a><br> Subject: native app validation<br> Reason: Post to moderated list<br><br>At your convenience, visit:<br><br> <a href="http://lists.openid.net/mailman/admindb/openid-specs-native-apps">http://lists.openid.net/mailman/admindb/openid-specs-native-apps</a><br><br>to approve or deny the request.<br><br><div style="margin: 0px;"><span style="font-family: Helvetica; color: rgb(127, 127, 127);"><b>From: </b></span><span style="font-family: Helvetica;">Emily Xu <<a href="mailto:exu@vmware.com">exu@vmware.com</a>><br></span></div><div style="margin: 0px;"><span style="font-family: Helvetica; color: rgb(127, 127, 127);"><b>Subject: </b></span><span style="font-family: Helvetica;"><b>native app validation</b><br></span></div><div style="margin: 0px;"><span style="font-family: Helvetica; color: rgb(127, 127, 127);"><b>Date: </b></span><span style="font-family: Helvetica;">July 4, 2014 at 11:34:22 AM GMT-4<br></span></div><div style="margin: 0px;"><span style="font-family: Helvetica; color: rgb(127, 127, 127);"><b>To: </b></span><span style="font-family: Helvetica;">"<a href="mailto:openid-specs-native-apps@lists.openid.net">openid-specs-native-apps@lists.openid.net</a>" <<a href="mailto:openid-specs-native-apps@lists.openid.net">openid-specs-native-apps@lists.openid.net</a>><br></span></div><br><br><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div>Hello,</div><div><br></div><div>I have a few questions regarding native app validation in the NAPPS flow. I'm not sure whether it has been discussed before or not, since I cannot find any discussion on a relevant topic on the list.</div><div><br></div><div>1. Who should validate the native app</div><div><br></div><div>In the existing NAPPS flow, a native app will obtain an access token to access a Resource Server from AS through TA. Whose responsibility is it to verify whether this particular native app can be given an access token? 
</div><div><br></div><div>TA may be able to verify that a request indeed came from a native app. However, TA cannot verify that this native app is authorized to obtain an access token to access RS. I assume this validation needs to be done at AS.</div><div><br></div><div>I remember in the very first draft of the spec (Summer, last year), customUrl was used by AS to verify the requesting native app. When a native app sends a token request to TA, it passes in scope and customUrl. TA will pass the scope and customUrl to AS. AS then verifies customUrl and makes sure the customUrl is pre-registered for an authorized native app.</div><div><br></div></div></div></blockquote><div>The info coming back from the app_info endpoint contains the scopes that the app can request. The TA needs to filter the requested scopes.</div><div><br></div><div>The app_info endpoint response has optional "bundle_id" and "custom_uri" for identifying the app. In the original spec, customurl was in an example but not the normative text. I have added it to the normative text describing the elements returned in the response.</div><br><blockquote type="cite"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div></div><div>2. customUrl vs. Bundle ID</div><div><br></div><div>One potential issue with the customUrl approach is that TA usually cannot validate a native app's customUrl. Instead, TA usually knows a requesting native app's bundle ID. So TA could pass a native app's bundle id to AS for AS to validate whether the native app associated with the bundle id is authorized to receive an access token.</div></div></blockquote><div><br></div>The TA should probably do both. The custom_uri doesn't validate the request, but it prevents the response from going to the wrong app if you can't validate the app signature.</div><div><br></div><div>Validating the redirect_uri alone is equivalent to standard OAuth 2 security for public apps. 
I agree we should try and better that.<br><blockquote type="cite"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div><br></div><div>3. <span style="font-family: Calibri; font-size: 12px;">Multiple native apps to one Resource Server</span></div><div><span style="font-family: Calibri; font-size: 12px;"><br></span></div><div>The original customUrl approach assumes one Resource Server (scope) could have only one native app (customUrl) associated with it. If we decide to ask AS to validate the native app using either customUrl or bundle id, then we need to cover the situation where multiple native apps running on the same device may ask for an access token from AS through TA to access the same RS. In this situation, one RS (scope) on the AS side may have multiple native apps registered.</div></div></blockquote><div><br></div>I don't think I get the question. The app info response is an array of app objects. There is nothing I can see that stops multiple apps from asking for the same scope. 
It is the TA that knows what the client app is and filters the scopes.</div><div><br></div><div>This will be good to take to the list once we have the IPR dealt with.</div><div><br></div><div>Thanks</div><div><br></div><div>John B.<br><blockquote type="cite"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div><span style="font-family: Calibri; font-size: 12px;"><br></span></div><div>Any thoughts?</div><div><br></div><div>Thanks,</div><div>Emily</div><div><br></div><div>Emily Xu</div><div>Identity Management</div><div>VMware </div></div></blockquote></div></div></div></body></html>
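The TA-side check John describes (identify the client app, verify its custom_uri so the response cannot land in another app, then forward only the scopes that app is registered for, while allowing several apps to share a scope), as an added illustration that is not code from the NAPPS draft or from any implementation. The draft names "bundle_id" and "custom_uri"; the "scopes" key, the array layout and the sample apps are assumptions constructed here.

```python
"""Trusted Agent (TA) scope filtering against an app_info response.

Added example, not code from the NAPPS draft.  Assumed shape: the
app_info endpoint returns a JSON array of app objects, each carrying
"bundle_id", "custom_uri" and a "scopes" list ("scopes" and the array
layout are assumptions; only bundle_id and custom_uri come from the draft).
"""
import json

# Constructed sample app_info response.  Two apps are registered for the
# same scope ("mail"), which the draft does not forbid.
APP_INFO_JSON = json.dumps([
    {"bundle_id": "com.example.mail", "custom_uri": "examplemail://cb",
     "scopes": ["mail", "contacts"]},
    {"bundle_id": "com.example.calendar", "custom_uri": "examplecal://cb",
     "scopes": ["mail", "calendar"]},
])


def filter_scopes(app_info_json, bundle_id, custom_uri, requested):
    """Return the scopes the TA may forward to the AS for this client.

    The TA identifies the client by the bundle_id the platform reports and
    also checks the custom_uri the app supplied against the registered one,
    so a token response cannot be handed to a different app.  Returns None
    when the app is unregistered or the custom_uri does not match; otherwise
    returns the requested scopes that the app is registered for, in request
    order (an empty list means nothing survives filtering).
    """
    apps = json.loads(app_info_json)
    entry = next((a for a in apps if a.get("bundle_id") == bundle_id), None)
    if entry is None:
        return None  # unknown app: do not build a token request at all
    if entry.get("custom_uri") != custom_uri:
        return None  # registered app, but the response would go elsewhere
    allowed = set(entry.get("scopes", []))
    return [s for s in requested if s in allowed]


if __name__ == "__main__":
    # Mail app asks for more than it is registered for: "calendar" is dropped.
    print(filter_scopes(APP_INFO_JSON, "com.example.mail",
                        "examplemail://cb", ["mail", "calendar"]))
```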