<html><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">Yes,<div><br></div><div>The perhaps confusingly named "scope" parameter contains the identifier for the client app that is passed to the Token endpoint so that the AS knows what the app is.</div><div><br></div><div>Based on the bundle id and custom uri, the TA validates the app and includes the value in its token request for the app.</div><div><br></div><div>There are some use cases where the TA is requesting a token for the app based on invocation from some sort of native desktop app.</div><div>In that case it may need to also request additional scopes when requesting a token.</div><div><br></div><div>The "scope" scope is required; the default_scopes are optional and used if the app itself is not asking for some more specific scopes.</div><div><br></div><div>John B.</div><div><br><div><div>On Jul 7, 2014, at 5:59 AM, Paul Madsen <<a href="mailto:paul.madsen@gmail.com">paul.madsen@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">
  
    <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type">
  
  <div bgcolor="#FFFFFF" text="#000000">
    <font size="+1"><font face="Arial">Hi Emily, my understanding is
        that the scope parameter serves to identify the application and
        distinguish it from others. But there may well be more specific
        sets of operations for each application, e.g. read vs. write, etc. <br>
        <br>
        Consequently</font></font> the TA may need to be able to specify
    these additional scopes in its requests of the AS. The
    default_scopes array informs the TA of what these additional
    'scopes' are. The TA would insert these as additional (space
    delimited) parameters when it asked the AS for a secondary access
    token.<br>
    <br>
    I suspect the value of the mechanism is in supporting 3rd party ASs.<br>
    <br>
    John?<br>
    <br>
    paul  <br>
    <br>
    <div class="moz-cite-prefix">On 7/7/14, 12:39 AM, Emily Xu wrote:<br>
    </div>
    <blockquote cite="mid:CFDF38A6.55111%25exu@vmware.com" type="cite">
      <meta http-equiv="Content-Type" content="text/html;
        charset=ISO-8859-1">
      <div>Hi John,</div>
      <div><br>
      </div>
      <div>I don't think I follow you completely on this. What is the
        difference between scope and default_scopes? Why are the values
        for the two so different?</div>
      <div><br>
      </div>
      <div>I assume one of them will contain a list of resource servers
        that this native app could ask a token for. The default scope
        could be the one used if the TA pushes an access token to the
        client app (without the client app asking first); a token for
        that scope will be returned.</div>
      <div><br>
      </div>
      <div>Another question: who should be the one who validates the
        native app (custom url and bundle id)? I assume the AS should do
        the validation. If this is true, then the custom url and bundle
        id should be passed to the AS by the TA when asking for an
        access token for the native app.</div>
      <div><br>
      </div>
      <div>Thanks,</div>
      <div>Emily</div>
      <div><br>
      </div>
      <span id="OLK_SRC_BODY_SECTION">
        <div style="font-family: Calibri; font-size: 11pt; text-align: left; border-width: 1pt medium medium; border-style: solid none none; padding: 3pt 0in 0in; border-top-color: rgb(181, 196, 223);">
          <span style="font-weight:bold">From: </span>John Bradley <<a moz-do-not-send="true" href="mailto:ve7jtb@ve7jtb.com">ve7jtb@ve7jtb.com</a>><br>
          <span style="font-weight:bold">Date: </span>Sunday, July 6,
          2014 4:49 PM<br>
          <span style="font-weight:bold">To: </span>Emily Xu <<a moz-do-not-send="true" href="mailto:exu@vmware.com">exu@vmware.com</a>><br>
          <span style="font-weight:bold">Cc: </span>"<a moz-do-not-send="true" href="mailto:openid-specs-native-apps@lists.openid.net">openid-specs-native-apps@lists.openid.net</a>"
          <<a moz-do-not-send="true" href="mailto:openid-specs-native-apps@lists.openid.net">openid-specs-native-apps@lists.openid.net</a>><br>
          <span style="font-weight:bold">Subject: </span>Re: native app
          validation<br>
        </div>
        <div><br>
        </div>
        <div>
          <div style="word-wrap: break-word; -webkit-nbsp-mode: space;
            -webkit-line-break: after-white-space;">
            Looking at this again, the scope value returned from app_info
            is a special scope that identifies the client app making the
            request to the TA.
            <div><br>
            </div>
            <div>It is a single string value that gets added to the
              scope parameter in the request.</div>
            <div><br>
            </div>
            <div>I have updated the text to make that clearer.</div>
            <div><br>
            </div>
            <div>I added a new parameter that allows the app_info
              endpoint to specify default scopes for applications.
              This can be used when the TA is requesting a token to push
              to the app without having the app call the TA first.</div>
            <div><br>
            </div>
            <div>So, to revisit your question, it would look like:</div>
            <div>
              <div style="word-wrap: break-word; -webkit-nbsp-mode:
                space; -webkit-line-break: after-white-space;">
                <div style="word-wrap: break-word; -webkit-nbsp-mode:
                  space; -webkit-line-break: after-white-space;
                  font-size: 14px;">
                  <pre style="font-family: Calibri, sans-serif;">"apps": [
            {
                "name": "TestApp1",
                "type": "native",
                "scope": "urn:oauth:testapp1",
                "default_scopes": ["com.testrs1"],
                "icon_uri": "http://www.example.com/pic1.png",
                "custom_uri": "testapp1://callback-uri/",
                "bundle_id": "nkdf9hfknfih9enfen"
            },
            {
                "name": "TestApp2",
                "type": "native",
                "scope": "urn:oauth:testapp2",
                "default_scopes": ["com.testrs2"],
                "icon_uri": "http://www.example.com/pic2.png",
                "custom_uri": "testapp2://callback-uri/",
                "bundle_id": "jdfejfemfefpoemkflen"
            }
        ]
</pre>
                </div>
              </div>
              <div style="word-wrap: break-word; -webkit-nbsp-mode:
                space; -webkit-line-break: after-white-space;">
                <div style="word-wrap: break-word; -webkit-nbsp-mode:
                  space; -webkit-line-break: after-white-space;
                  font-size: 14px;">
                  <div style="font-family: Calibri, sans-serif;"><br>
                  </div>
                  <div style="font-family: Calibri, sans-serif;">What if
                    a third native app (TestApp3) needs a token to access
                    TestRS1 and TestRS2? What will the AppInfo look
                    like?</div>
                  <div style="font-family: Calibri, sans-serif;">
                    <pre style="font-family: Calibri, sans-serif;">         {
                "name": "TestApp3",
                "type": "native",
                "scope": "urn:oauth:testapp3",
                "default_scopes": ["com.testrs1", "com.testrs2"],
                "icon_uri": "http://www.example.com/pic3.png",
                "custom_uri": "testapp3://callback-uri/",
                "bundle_id": "oejfiejfefjpefefefeifie"
         }
</pre>
                  </div>
                </div>
              </div>
            </div>
            <div>
              <div style="word-wrap: break-word; -webkit-nbsp-mode:
                space; -webkit-line-break: after-white-space;">
                <div style="word-wrap: break-word; -webkit-nbsp-mode:
                  space; -webkit-line-break: after-white-space;
                  font-size: 14px;">
                  <div style="font-family: Calibri, sans-serif;"><br>
                  </div>
                  <div style="font-family: Calibri, sans-serif;">An app
                    may request other scopes in its call to the TA, and
                    the AS would need to validate those.</div>
                  <div style="font-family: Calibri, sans-serif;"><br>
                  </div>
                  <div style="font-family: Calibri, sans-serif;">It may
                    be that we should rename scope to something like
                    app_id_scope or something like that to make the use
                    clearer.</div>
                  <div style="font-family: Calibri, sans-serif;">I
                    didn't change the name, just clarified the use.</div>
                  <div style="font-family: Calibri, sans-serif;"><br>
                  </div>
                  <div style="font-family: Calibri, sans-serif;">John B.</div>
                  <div style="font-family: Calibri, sans-serif;"><br>
                  </div>
                </div>
              </div>
            </div>
            <div><br>
              <div>
                <div>On Jul 5, 2014, at 10:21 AM, John Bradley <<a moz-do-not-send="true" href="mailto:ve7jtb@ve7jtb.com">ve7jtb@ve7jtb.com</a>>
                  wrote:</div>
                <br class="Apple-interchange-newline">
                <blockquote type="cite">
                  <div style="word-wrap: break-word; -webkit-nbsp-mode:
                    space; -webkit-line-break: after-white-space;">
                    Yes, that is correct.
                    <div><br>
                    </div>
                    <div>The one thing that your example points out that
                      needs to be clarified is what separator to use
                      between scopes in the scope parameter.</div>
                    <div><br>
                    </div>
                    <div>I had assumed that it would be the same as
                      OAuth being a space separated list. </div>
                    <div>The other alternative to be more JSON friendly
                      is to make it an array.   </div>
                    <div><br>
                    </div>
                    <div>There are advantages both ways. I don't think
                      comma separated is a good idea.</div>
                    <div><br>
                    </div>
                    <div>Do people have a view on this? I can update
                      the text for the parameter today to make it clear
                      one way or the other.</div>
                    <div>I think people have used space separated in the
                      earlier interop though it was not specified in the
                      earlier aza spec as far as I can see.</div>
                    <div><br>
                    </div>
                    <div>John B.</div>
                    <div><br>
                      <div>
                        <div>On Jul 5, 2014, at 12:37 AM, Emily Xu <<a moz-do-not-send="true" href="mailto:exu@vmware.com">exu@vmware.com</a>>
                          wrote:</div>
                        <br class="Apple-interchange-newline">
                        <blockquote type="cite">
                          <div style="word-wrap: break-word;
                            -webkit-nbsp-mode: space;
                            -webkit-line-break: after-white-space;
                            font-size: 14px;">
                            <div style="font-family: Calibri,
                              sans-serif; ">Hi John,</div>
                            <div style="font-family: Calibri,
                              sans-serif; "><br>
                            </div>
                            <div style="font-family: Calibri,
                              sans-serif; ">Thank you for sending me the
                              latest spec. Hopefully my online signing
                              of the contributor agreement would work so
                              I can post the questions to the list.</div>
                            <div style="font-family: Calibri,
                              sans-serif; "><br>
                            </div>
                            <div style="font-family: Calibri,
                              sans-serif; ">Actually, the latest spec
                              answered many of my questions, with one
                              thing that needs clarification.</div>
                            <div style="font-family: Calibri,
                              sans-serif; "><br>
                            </div>
                            <div style="font-family: Calibri,
                              sans-serif; ">If I have two native apps,
                              let's name them TestApp1 and TestApp2,
                              that both need an access token to access
                              the same Resource Server (TestRS1). Let's
                              say the scope for TestRS1 is com.testrs1.
                              What will be returned from the AppInfo
                              endpoint? Something like below? Please pay
                              special attention to the name and scope
                              fields.</div>
                            <div style="font-family: Calibri,
                              sans-serif; "><br>
                            </div>
                            <div>
                              <pre style="font-family: Calibri, sans-serif; ">"apps": [
            {
                "name": "TestApp1",
                "type": "native",
                "scope": "com.testrs1",
                "icon_uri": "http://www.example.com/pic1.png",
                "custom_uri": "testapp1://callback-uri/",
                "bundle_id": "nkdf9hfknfih9enfen"
            },
            {
                "name": "TestApp2",
                "type": "native",
                "scope": "com.testrs1",
                "icon_uri": "http://www.example.com/pic2.png",
                "custom_uri": "testapp2://callback-uri/",
                "bundle_id": "jdfejfemfefpoemkflen"
            }
        ]
</pre>
                            </div>
                            <div style="font-family: Calibri,
                              sans-serif; "><br>
                            </div>
                            <div style="font-family: Calibri,
                              sans-serif; ">What if a third native app
                              (TestApp3) needs a token to access TestRS1
                              and TestRS2? What will the AppInfo look
                              like?</div>
                            <div style="font-family: Calibri,
                              sans-serif; ">
                              <pre style="font-family: Calibri, sans-serif; ">         {
                "name": "TestApp3",
                "type": "native",
                "scope": "com.testrs1, com.testrs2",
                "icon_uri": "http://www.example.com/pic3.png",
                "custom_uri": "testapp3://callback-uri/",
                "bundle_id": "oejfiejfefjpefefefeifie"
         }
</pre>
                            </div>
                            <div style="font-family: Calibri,
                              sans-serif; "><br>
                            </div>
                            <div style="font-family: Calibri,
                              sans-serif; ">Thanks,</div>
                            <div style="font-family: Calibri,
                              sans-serif; ">Emily</div>
                            <div style="font-family: Calibri,
                              sans-serif; "><br>
                            </div>
                            <span id="OLK_SRC_BODY_SECTION" style="font-family: Calibri, sans-serif; ">
                              <div style="font-family: Calibri;
                                font-size: 11pt; text-align: left;
                                border-width: 1pt medium medium;
                                border-style: solid none none; padding:
                                3pt 0in 0in; border-top-color: rgb(181,
                                196, 223);">
                                <span style="font-weight:bold">From: </span>John
                                Bradley <<a moz-do-not-send="true" href="mailto:ve7jtb@ve7jtb.com">ve7jtb@ve7jtb.com</a>><br>
                                <span style="font-weight:bold">Date: </span>Friday,
                                July 4, 2014 1:40 PM<br>
                                <span style="font-weight:bold">To: </span>Emily
                                Xu <<a moz-do-not-send="true" href="mailto:exu@vmware.com">exu@vmware.com</a>><br>
                                <span style="font-weight:bold">Cc: </span>Ashish
                                Jain <<a moz-do-not-send="true" href="mailto:ashishjain@vmware.com">ashishjain@vmware.com</a>>,
                                Paul Madsen <<a moz-do-not-send="true" href="mailto:pmadsen@pingidentity.com">pmadsen@pingidentity.com</a>><br>
                                <span style="font-weight:bold">Subject:
                                </span>Fwd: Openid-specs-native-apps
                                post from
                                <a moz-do-not-send="true" href="mailto:exu@vmware.com">exu@vmware.com</a>
                                requires approval<br>
                              </div>
                              <div><br>
                              </div>
                              <div>
                                <div style="word-wrap: break-word;
                                  -webkit-nbsp-mode: space;
                                  -webkit-line-break:
                                  after-white-space;">
                                  You will need to submit a contribution
                                  agreement to post to the list.
                                  <div>The one Ashish put in only covers
                                    him <a moz-do-not-send="true" href="https://urldefense.proofpoint.com/v1/url?u=http://openid.net/wordpress-content/uploads/2013/11/Ashish-Jain-Native-App-WG-Contribution-Agreement.pdf&k=oIvRg1%2BdGAgOoM1BIlLLqw%3D%3D%0A&r=%2BncOwzCBhNISAoJVtNvVMw%3D%3D%0A&m=qIzRydcbKK0gy5xOc475BldnodzIIhQpKNG5XgyrnkI%3D%0A&s=a4265c94e7b15e19e77fcb669a0616168004a0df8017c7086664ad5df059e815">http://openid.net/wordpress-content/uploads/2013/11/Ashish-Jain-Native-App-WG-Contribution-Agreement.pdf</a></div>
                                  <div><br>
                                  </div>
                                  <div>The link for the contributor
                                    agreement is at: <a moz-do-not-send="true" href="https://urldefense.proofpoint.com/v1/url?u=http://openid.net/intellectual-property/&k=oIvRg1%2BdGAgOoM1BIlLLqw%3D%3D%0A&r=%2BncOwzCBhNISAoJVtNvVMw%3D%3D%0A&m=qIzRydcbKK0gy5xOc475BldnodzIIhQpKNG5XgyrnkI%3D%0A&s=de0d6c9d029cfd5084fdf3b2a3fe2479dd5edcb97e0d8071e140293ba6aeb36f">http://openid.net/intellectual-property/</a></div>
                                  <div><br>
                                  </div>
                                  <div>Once you do that I can release
                                    the post to the list.</div>
                                  <div><br>
                                  </div>
                                  <div>I have some comments inline<br>
                                    <div><br>
                                    </div>
                                    <div>The current Spec is at: <a moz-do-not-send="true" href="https://urldefense.proofpoint.com/v1/url?u=http://openid.bitbucket.org/draft-native-application-agent-core-01.html&k=oIvRg1%2BdGAgOoM1BIlLLqw%3D%3D%0A&r=%2BncOwzCBhNISAoJVtNvVMw%3D%3D%0A&m=qIzRydcbKK0gy5xOc475BldnodzIIhQpKNG5XgyrnkI%3D%0A&s=f297fc78e206a9cbcd353cc5beeab8eca15647cbc3f1843fded8a3fdd2b20c33">http://openid.bitbucket.org/draft-native-application-agent-core-01.html</a></div>
                                    <div><br>
                                      <div>Begin forwarded message:</div>
                                      <br class="Apple-interchange-newline">
                                      <blockquote type="cite">
                                        <div style="margin-top: 0px;
                                          margin-right: 0px;
                                          margin-bottom: 0px;
                                          margin-left: 0px;">
                                          <span style="font-family:
                                            Helvetica;"><b>From: </b></span><span style="font-family:'Helvetica';"><a moz-do-not-send="true" href="mailto:openid-specs-native-apps-owner@lists.openid.net">openid-specs-native-apps-owner@lists.openid.net</a><br>
                                          </span></div>
                                        <div style="margin-top: 0px;
                                          margin-right: 0px;
                                          margin-bottom: 0px;
                                          margin-left: 0px;">
                                          <span style="font-family:
                                            Helvetica;"><b>Subject: </b></span><span style="font-family:'Helvetica';"><b>Openid-specs-native-apps post from
                                              <a moz-do-not-send="true" href="mailto:exu@vmware.com">exu@vmware.com</a> requires approval</b><br>
                                          </span></div>
                                        <div style="margin-top: 0px;
                                          margin-right: 0px;
                                          margin-bottom: 0px;
                                          margin-left: 0px;">
                                          <span style="font-family:
                                            Helvetica;"><b>Date: </b></span><span style="font-family:'Helvetica';">July 4, 2014 at 11:34:44 AM GMT-4<br>
                                          </span></div>
                                        <div style="margin-top: 0px;
                                          margin-right: 0px;
                                          margin-bottom: 0px;
                                          margin-left: 0px;">
                                          <span style="font-family:
                                            Helvetica;"><b>To: </b></span><span style="font-family:'Helvetica';"><a moz-do-not-send="true" href="mailto:openid-specs-native-apps-owner@lists.openid.net">openid-specs-native-apps-owner@lists.openid.net</a><br>
                                          </span></div>
                                        <br>
                                        <div>As list administrator, your
                                          authorization is requested for
                                          the<br>
                                          following mailing list
                                          posting:<br>
                                          <br>
                                             List:    <a moz-do-not-send="true" href="mailto:Openid-specs-native-apps@lists.openid.net">Openid-specs-native-apps@lists.openid.net</a><br>
                                             From:    <a moz-do-not-send="true" href="mailto:exu@vmware.com">exu@vmware.com</a><br>
                                             Subject: native app
                                          validation<br>
                                             Reason:  Post to moderated
                                          list<br>
                                          <br>
                                          At your convenience, visit:<br>
                                          <br>
                                             <a moz-do-not-send="true" href="https://urldefense.proofpoint.com/v1/url?u=http://lists.openid.net/mailman/admindb/openid-specs-native-apps&k=oIvRg1%2BdGAgOoM1BIlLLqw%3D%3D%0A&r=%2BncOwzCBhNISAoJVtNvVMw%3D%3D%0A&m=qIzRydcbKK0gy5xOc475BldnodzIIhQpKNG5XgyrnkI%3D%0A&s=c14b20f7d866a1def4b3fe7602557909d895305fde25120675e6f2b6586b88f3">http://lists.openid.net/mailman/admindb/openid-specs-native-apps</a><br>
                                          <br>
                                          to approve or deny the
                                          request.<br>
                                          <br>
                                          <div style="margin-top: 0px;
                                            margin-right: 0px;
                                            margin-bottom: 0px;
                                            margin-left: 0px;">
                                            <span style="font-family:'Helvetica';
                                              color:rgba(127, 127, 127,
                                              1.0);"><b>From: </b>
                                            </span><span style="font-family:'Helvetica';">Emily
                                              Xu <<a moz-do-not-send="true" href="mailto:exu@vmware.com">exu@vmware.com</a>><br>
                                            </span></div>
                                          <div style="margin-top: 0px;
                                            margin-right: 0px;
                                            margin-bottom: 0px;
                                            margin-left: 0px;">
                                            <span style="font-family:'Helvetica';
                                              color:rgba(127, 127, 127,
                                              1.0);"><b>Subject:
                                              </b></span><span style="font-family:'Helvetica';"><b>native
                                                app validation</b><br>
                                            </span></div>
                                          <div style="margin-top: 0px;
                                            margin-right: 0px;
                                            margin-bottom: 0px;
                                            margin-left: 0px;">
                                            <span style="font-family:'Helvetica';
                                              color:rgba(127, 127, 127,
                                              1.0);"><b>Date: </b>
                                            </span><span style="font-family:'Helvetica';">July
                                              4, 2014 at 11:34:22 AM
                                              GMT-4<br>
                                            </span></div>
                                          <div style="margin-top: 0px;
                                            margin-right: 0px;
                                            margin-bottom: 0px;
                                            margin-left: 0px;">
                                            <span style="font-family:'Helvetica';
                                              color:rgba(127, 127, 127,
                                              1.0);"><b>To: </b>
                                            </span><span style="font-family:'Helvetica';">"<a moz-do-not-send="true" href="mailto:openid-specs-native-apps@lists.openid.net">openid-specs-native-apps@lists.openid.net</a>"
                                              <<a moz-do-not-send="true" href="mailto:openid-specs-native-apps@lists.openid.net">openid-specs-native-apps@lists.openid.net</a>><br>
                                            </span></div>
                                          <br>
                                          <br>
                                          <div style="word-wrap:
                                            break-word;
                                            -webkit-nbsp-mode: space;
                                            -webkit-line-break:
                                            after-white-space;
                                            font-size: 14px;
                                            font-family: Calibri,
                                            sans-serif;">
                                            <div style="font-family:
                                              Calibri, sans-serif;
                                              font-size: 14px;">Hello,</div>
                                            <div style="font-family:
                                              Calibri, sans-serif;
                                              font-size: 14px;"><br>
                                            </div>
<div style="font-family: Calibri, sans-serif; font-size: 14px;">I have a few questions regarding native app validation in the NAPPS flow. I'm not sure whether it has been discussed before or not, since I cannot find any discussion of a relevant topic on the list.</div>
                                            <div style="font-family:
                                              Calibri, sans-serif;
                                              font-size: 14px;"><br>
                                            </div>
                                            <div style="font-family:
                                              Calibri, sans-serif;
                                              font-size: 14px;">1. Who
                                              should validate native app</div>
                                            <div style="font-family:
                                              Calibri, sans-serif;
                                              font-size: 14px;"><br>
                                            </div>
<div style="font-family: Calibri, sans-serif; font-size: 14px;">In the existing NAPPS flow, a native app will obtain an access token to access a Resource Server from AS through TA. Whose responsibility is it to verify whether this particular native app can be given an access token?</div>
                                            <div style="font-family:
                                              Calibri, sans-serif;
                                              font-size: 14px;"><br>
                                            </div>
<div style="font-family: Calibri, sans-serif; font-size: 14px;">TA may be able to verify that a request indeed came from a native app. However, TA cannot verify that this native app is authorized to obtain an access token to access RS. I assume this validation needs to be done at AS.</div>
                                            <div style="font-family:
                                              Calibri, sans-serif;
                                              font-size: 14px;"><br>
                                            </div>
<div style="font-family: Calibri, sans-serif; font-size: 14px;">I remember in the very first draft of the spec (Summer, last year), customUrl was used by AS to verify the requesting native app. When a native app sends a token request to TA, it passes in scope and customUrl. TA will pass the scope and customUrl to AS. AS then verifies customUrl and makes sure the customUrl is pre-registered for an authorized native app.</div>
                                            <div style="font-family:
                                              Calibri, sans-serif;
                                              font-size: 14px;"><br>
                                            </div>
                                          </div>
                                        </div>
                                      </blockquote>
                                      <div>The info coming back from the
                                        app_info endpoint contains the
                                        scopes that the app can request.
                                          The TA needs to filter the
                                        requested scopes.</div>
                                      <div><br>
                                      </div>
                                      <div>The app_info endpoint
                                        response has optional
                                        "bundle_id" and "custom_uri" for
                                        identifying the app.   In the
                                        original spec customurl was in
                                        an example but not the normative
                                        text.  I have added it to the
                                        normative text describing the
                                        elements returned in the
                                        response.</div>
                                      <br>
                                      <blockquote type="cite">
                                        <div>
                                          <div style="word-wrap:
                                            break-word;
                                            -webkit-nbsp-mode: space;
                                            -webkit-line-break:
                                            after-white-space;
                                            font-size: 14px;
                                            font-family: Calibri,
                                            sans-serif;">
                                            <div style="font-family:
                                              Calibri, sans-serif;
                                              font-size: 14px;">2.
                                              customUrl vs. Bundle ID</div>
                                            <div style="font-family:
                                              Calibri, sans-serif;
                                              font-size: 14px;"><br>
                                            </div>
<div style="font-family: Calibri, sans-serif; font-size: 14px;">One potential issue with the customUrl approach is that TA usually could not validate a native app's customUrl. Instead, TA usually knows a requesting native app's bundle ID. So TA could pass a native app's bundle id to AS for AS to validate whether the native app associated with the bundle id is authorized to receive an access token.</div>
                                          </div>
                                        </div>
                                      </blockquote>
                                      <div><br>
                                      </div>
                                      The TA should probably do both.  
                                      The custom_uri doesn't validate
                                      the request but it prevents the
                                      response from going to the wrong
                                      app if you can't validate the app
                                      signature.</div>
                                    <div><br>
                                    </div>
                                    <div>Validating the redirect_uri
                                      alone is equivalent to standard
                                      OAuth 2 security for public apps.
                                       I agree we should try and better
                                      that.<br>
                                      <blockquote type="cite">
                                        <div>
                                          <div style="word-wrap:
                                            break-word;
                                            -webkit-nbsp-mode: space;
                                            -webkit-line-break:
                                            after-white-space;
                                            font-size: 14px;
                                            font-family: Calibri,
                                            sans-serif;">
                                            <div style="font-family:
                                              Calibri, sans-serif;
                                              font-size: 14px;"><br>
                                            </div>
                                            <div style="font-family:
                                              Calibri, sans-serif;
                                              font-size: 14px;">3. <span style="font-family:
                                                Calibri; font-size:
                                                12px;">Multiple native
                                                apps to one Resource
                                                Server</span></div>
                                            <div style="font-family:
                                              Calibri, sans-serif;
                                              font-size: 14px;"><span style="font-family:
                                                Calibri; font-size:
                                                12px;"><br>
                                              </span></div>
<div>The original customUrl approach assumes one Resource Server (scope) could have only one native app (customUrl) associated with it. If we decide to ask AS to validate the native app using either customUrl or bundle id, then we need to cover the situation where multiple native apps running on the same device may ask for an access token from AS through TA to access the same RS. In this situation, one RS (scope) at AS side may have multiple native apps registered.</div>
                                          </div>
                                        </div>
                                      </blockquote>
                                      <div><br>
                                      </div>
I don't think I get the question. The app info response is an array of app objects. There is nothing I can see that stops multiple apps from asking for the same scope. It is the TA that knows what the client app is and filters the scopes.</div>
                                    <div><br>
                                    </div>
                                    <div>This will be good to take to
                                      the list once we have the IPR
                                      dealt with.</div>
                                    <div><br>
                                    </div>
                                    <div>Thanks</div>
                                    <div><br>
                                    </div>
                                    <div>John B.<br>
                                      <blockquote type="cite">
                                        <div>
                                          <div style="word-wrap:
                                            break-word;
                                            -webkit-nbsp-mode: space;
                                            -webkit-line-break:
                                            after-white-space;
                                            font-size: 14px;
                                            font-family: Calibri,
                                            sans-serif;">
                                            <div style="font-family:
                                              Calibri, sans-serif;
                                              font-size: 14px;"><span style="font-family:
                                                Calibri; font-size:
                                                12px;"><br>
                                              </span></div>
                                            <div style="font-family:
                                              Calibri, sans-serif;
                                              font-size: 14px;">Any
                                              thoughts?</div>
                                            <div style="font-family:
                                              Calibri, sans-serif;
                                              font-size: 14px;"><br>
                                            </div>
                                            <div style="font-family:
                                              Calibri, sans-serif;
                                              font-size: 14px;">Thanks,</div>
                                            <div style="font-family:
                                              Calibri, sans-serif;
                                              font-size: 14px;">Emily</div>
                                            <div style="font-family:
                                              Calibri, sans-serif;
                                              font-size: 14px;"><br>
                                            </div>
                                            <div style="font-family:
                                              Calibri, sans-serif;
                                              font-size: 14px;">Emily Xu</div>
                                            <div style="font-family:
                                              Calibri, sans-serif;
                                              font-size: 14px;">Identity
                                              Management</div>
                                            <div style="font-family:
                                              Calibri, sans-serif;
                                              font-size: 14px;">VMware </div>
                                          </div>
                                        </div>
                                      </blockquote>
                                    </div>
                                    <br>
                                  </div>
                                </div>
                              </div>
                            </span></div>
                        </blockquote>
                      </div>
                      <br>
                    </div>
                  </div>
                </blockquote>
              </div>
              <br>
            </div>
          </div>
        </div>
      </span>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">_______________________________________________
Openid-specs-native-apps mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Openid-specs-native-apps@lists.openid.net">Openid-specs-native-apps@lists.openid.net</a>
<a class="moz-txt-link-freetext" href="http://lists.openid.net/mailman/listinfo/openid-specs-native-apps">http://lists.openid.net/mailman/listinfo/openid-specs-native-apps</a>
</pre>
    </blockquote>
    <br>
  </div>

</blockquote></div><br></div></body></html>