<div dir="ltr"><span style="font-family:arial,sans-serif;font-size:12.7272720336914px"><p dir="ltr" style="line-height:1.15;margin-top:0pt;margin-bottom:0pt"><span style="font-size:13px;font-family:Arial;vertical-align:baseline;white-space:pre-wrap">Hi All,</span></p><br><p dir="ltr" style="line-height:1.15;margin-top:0pt;margin-bottom:0pt"><span style="font-size:13px;font-family:Arial;vertical-align:baseline;white-space:pre-wrap">We had a solid week of working sessions last week. Here are my notes from the final meeting on Thursday at IIW.</span></p><br><p dir="ltr" style="line-height:1.15;margin-top:0pt;margin-bottom:0pt"><span style="font-size:13px;font-family:Arial;vertical-align:baseline;white-space:pre-wrap">Present at the very end were: John Bradley, Nat Sakimura, Lloyd Burch, Emily Xu, Ashish Jain and William Denniss.  (sorry, I don't have a roll call for the whole meeting, please feel free to reply and add your name plus any comments/notes!)</span></p><p dir="ltr" style="line-height:1.15;margin-top:0pt;margin-bottom:0pt"><span style="font-size:13px;font-family:Arial;vertical-align:baseline;white-space:pre-wrap"><br></span></p><p dir="ltr" style="line-height:1.15;margin-top:0pt;margin-bottom:0pt"><span style="font-size:13px;font-family:Arial;vertical-align:baseline;white-space:pre-wrap">Whiteboard images posted here: <a href="https://plus.google.com/+WilliamDenniss/posts/7aqRumjEaSY?pid=6079042534008594978&oid=109917506981759115980">https://plus.google.com/+WilliamDenniss/posts/7aqRumjEaSY?pid=6079042534008594978&oid=109917506981759115980</a></span></p><br><p dir="ltr" style="line-height:1.15;margin-top:0pt;margin-bottom:0pt"><span style="font-size:13px;font-family:Arial;vertical-align:baseline;white-space:pre-wrap">This latest proposal is for NAPPS to use regular OAuth 2.0 flows (protected with </span><a href="https://datatracker.ietf.org/doc/draft-ietf-oauth-spop/" target="_blank" style="text-decoration:none"><span 
style="font-size:13px;font-family:Arial;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">spop</span></a><span style="font-size:13px;font-family:Arial;vertical-align:baseline;white-space:pre-wrap"> [</span><a href="https://bitbucket.org/wdenniss/oauth-spop/downloads" target="_blank" style="text-decoration:none"><span style="font-size:13px;font-family:Arial;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">latest draft</span></a><span style="font-size:13px;font-family:Arial;vertical-align:baseline;white-space:pre-wrap">]) with enhancements to improve SSO on native platforms.</span></p><p dir="ltr" style="line-height:1.15;margin-top:0pt;margin-bottom:0pt"><span style="font-size:13px;font-family:Arial;vertical-align:baseline;white-space:pre-wrap">It was discussed that the Token Agent could basically be the broker of the OAuth "code", and could be the location where all the business logic around re-authentication is located (potentially both client and server side logic).</span></p><br><p dir="ltr" style="line-height:1.15;margin-top:0pt;margin-bottom:0pt"><span style="font-size:13px;font-family:Arial;vertical-align:baseline;white-space:pre-wrap">For example, if the user is required to re-authenticate at the start of the day, the TA can facilitate that. Subsequent calls can then mint new codes as per the relevant business logic (e.g. device must have a passcode, or TouchID must be entered at the TA to continue).</span></p><br><br><p dir="ltr" style="line-height:1.15;margin-top:0pt;margin-bottom:0pt"><span style="font-size:13px;font-family:Arial;vertical-align:baseline;white-space:pre-wrap">Both a Native App and the System Browser can potentially play the role of the TA, as their inter-app sharing I/O is similar (custom URL schemes).  The pros and cons of each model were discussed. The attendees were roughly split 50:50 on those who would likely consider a native token agent, and those who preferred the system browser. 
The NAPPS spec could document both profiles, with some suggestions to help guide people to one or the other.  Here's a list of some </span><span style="font-family:Arial;font-size:13px;line-height:1.15;white-space:pre-wrap">pros and cons that were discussed ('+' is a pro, '-' is a con):</span></p><br><p dir="ltr" style="line-height:1.15;margin-top:0pt;margin-bottom:0pt"><span style="font-size:13px;font-family:Arial;vertical-align:baseline;white-space:pre-wrap">Native TA:</span></p><p dir="ltr" style="line-height:1.15;margin-top:0pt;margin-bottom:0pt"><span style="font-size:13px;font-family:Arial;vertical-align:baseline;white-space:pre-wrap">+ Can protect against a bad calling app (as it knows the calling bundle ID)</span></p><p dir="ltr" style="line-height:1.15;margin-top:0pt;margin-bottom:0pt"><span style="font-size:13px;font-family:Arial;vertical-align:baseline;white-space:pre-wrap">- Unable to protect against a bad TA (the bad TA can register the same URL scheme as the real TA)</span></p><p dir="ltr" style="line-height:1.15;margin-top:0pt;margin-bottom:0pt"><span style="font-size:13px;font-family:Arial;vertical-align:baseline;white-space:pre-wrap">+ Ability to make native calls, for example to require TouchID to unlock the master token</span></p><p dir="ltr" style="line-height:1.15;margin-top:0pt;margin-bottom:0pt"><span style="font-size:13px;font-family:Arial;vertical-align:baseline;white-space:pre-wrap">+ Can enforce "lightweight MDM" such as determining if the user has a Passcode / Lockscreen.</span></p><p dir="ltr" style="line-height:1.15;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Arial;font-size:13px;white-space:pre-wrap;line-height:1.15">- Must be installed by the user</span><br></p><br><p dir="ltr" style="line-height:1.15;margin-top:0pt;margin-bottom:0pt"><span style="font-size:13px;font-family:Arial;vertical-align:baseline;white-space:pre-wrap">System Browser:</span></p><p dir="ltr" 
style="line-height:1.15;margin-top:0pt;margin-bottom:0pt"><span style="font-size:13px;font-family:Arial;vertical-align:baseline;white-space:pre-wrap">+ Protects against a bad TA ("https://" calls will only open the system browser)</span></p><p dir="ltr" style="line-height:1.15;margin-top:0pt;margin-bottom:0pt"><span style="font-size:13px;font-family:Arial;vertical-align:baseline;white-space:pre-wrap">- Unable to protect against a bad calling app, as the caller's Bundle ID is not known</span></p><p dir="ltr" style="line-height:1.15;margin-top:0pt;margin-bottom:0pt"><span style="font-size:13px;font-family:Arial;vertical-align:baseline;white-space:pre-wrap">+ Can be presented on the homescreen via a </span><a href="https://developer.apple.com/library/ios/featuredarticles/iPhoneConfigurationProfileRef/Introduction/Introduction.html" target="_blank" style="text-decoration:none"><span style="font-size:13px;font-family:Arial;text-decoration:underline;vertical-align:baseline;white-space:pre-wrap">configuration profile</span></a><span style="font-size:13px;font-family:Arial;vertical-align:baseline;white-space:pre-wrap"> (which can also bundle certificates, etc.) </span></p><p dir="ltr" style="line-height:1.15;margin-top:0pt;margin-bottom:0pt"><span style="font-size:13px;font-family:Arial;vertical-align:baseline;white-space:pre-wrap">+ Available on every device, and may be required as a fallback anyway</span></p><br><p dir="ltr" style="line-height:1.15;margin-top:0pt;margin-bottom:0pt"><span style="font-size:13px;font-family:Arial;vertical-align:baseline;white-space:pre-wrap">Both profiles have the ability for a "launcher" style page for enterprise apps.  
Both have the same I/O capabilities for inter-app communication (URL schemes).</span></p><br><br><p dir="ltr" style="line-height:1.15;margin-top:0pt;margin-bottom:0pt"><span style="font-size:13px;font-family:Arial;vertical-align:baseline;white-space:pre-wrap">If there is broad agreement on the diagrams & description above, we can start to document the functionality of the TA, and </span><span style="font-family:Arial;font-size:12.7272720336914px;line-height:13.5909090042114px;white-space:pre-wrap">then look at questions such as TA discovery and app-info lists. </span><span style="font-family:Arial;font-size:13px;white-space:pre-wrap;line-height:1.15">I'll volunteer to work on the API bindings spec, including the Native TA and System Browser TA profiles.</span></p><p dir="ltr" style="line-height:1.15;margin-top:0pt;margin-bottom:0pt"><span style="font-size:13px;font-family:Arial;vertical-align:baseline;white-space:pre-wrap"><br></span></p></span><div style="font-family:arial,sans-serif;font-size:12.7272720336914px">Best,</div><div style="font-family:arial,sans-serif;font-size:12.7272720336914px">William</div></div>
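<p>Editor's added example (not code from the meeting notes, the NAPPS work or the spop draft itself): the notes say the proposal uses regular OAuth 2.0 code flows "protected with spop", with the code handed back to the TA over a custom URL scheme, and the pros/cons lists note that another app can register the same URL scheme. The model below shows why the code on its own is not enough to obtain a token under spop: the party that redeems the code must also present the <code>code_verifier</code> whose S256 transform (<code>BASE64URL(SHA256(ASCII(code_verifier)))</code>, the method the draft defines and that was later published as RFC 7636, PKCE) was bound to the code when it was issued. The authorization server, client id and in-memory code store are constructed stand-ins.</p>

```python
"""spop / PKCE code protection, modelled end to end in one process.

Constructed stand-ins: the AuthorizationServer class, its in-memory code
store and the client id. The transform itself (S256 and "plain") follows
the spop draft / RFC 7636.
"""
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as spop requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """High-entropy secret kept only by the party that will redeem the code.
    32 random bytes encode to 43 characters, the spop minimum length."""
    return b64url(secrets.token_bytes(nbytes))


def code_challenge_s256(code_verifier: str) -> str:
    """S256 transform sent on the authorization request."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


@dataclass
class AuthorizationServer:
    """Constructed stand-in: remembers the challenge bound to each code."""
    issued: dict = field(default_factory=dict)

    def authorize(self, client_id: str, code_challenge: str,
                  method: str = "S256") -> str:
        if method not in ("plain", "S256"):
            raise ValueError("unsupported code_challenge_method")
        code = b64url(secrets.token_bytes(16))
        self.issued[code] = (client_id, code_challenge, method)
        return code  # this is what travels back over the URL scheme

    def token(self, client_id: str, code: str, code_verifier: str):
        # Any redemption attempt consumes the code: replay and a failed
        # verifier both leave the code unusable afterwards.
        entry = self.issued.pop(code, None)
        if entry is None:
            return None
        cid, challenge, method = entry
        if cid != client_id or not 43 <= len(code_verifier) <= 128:
            return None
        derived = (code_verifier if method == "plain"
                   else code_challenge_s256(code_verifier))
        if not hmac.compare_digest(derived, challenge):
            return None
        return {"access_token": b64url(secrets.token_bytes(24)),
                "token_type": "bearer"}


def demo_flow() -> dict:
    """Legitimate exchange plus the two failure modes spop closes.
    Returns booleans so the outcome can be asserted, not just printed."""
    auth_server = AuthorizationServer()
    client_id = "com.example.enterprise-app"  # constructed client id

    # Flow A: a party that only saw the code (another app registered on the
    # same URL scheme) does not hold the verifier and cannot redeem it.
    verifier_a = make_code_verifier()
    code_a = auth_server.authorize(client_id, code_challenge_s256(verifier_a))
    intercepted = auth_server.token(client_id, code_a, make_code_verifier())

    # Flow B: the holder of the verifier redeems the code once; a second
    # redemption of the same code is refused.
    verifier_b = make_code_verifier()
    code_b = auth_server.authorize(client_id, code_challenge_s256(verifier_b))
    legit = auth_server.token(client_id, code_b, verifier_b)
    replay = auth_server.token(client_id, code_b, verifier_b)

    return {
        "intercepted_code_fails": intercepted is None,
        "legitimate_exchange_succeeds": legit is not None,
        "replay_fails": replay is None,
    }


if __name__ == "__main__":
    for name, ok in demo_flow().items():
        print(f"{name}: {ok}")
```

<p>The model deliberately invalidates a code on any failed redemption, so a verifier mismatch also denies the legitimate client that same code; that is the conventional defensive choice and it is what makes a failed <code>token</code> call a useful signal on the server side. What spop does not address, and what the lists above are about, is which app on the device receives the code and the verifier in the first place; that is the bad-TA / bad-calling-app question, which the TA profile has to answer separately.</p>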