Google’s OIDC’ish Auth Platforms on Android, Chrome, iOS
From IIW
Session Topic: Google's OIDC'ish Auth Platforms on Android, Chrome, iOS
Wednesday 5A
Convener: Breno de Medeiros
Notes-taker(s): Tim W Bray
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
- OIDC is interested in mobile
- Background (see slides)
- Discussion of how they got this to work for Google apps on iOS. The first Google app on iOS to sign in has to obtain the credential via a browser or native UI. It then stores the credential in the keychain, and subsequent Google apps can reuse it without going to a browser or displaying any other visual artifacts.
- Deep-diving on details of side-scoping & down-scoping
- Points out that the technology Google used on iOS involves nothing custom or privileged from Apple, so anyone else could in principle build something similar.
- Discussion of the usefulness of ID Tokens in the cross-client auth scenario.
- Google hasn't published all the internal APIs for this yet, but thinks some of them will be useful.
- OIDC is thinking of adding a secret to a couple of OAuth flows to stifle some corner-case security threats: OAuth Symmetric Proof of Possession for Code Extension.
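The "secret added to the code flow" idea in the last point is the draft that was later published as RFC 7636 (PKCE). The following is an added example written for these notes, not code from the session, from Google, or from the OpenID working group: a toy in-memory authorization server (the `AuthorizationServer` class and the `mobile-app` client id are illustrative assumptions) showing why a code alone no longer suffices once the client commits to a hashed secret in the front channel and must present the secret itself on the back channel.

```python
"""Toy model of the PKCE-style 'secret in the code flow' (RFC 7636, S256).

Added example. The AuthorizationServer class, its in-memory code store and
the client id "mobile-app" are illustrative assumptions, not any real AS.
"""
import base64
import hashlib
import os
import secrets


def b64url(raw: bytes) -> str:
    """Base64url without padding, the encoding the draft/RFC mandates."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    """Client-side secret: 32 random bytes -> 43-character code_verifier."""
    return b64url(os.urandom(32))


def make_challenge(verifier: str) -> str:
    """S256 transform: only this hash travels in the front-channel request."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Stand-in AS that remembers the challenge bound to each issued code."""

    def __init__(self, require_pkce: bool = True):
        self.require_pkce = require_pkce
        self._codes = {}  # code -> (client_id, challenge or None, method)

    def authorize(self, client_id, code_challenge=None, method="S256"):
        # Front channel (browser redirect): the challenge is visible to
        # anything that can observe the redirect, the verifier never is.
        if self.require_pkce and code_challenge is None:
            raise ValueError("code_challenge required")
        code = secrets.token_urlsafe(24)
        self._codes[code] = (client_id, code_challenge, method)
        return code

    def token(self, client_id, code, code_verifier=None):
        # Back channel: whoever redeems the code must also prove they hold
        # the verifier that matches the challenge seen at authorize time.
        entry = self._codes.pop(code, None)  # single use: a replay fails
        if entry is None:
            return None
        owner, challenge, method = entry
        if owner != client_id:
            return None
        if challenge is not None:
            if code_verifier is None:
                return None
            if method == "S256":
                expected = make_challenge(code_verifier)
            elif method == "plain":
                expected = code_verifier
            else:
                return None
            if not secrets.compare_digest(expected, challenge):
                return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def legitimate_flow():
    """Client that generated the verifier redeems its own code: succeeds."""
    server = AuthorizationServer()
    verifier = make_verifier()
    code = server.authorize("mobile-app", make_challenge(verifier))
    return server.token("mobile-app", code, verifier)


def intercepted_code_flow():
    """Party that captured only the code (the corner case the draft targets)
    cannot redeem it: it never saw the verifier, so any guess fails."""
    server = AuthorizationServer()
    verifier = make_verifier()
    code = server.authorize("mobile-app", make_challenge(verifier))
    return server.token("mobile-app", code, make_verifier())


def intercepted_code_without_pkce():
    """Same capture against a flow with no secret: the code alone suffices."""
    server = AuthorizationServer(require_pkce=False)
    code = server.authorize("mobile-app")
    return server.token("mobile-app", code)


def replay_after_redemption():
    """A redeemed code is gone; a second redemption with the right verifier
    is still refused. Returns True when the server behaves that way."""
    server = AuthorizationServer()
    verifier = make_verifier()
    code = server.authorize("mobile-app", make_challenge(verifier))
    first = server.token("mobile-app", code, verifier)
    second = server.token("mobile-app", code, verifier)
    return first is not None and second is None


if __name__ == "__main__":
    print("legit:", legitimate_flow() is not None)
    print("intercepted, PKCE:", intercepted_code_flow())
    print("intercepted, no PKCE:", intercepted_code_without_pkce() is not None)
    print("replay refused:", replay_after_redemption())
```

The `make_challenge` output can be checked against the S256 test vector in RFC 7636 Appendix B; the plain method is kept only to show the shape of the fallback, and a public client that can do SHA-256 should never choose it.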