Google’s OIDC’ish Auth Platforms on Android, Chrome, iOS

From IIW

Session Topic: Google's OIDC'ish Auth Platforms on Android, Chrome, iOS

Wednesday 5A

Convener: Breno de Medeiros

Notes-taker(s): Tim W Bray

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Slides: https://docs.google.com/presentation/d/1RAa7fnVixnwjzxymbkMvgNR5srZyA17lr-bEsCR5li4/pub?start=false&loop=false&delayms=3000

  • OIDC is interested in mobile
  • Background (see slides)
  • Discussion of how they got this to work for Google apps on iOS. The first Google app on iOS has to obtain the credential via a browser or native UI. It then stores the credential in the keychain, and subsequent Google apps can use that credential without going to a browser or displaying any other visual artifacts.
  • Deep dive into the details of side-scoping and down-scoping.
  • Points out that the technology Google used on iOS has nothing custom or privileged from Apple, so anyone else could in principle build something similar.
  • Discussion of the usefulness of ID Tokens in the cross-client auth scenario.
  • Google hasn’t published all the internal APIs on this yet, but thinks some of them will be useful.
  • OIDC is thinking of adding a secret to a couple of OAuth flows to stifle some corner-case security threats: OAuth symmetric proof of possession for code extension.
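The last bullet refers to the draft that became PKCE (RFC 7636): a public mobile client binds the authorization code to a per-request secret so that another app on the device which intercepts the code (for example, one registered for the same custom URI scheme) cannot redeem it. The following is an added worked example, not code from the session or from Google; the client_id, the in-memory authorization server and the attacker step are constructed for illustration. It shows both sides of the exchange: the client derives a code_challenge from a fresh code_verifier, the server stores the challenge with the issued code, and the token endpoint refuses the code unless the caller presents the matching verifier. It also checks the S256 test vector from RFC 7636 Appendix B.

```python
import base64
import hashlib
import secrets


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_verifier(nbytes: int = 32) -> str:
    """Fresh high-entropy code_verifier (32 random bytes -> 43 chars)."""
    return b64url(secrets.token_bytes(nbytes))


def challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthServer:
    """Minimal in-memory authorization server (constructed for the example)."""

    def __init__(self) -> None:
        # code -> (client_id, code_challenge, code_challenge_method)
        self.pending: dict[str, tuple[str, str, str]] = {}

    def authorize(self, client_id: str, code_challenge: str,
                  method: str = "S256") -> str:
        """Authorization endpoint: issue a code bound to the challenge."""
        code = secrets.token_urlsafe(24)
        self.pending[code] = (client_id, code_challenge, method)
        return code

    def token(self, client_id: str, code: str, code_verifier: str):
        """Token endpoint: redeem the code only with the matching verifier."""
        # Codes are single use: pop it whether or not this attempt succeeds,
        # so a failed guess also burns the code for everyone else.
        entry = self.pending.pop(code, None)
        if entry is None:
            return None
        bound_client, challenge, method = entry
        if bound_client != client_id:
            return None
        # RFC 7636 bounds the verifier to 43..128 unreserved characters.
        if not 43 <= len(code_verifier) <= 128:
            return None
        if method == "S256":
            expected = challenge_s256(code_verifier)
        elif method == "plain":
            expected = code_verifier
        else:
            return None
        if not secrets.compare_digest(expected, challenge):
            return None
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}


def run_exchange() -> dict:
    """Three scenarios; returns which of them obtained a token."""
    srv = AuthServer()
    client_id = "com.example.mobileapp"  # constructed identifier

    # 1. A malicious app on the same device intercepts the redirect and
    #    presents the stolen code with a verifier it cannot know.
    v1 = make_verifier()
    stolen_code = srv.authorize(client_id, challenge_s256(v1))
    attacker = srv.token(client_id, stolen_code, make_verifier())

    # 2. The legitimate app completes its own flow with its own verifier.
    v2 = make_verifier()
    code = srv.authorize(client_id, challenge_s256(v2))
    legit = srv.token(client_id, code, v2)

    # 3. Replaying the already-redeemed code, even with the right verifier.
    replay = srv.token(client_id, code, v2)

    return {
        "attacker_got_token": attacker is not None,
        "legit_got_token": legit is not None,
        "replay_got_token": replay is not None,
    }


if __name__ == "__main__":
    print(run_exchange())
```

The verifier never leaves the legitimate app until the token request, and that request goes directly to the token endpoint rather than through the redirect the attacker can observe, which is what makes the interception harmless. Use S256 rather than plain: with plain, anything that can read the authorization request (logs, a proxy, another app handling the URL) learns the verifier itself.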