OAuth 2 for Native Apps

From IIW

Session: Tuesday Session 4 Space B

Conference: IIW 10, May 17-19, 2009. This is the complete set of notes.

Convener: Marcus Scurtescu

Notes-taker(s): Eric Sachs

Tags for the session - technology discussed/ideas considered:


Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

OAUTH2 FLOWS

  • web server
  • useragent
  • device
  • username & password

NATIVE APP TYPES THAT CAN EMBED OR LAUNCH A BROWSER

  • GUI app
  • Command Line app
  • Phone app

LIMITS OF OAUTH2 USERAGENT FLOW

  • it works okay with an embedded browser
  • but does not work well if the browser is launched by the app
  • user agent does not get refresh token, so app's access to API expires
  • The web server OAuth2 flow is closer to native app needs; however, it requires registration, which doesn't make sense for native apps that can't keep secrets
  • Also no callback URL for native apps, so may need the "oob" value back from OAuth 1

TECHNIQUES

  • copy&paste

  fallback, but would be nice to work better

  • embedded browser

  depends on how the embedded browser handles cookies and on the user experience; if the service provider has a two-factor auth process when cookies are not present, like a bank, then it really hurts user experience

  • custom scheme

 OS dependent; works somewhat on some phones, but hard on Windows, especially when there are multiple browsers the user might use

  • local web server

 Takes more resources on the machine. Firewall software can cause problems

  • monitor cookies

 Requires using hacker techniques to peek into cookie jar

  • monitor title

 Some OS variance, but works well on Windows. More variance in the ability of the app to bring itself back to the foreground

  • browser extension

 Too much variance

  • use a web-service to request the token

 but still requires launching a browser, and the app still has the same problem of knowing when to bring itself to the foreground

  • app can keep polling the authorization server to see if the token is valid, but this creates a lot of load and potential DoS alerts on the provider
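The "local web server" technique from the list above, as an added example that is not from the session notes: a Python loopback receiver that takes the browser redirect on an ephemeral 127.0.0.1 port and checks a state value so the app only accepts a redirect tied to the request it started. The authorization endpoint URL and client id are assumed placeholders.

```python
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder authorization endpoint; a real provider's URL would go here.
AUTH_ENDPOINT = "https://auth.example/authorize"


def build_authorization_url(client_id, redirect_uri, state):
    """Build the authorization request the app hands to the launched browser."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "state": state}
    return AUTH_ENDPOINT + "?" + urlencode(params)


def parse_redirect(path, expected_state):
    """Pull the authorization code out of the redirect back to the loopback port.

    Returns None when the state does not match: the redirect was not produced
    by the request this app started, so it must not be accepted.
    """
    query = parse_qs(urlparse(path).query)
    if query.get("state", [None])[0] != expected_state:
        return None
    return query.get("code", [None])[0]


class RedirectHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        code = parse_redirect(self.path, self.server.expected_state)
        self.server.result = code  # None if the state check failed
        self.send_response(200 if code else 400)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"You may close this window." if code else b"Bad request")

    def log_message(self, *args):  # keep the console quiet
        pass


def start_loopback_receiver(expected_state):
    """Bind an ephemeral loopback port and serve exactly one redirect."""
    server = HTTPServer(("127.0.0.1", 0), RedirectHandler)
    server.expected_state = expected_state
    server.result = None
    threading.Thread(target=server.handle_request, daemon=True).start()
    return server


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    srv = start_loopback_receiver(state)
    redirect_uri = f"http://127.0.0.1:{srv.server_port}/callback"
    print("Open in browser:", build_authorization_url("my-client", redirect_uri, state))
```

Binding port 0 lets the OS pick a free port, which is what makes firewall prompts and port clashes visible as the resource cost the notes mention.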

IMPLEMENTATION OPTIONS

  • library
  • service

 Preferred option, like Android Account Manager, but this does not exist on other platforms

  • command line tool

- Android uses a registered custom scheme, but can't auto-close the browser