OAuth 2 for Native Apps
Session: Tuesday Session 4 Space B
Conference: IIW 10, May 17-19, 2009
Convener: Marcus Scurtescu
Notes-taker(s): Eric Sachs
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
OAUTH2 FLOWS
- web server
- useragent
- device
- username & password
NATIVE APP TYPES THAT CAN EMBED OR LAUNCH A BROWSER
- GUI app
- Command Line app
- Phone app
LIMITS OF OAUTH2 USER-AGENT FLOW
- it works acceptably with an embedded browser
- but it does not work well if the browser is launched by the app, since the app then has no reliable way to receive the token from the separate browser
- the user-agent flow never returns a refresh token, so the app's access to the API expires with the access token and the user has to authorize again
- the web-server OAuth2 flow is closer to what native apps need, but it requires client registration with a secret, which does not make sense for native apps that cannot keep secrets
- there is also no callback URL for native apps, so something like the "oob" (out-of-band) callback value from OAuth 1.0a may be needed
TECHNIQUES
- copy&paste
Works as a fallback, but it would be nice to have something that works better
- embedded browser
Depends on how the embedded browser handles cookies. If the embedded browser does not share the cookie jar and the service provider runs a two-factor authentication process whenever cookies are not present (as a bank does), the user experience suffers badly
- custom scheme
OS dependent; works somewhat on some phones, but is hard on Windows, especially when the user might have several browsers installed
- local web server
Uses more resources on the machine, and firewall software can cause problems
- monitor cookies
Requires hacker-style techniques to peek into the browser's cookie jar
- monitor title
Some OS variance, but works well on Windows. More variance in the app's ability to bring itself back to the foreground
- browser extension
Too much variance between browsers
- use a web service to request the token
Still requires launching a browser, and the app still has the same problem of knowing when to bring itself back to the foreground
- the app can keep polling the authorization server to see whether the token has become valid, but this creates a lot of load and may trigger DoS alerts at the provider
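The "local web server" technique above, worked through as an added example (this is not code from the session, and the authorization endpoint and client id are assumed placeholders): the app binds a loopback HTTP listener on a random port, sends the system browser to the authorization endpoint with that listener as redirect_uri, and accepts only a redirect carrying the state value it generated. Any other local process, or any page in the user's browser, can send a request to that port, so a response with the wrong state is rejected and the app keeps waiting rather than accepting an injected code. A small copy&paste helper covers the fallback technique for the case where the browser cannot reach the listener.

```python
import http.server
import secrets
import threading
import urllib.parse
import webbrowser

# Assumed placeholder values; not taken from the session notes.
AUTH_ENDPOINT = "https://auth.example/authorize"
CLIENT_ID = "native-app-demo"


class LoopbackReceiver:
    """Receives the authorization-code redirect on a loopback-only HTTP server."""

    def __init__(self):
        self.state = secrets.token_urlsafe(16)  # ties the redirect to this request
        self.result = None
        self._done = threading.Event()
        # Bind to 127.0.0.1 (not 0.0.0.0) on an ephemeral port: nothing on the LAN
        # can reach it, and personal firewalls are less likely to prompt.
        self.server = http.server.HTTPServer(("127.0.0.1", 0), self._handler_class())
        self.port = self.server.server_address[1]
        self.redirect_uri = f"http://127.0.0.1:{self.port}/callback"
        threading.Thread(target=self.server.serve_forever, daemon=True).start()

    def authorization_url(self):
        """URL the app hands to the system browser (no client secret: native apps can't keep one)."""
        query = urllib.parse.urlencode({
            "response_type": "code",
            "client_id": CLIENT_ID,
            "redirect_uri": self.redirect_uri,
            "state": self.state,
        })
        return f"{AUTH_ENDPOINT}?{query}"

    def _handler_class(self):
        receiver = self

        class Handler(http.server.BaseHTTPRequestHandler):
            def log_message(self, *_):
                pass  # keep the user's terminal quiet

            def do_GET(self):
                parsed = urllib.parse.urlparse(self.path)
                params = urllib.parse.parse_qs(parsed.query)
                first = lambda key: params.get(key, [None])[0]
                if parsed.path != "/callback":
                    self._reply(404, "not found")
                    return
                # A request with the wrong state is not the response to our request:
                # reject it and keep listening instead of completing the flow.
                if first("state") != receiver.state:
                    self._reply(400, "state mismatch; response ignored")
                    return
                if first("error"):
                    receiver.result = {"error": first("error")}
                elif first("code"):
                    receiver.result = {"code": first("code")}
                else:
                    self._reply(400, "missing code")
                    return
                receiver._done.set()
                self._reply(200, "Authorization received; you can return to the application.")

            def _reply(self, status, text):
                body = text.encode()
                self.send_response(status)
                self.send_header("Content-Type", "text/plain; charset=utf-8")
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)

        return Handler

    def wait_for_result(self, timeout):
        """Return {"code": ...} or {"error": ...} once delivered, or None on timeout."""
        return self.result if self._done.wait(timeout) else None

    def close(self):
        self.server.shutdown()
        self.server.server_close()


def code_from_pasted_text(text, expected_state=None):
    """Copy&paste fallback: accept a bare code, or a whole pasted callback URL (state checked)."""
    text = text.strip()
    if "://" in text:
        params = urllib.parse.parse_qs(urllib.parse.urlparse(text).query)
        if expected_state is not None and params.get("state", [None])[0] != expected_state:
            return None
        return params.get("code", [None])[0]
    return text or None


if __name__ == "__main__":
    receiver = LoopbackReceiver()
    webbrowser.open(receiver.authorization_url())  # launches the system browser
    print(receiver.wait_for_result(timeout=120))  # the app still has to bring itself to the front
    receiver.close()
```

The code received here is still only the first half of the web-server flow: the app must exchange it at the token endpoint, and because the listener speaks plain HTTP on loopback the authorization server has to accept a redirect_uri whose port varies per run. Neither point was settled in this session.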
IMPLEMENTATION OPTIONS
- library
- service
Preferred option, like the Android Account Manager, but nothing equivalent exists on other platforms
- command line tool
- Android can use a registered custom scheme, but cannot auto-close the browser