OAuth for Native Apps
Tuesday – Session 4 - B
Convener: Marcus Scurtescu
Notes-taker(s): Eric Sachs
A. Tags for the session - technology discussed/ideas considered:
B. Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
OAUTH2 FLOWS
- web server
- user agent
- device
- username & password
NATIVE APP TYPES THAT CAN EMBED OR LAUNCH A BROWSER
- GUI app
- Command line app
- Phone app
LIMITS OF OAUTH2 USER AGENT FLOW
- it works okay with an embedded browser
- but does not work well if the browser is launched by the app
- user agent does not get a refresh token, so the app's access to the API expires
- the web server OAuth2 flow is closer to what native apps need, however it requires registration, and that doesn't make sense for native apps that can't keep secrets
- also no callback URL for native apps, so may need the "oob" value back from OAuth1
TECHNIQUES
- copy & paste
Fallback, but it would be nice if it worked better
- embedded browser
Depends on how the embedded browser handles cookies; if the service provider has a two-factor auth process when cookies are not present, like a bank, then it really hurts the user experience
- custom scheme
OS dependent; works somewhat on some phones, but hard on Windows, especially when there are multiple browsers the user might use
- local web server
Takes more resources on the machine. Firewall software can cause problems
- monitor cookies
Requires using hacker techniques to peek into the cookie jar
- monitor title
Some OS variance, but works well on Windows. More variance in the app's ability to bring itself back to the foreground
- browser extension
Too much variance
- use a web-service to request the token
But still requires launching a browser, and still has the same problem of the app knowing when to bring itself to the foreground
- app can keep polling authorization server to see if token is valid, but creates a lot of load and potential DOS alerts on provider
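As an added illustration of the "local web server" technique listed above (this is example code, not part of the session notes), a minimal Python loopback listener: it binds an ephemeral port on 127.0.0.1, builds the authorization URL around that port, serves exactly one redirect, and only hands back the authorization code when the state value it generated comes back unchanged. The authorization endpoint, client id and scope are placeholders, and the token exchange that follows is not shown.

```python
import hmac
import secrets
import webbrowser
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse

REDIRECT_PATH = "/callback"

def parse_redirect(request_target, expected_state):
    """Return the authorization code, or None on wrong path, missing code or state mismatch."""
    url = urlparse(request_target)
    if url.path != REDIRECT_PATH:
        return None
    query = parse_qs(url.query)
    code = query.get("code", [""])[0]
    state = query.get("state", [""])[0]
    # Constant-time compare: a state mismatch means this is not the redirect we asked for.
    if not code or not hmac.compare_digest(state.encode(), expected_state.encode()):
        return None
    return code

class _RedirectHandler(BaseHTTPRequestHandler):
    def do_GET(self):  # the single redirect the browser sends back to the listener
        self.server.code = code = parse_redirect(self.path, self.server.expected_state)
        self.send_response(200 if code else 400)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"Done, you can close this tab." if code else b"Invalid redirect.")

def start_listener(timeout=120):
    """Bind an ephemeral loopback port so the redirect URI can carry it; fresh state per run."""
    server = HTTPServer(("127.0.0.1", 0), _RedirectHandler)
    server.expected_state = secrets.token_urlsafe(32)
    server.code = None
    server.timeout = timeout  # give up if the user never completes the browser step
    return server

def build_auth_url(server, authz_endpoint, client_id, scope):
    """Authorization request whose redirect_uri points at the listener's port."""
    params = {"response_type": "code", "client_id": client_id, "scope": scope,
              "redirect_uri": f"http://127.0.0.1:{server.server_address[1]}{REDIRECT_PATH}",
              "state": server.expected_state}
    return f"{authz_endpoint}?{urlencode(params)}"

if __name__ == "__main__":  # placeholder provider values; serves one request, then exits
    srv = start_listener()
    webbrowser.open(build_auth_url(srv, "https://authz.example/authorize", "EXAMPLE_CLIENT_ID", "profile"))
    srv.handle_request()
    srv.server_close()
    print("code received" if srv.code else "no code (timeout or bad redirect)")
```

The firewall prompt the notes mention is exactly what binding this listener can trigger on some desktops, which is why the port is taken on the loopback address only.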
IMPLEMENTATION OPTIONS
- library
- service
Preferred option, like Android Account Manager, but this does not exist on other platforms
- command line tool
- Android: use a registered custom scheme, but can't auto-close the browser