OAuth for Native Apps

Tuesday – Session 4 - B

Convener: Marcus Scurtescu

Notes-taker(s): Eric Sachs

A.	Tags for the session - technology discussed/ideas considered:

B.	Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

OAUTH2 FLOWS
- web server
- user agent
- device
- username & password

NATIVE APP TYPES THAT CAN EMBED OR LAUNCH A BROWSER
- GUI app
- command line app
- phone app

LIMITS OF THE OAUTH2 USER AGENT FLOW
- it works okay with an embedded browser, but does not work well if the browser is launched by the app
- the user agent flow does not return a refresh token, so the app's access to the API expires
- the web server OAuth2 flow is closer to what native apps need, but it requires client registration (with a client secret), which does not make sense for native apps that can't keep secrets
- there is also no callback URL for native apps, so the "oob" (out-of-band) value from OAuth1 may be needed again

TECHNIQUES
- copy & paste: the fallback that always works, but it would be nice to have something better
- embedded browser: depends on how the embedded browser handles cookies and on the resulting user experience; if the service provider runs a two-factor auth process whenever cookies are not present (as a bank does), it really hurts the user experience
- custom scheme: OS dependent; works somewhat on some phones, but hard on Windows, especially when there are multiple browsers the user might use
- local web server: takes more resources on the machine, and firewall software can cause problems
- monitor cookies: requires hacker-style techniques to peek into the browser's cookie jar
- monitor window title: some OS variance, but works well on Windows; more variance in the app's ability to bring itself back to the foreground
- browser extension: too much variance
- use a web service to request the token: still requires launching a browser, and the app still has the same problem of knowing when to bring itself to the foreground
- app keeps polling the authorization server to see if the token is valid: creates a lot of load and potential DoS alerts on the provider
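The "local web server" technique above, as an added example that is not from the session: a Python loopback listener the app starts before launching the system browser, so the provider's redirect lands on the app's own port. It assumes a hypothetical authorization endpoint (`AUTHZ_ENDPOINT`) and that the provider accepts a loopback `redirect_uri`; the `state` value binds the redirect to this launch, so a stray or forged request on the port is rejected instead of being taken as the authorization code.

```python
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse

AUTHZ_ENDPOINT = "https://authz.example/authorize"  # hypothetical provider (assumption)


class LoopbackReceiver:
    def __init__(self):
        # Fresh per launch: a redirect carrying any other value is not ours.
        self.state = secrets.token_urlsafe(16)
        self.result = None
        self.done = threading.Event()
        receiver = self

        class Handler(BaseHTTPRequestHandler):
            def do_GET(self):
                query = parse_qs(urlparse(self.path).query)
                if query.get("state", [None])[0] != receiver.state:
                    self.send_error(400, "state mismatch")
                    return  # listener stays up; the genuine redirect may still arrive
                receiver.result = {"code": query.get("code", [None])[0],
                                   "error": query.get("error", [None])[0]}
                self.send_response(200)
                self.end_headers()
                self.wfile.write(b"You can close this window.")
                receiver.done.set()

        # Port 0: the OS picks a free port, so two copies of the app do not collide.
        self.server = HTTPServer(("127.0.0.1", 0), Handler)
        threading.Thread(target=self.server.serve_forever, daemon=True).start()

    @property
    def redirect_uri(self):
        return f"http://127.0.0.1:{self.server.server_port}/callback"

    def authorization_url(self, client_id, scope):
        # The app opens this in the system browser (public client: no client secret).
        return AUTHZ_ENDPOINT + "?" + urlencode({
            "response_type": "code", "client_id": client_id, "scope": scope,
            "redirect_uri": self.redirect_uri, "state": self.state})

    def wait(self, timeout=None):
        # Block until the redirect lands (or timeout), then release the port.
        arrived = self.done.wait(timeout)
        self.server.shutdown()
        self.server.server_close()
        return self.result if arrived else None
```

The returned `code` still has to be exchanged at the provider's token endpoint; the firewall and resource concerns noted above apply to the listener regardless.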

IMPLEMENTATION OPTIONS
- library
- service: the preferred option, like the Android Account Manager, but this does not exist on other platforms
- command line tool
- Android: use a registered custom scheme, but the app can't auto-close the browser