OAuth 2 for Native Apps

Session: Tuesday Session 4 Space B

Conference: IIW 10, May 17-19, 2009

Convener: Marcus Scurtescu

Notes-taker(s): Eric Sachs

Tags for the session - technology discussed/ideas considered:

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

OAUTH2 FLOWS
 * web server
 * useragent
 * device
 * username & password

NATIVE APP TYPES THAT CAN EMBED OR LAUNCH A BROWSER
 * GUI app
 * Command Line app
 * Phone app

LIMITS OF THE OAUTH2 USER-AGENT FLOW
 * it works okay with an embedded browser
 * but it does not work well if the browser is launched by the app (the app has no way to receive the result)
 * the user-agent flow does not return a refresh token, so the app's access to the API expires when the access token does
 * the web-server OAuth2 flow is closer to what native apps need, but it requires client registration with a client secret, and that doesn't make sense for native apps that can't keep secrets
 * also, a native app has no callback URL, so the "oob" (out-of-band) value from OAuth 1 may be needed again
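One answer to the "no callback URL" problem is the "local web server" technique from the list of techniques below: the app binds a loopback port and uses it as the callback. The following is an added example, not code from the session notes or from any project discussed there. It assumes a fictional authorization endpoint and client id (AUTHZ_ENDPOINT, CLIENT_ID) and an authorization server that accepts a redirect_uri on 127.0.0.1 with whatever port the app picked. The app launches the system browser on the authorization URL, then waits for the redirect; a per-request state value makes the receiver reject any response that did not come from its own request, so another local process cannot feed it a code. demo() stands a thread in for the browser so the block runs offline.

```python
import http.server
import secrets
import threading
import urllib.error
import urllib.parse
import urllib.request
import webbrowser

# Constructed for this example: a fictional authorization endpoint and client id.
AUTHZ_ENDPOINT = "https://authz.example/oauth2/authorize"
CLIENT_ID = "native-app-example"


class LoopbackReceiver:
    """Catch the OAuth 2 redirect on a loopback port instead of asking the user to paste a code.

    The app launches the system browser with redirect_uri=http://127.0.0.1:<port>/cb and
    waits for the authorization server to send the browser back with ?code=...&state=...
    A 'state' value generated per request ties the response to the request this app
    launched; anything else that hits the port is refused.
    """

    def __init__(self):
        self.state = secrets.token_urlsafe(32)  # one-time, unguessable
        self.code = None
        self.error = None
        self._done = threading.Event()
        receiver = self

        class Handler(http.server.BaseHTTPRequestHandler):
            def do_GET(self):
                url = urllib.parse.urlparse(self.path)
                params = urllib.parse.parse_qs(url.query)
                if url.path != "/cb":
                    self.send_error(404)
                    return
                if params.get("state", [None])[0] != receiver.state:
                    # Not the response to our request: refuse it and keep waiting.
                    self.send_error(400, "state mismatch")
                    return
                receiver.code = params.get("code", [None])[0]
                receiver.error = params.get("error", [None])[0]
                self.send_response(200)
                self.send_header("Content-Type", "text/plain")
                self.end_headers()
                self.wfile.write(b"Authorization received; you can close this window.")
                receiver._done.set()

            def log_message(self, *args):
                pass  # keep the console quiet

        # Port 0: the OS picks a free port, which then goes into redirect_uri.
        # Binding 127.0.0.1 only (not 0.0.0.0) keeps the listener off the network.
        self.server = http.server.HTTPServer(("127.0.0.1", 0), Handler)
        self.port = self.server.server_address[1]
        self.redirect_uri = f"http://127.0.0.1:{self.port}/cb"

    def authorization_url(self):
        query = urllib.parse.urlencode({
            "response_type": "code",
            "client_id": CLIENT_ID,
            "redirect_uri": self.redirect_uri,
            "state": self.state,
        })
        return f"{AUTHZ_ENDPOINT}?{query}"

    def wait_for_code(self, timeout=300):
        """Serve until the matching redirect arrives (or timeout). Return the code or None."""
        worker = threading.Thread(target=self.server.serve_forever, daemon=True)
        worker.start()
        finished = self._done.wait(timeout)
        self.server.shutdown()
        self.server.server_close()
        if not finished or self.error:
            return None
        return self.code


def run_with_browser(open_browser=webbrowser.open, timeout=300):
    """Full flow for a real run: open the system browser, then wait for the code."""
    receiver = LoopbackReceiver()
    open_browser(receiver.authorization_url())
    return receiver.wait_for_code(timeout)


def demo():
    """Offline run: a thread plays the browser being redirected back by the server."""
    def fake_browser(url):
        params = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
        redirect, state = params["redirect_uri"][0], params["state"][0]

        def redirect_back():
            try:  # a forged redirect with the wrong state is rejected with HTTP 400
                urllib.request.urlopen(redirect + "?code=forged&state=wrong", timeout=5)
            except urllib.error.HTTPError:
                pass
            # the genuine redirect carries our state (the code value is constructed)
            urllib.request.urlopen(redirect + f"?code=SplxlOBeZQQYbYS6WxSbIA&state={state}", timeout=5)

        threading.Thread(target=redirect_back, daemon=True).start()

    return run_with_browser(open_browser=fake_browser, timeout=10)


if __name__ == "__main__":
    print(demo())
```

The listener is bound to 127.0.0.1 only, which keeps it off the network and avoids most of the firewall prompts that the "local web server" technique is known for. Whether the authorization server will accept a redirect_uri whose port differs from the one registered is an assumption about that server; if it will not, the app has to bind a fixed port and fail when the port is taken.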

TECHNIQUES
 * copy&paste: the fallback, but it would be nice if it worked better
 * embedded browser: depends on how the embedded browser handles cookies; if the service provider has a two-factor auth process when cookies are not present (like a bank), it really hurts the user experience
 * custom scheme: OS dependent; works somewhat on some phones, but hard on Windows, especially when there are multiple browsers the user might use
 * local web server: takes more resources on the machine; firewall software can cause problems
 * monitor cookies: requires using hacker techniques to peek into the browser's cookie jar
 * monitor title: some OS variance, but works well on Windows; more variance in the app's ability to bring itself back to the foreground
 * browser extension: too much variance
 * use a web service to request the token: still requires launching a browser, and the app still has the same problem of knowing when to bring itself to the foreground
 * app can keep polling the authorization server to see if the token is valid, but this creates a lot of load and potential DoS alerts on the provider
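The load problem in the last bullet is manageable if the polling is done the way the device flow (from the list of flows above) intends: the client never polls faster than the interval the server states, backs off when the server says to, and stops when the code expires or the user declines. The following is an added example, not code from the session notes or any project discussed there. The error strings authorization_pending and slow_down, the five-second MIN_INTERVAL, and the token values are assumptions about the server; a scripted stand-in for the token endpoint and a fake clock let it run offline.

```python
import itertools
import time

MIN_INTERVAL = 5  # seconds; never poll faster than this, whatever the server says (assumed floor)


def poll_for_token(token_request, interval, expires_in, sleep=time.sleep, now=time.monotonic):
    """Poll the token endpoint until a token is issued, the user declines, or the code expires.

    token_request() performs one poll (e.g. a device-code grant request) and returns the
    parsed JSON body. Returns (token_response_or_None, stats).
    """
    deadline = now() + expires_in
    wait = max(interval, MIN_INTERVAL)   # start at the server-stated interval
    polls = 0
    while now() < deadline:
        sleep(wait)                       # wait first: the user was only just shown the code
        polls += 1
        resp = token_request()
        if "access_token" in resp:
            return resp, {"polls": polls, "interval": wait}
        error = resp.get("error")
        if error == "authorization_pending":
            continue                      # user has not finished yet; keep the same interval
        if error == "slow_down":
            wait += MIN_INTERVAL          # server is complaining about load: back off and stay backed off
            continue
        # access_denied, expired_token or anything unexpected: stop polling
        return None, {"polls": polls, "interval": wait, "error": error}
    return None, {"polls": polls, "interval": wait, "error": "expired"}


class FakeClock:
    """Simulated time so the example runs instantly and deterministically."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


def scripted_server(responses):
    """A token_request() that replays constructed responses and records each poll it saw."""
    it = iter(responses)
    seen = []

    def token_request():
        resp = next(it)
        seen.append(resp)
        return resp

    return token_request, seen


def demo():
    """User approves after the server has asked us to back off once."""
    clock = FakeClock()
    script = [  # constructed server responses, in order
        {"error": "authorization_pending"},
        {"error": "slow_down"},
        {"error": "authorization_pending"},
        {"access_token": "2YotnFZFEjr1zCsicMWpAA", "token_type": "bearer",
         "refresh_token": "tGzv3JOkF0XG5Qx2TlKWIA"},
    ]
    token_request, seen = scripted_server(script)
    result, stats = poll_for_token(token_request, interval=5, expires_in=600,
                                   sleep=clock.sleep, now=clock.now)
    return result, stats, clock.t


def demo_expiry():
    """User never responds: polling stops at expires_in instead of hammering the server forever."""
    clock = FakeClock()
    token_request, seen = scripted_server(itertools.repeat({"error": "authorization_pending"}))
    result, stats = poll_for_token(token_request, interval=5, expires_in=60,
                                   sleep=clock.sleep, now=clock.now)
    return result, stats, clock.t


if __name__ == "__main__":
    print(demo())
    print(demo_expiry())
```

In demo() the back-off is sticky: after one slow_down the interval goes from 5 to 10 seconds and stays there, so the four polls take 30 simulated seconds rather than 20. demo_expiry() shows the other half of being a polite client: with expires_in=60 the loop makes twelve polls and then gives up, which is what keeps an abandoned login from becoming a permanent trickle of requests that a provider's DoS monitoring would flag.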

IMPLEMENTATION OPTIONS
 * library
 * service
 * command line tool

The preferred option would be something like Android's AccountManager, but that does not exist on other platforms. On Android, use a registered custom scheme, but the app can't auto-close the browser.