Google’s OIDC’ish Auth Platforms on Android, Chrome, iOS

Session Topic: Google's OIDC'ish Auth Platforms on Android, Chrome, iOS 

Wednesday 5A

Convener: Breno de Medeiros

Notes-taker(s): Tim W Bray

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Slides: https://docs.google.com/presentation/d/1RAa7fnVixnwjzxymbkMvgNR5srZyA17lr-bEsCR5li4/pub?start=false&loop=false&delayms=3000


 * OIDC is interested in mobile
 * Background (see slides)
 * Discussion of how they got this to work for Google apps on iOS. The first Google app on iOS has to obtain the credential via a browser or native UI. It then stores the credential in the keychain, and subsequent Google apps can use it without having to go to a browser or display any other visual artifacts.
 * Deep-diving on details of side-scoping & down-scoping
 * Points out that the technology Google used on iOS involves nothing custom or privileged from Apple, so anyone else could in principle build something similar.
 * Discussion of the usefulness of ID Tokens in the cross-client auth scenario.
 * Google hasn’t published all the internal APIs on this yet, but thinks some of them will be useful.
 * OIDC is thinking of adding a secret to a couple of OAuth flows to stifle some corner-case security threats: OAuth Symmetric Proof of Possession for Code Extension.
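The proposal in the last bullet is the code-verifier/code-challenge mechanism later standardized as PKCE (RFC 7636). The Python model below is an added example, not code from the session or from Google's platform: the client commits to a hash of a fresh secret when it requests the code, and the token endpoint refuses any exchange that does not present the matching secret. The toy AuthServer class, the function names and the 32-byte verifier size are assumptions of this example.

```python
import base64, hashlib, hmac, secrets

def b64url(data: bytes) -> str:
    # Base64url without padding, the encoding used for verifier and challenge
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_verifier() -> str:
    # Per-request secret that never leaves the client (32 random bytes, assumed size)
    return b64url(secrets.token_bytes(32))

def make_challenge(verifier: str) -> str:
    # S256 method: the authorization request carries SHA-256(verifier), not the secret
    return b64url(hashlib.sha256(verifier.encode()).digest())

class AuthServer:  # toy authorization server, constructed for this example
    def __init__(self) -> None:
        self._pending = {}  # issued code -> challenge it was bound to

    def authorize(self, code_challenge: str) -> str:
        code = b64url(secrets.token_bytes(16))
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier) -> bool:
        # Codes are single use; a replay finds nothing to compare against
        challenge = self._pending.pop(code, None)
        if challenge is None or code_verifier is None:
            return False
        return hmac.compare_digest(make_challenge(code_verifier), challenge)

def exchange_with_verifier(server: AuthServer) -> bool:
    verifier = make_verifier()
    code = server.authorize(make_challenge(verifier))
    return server.token(code, verifier)

def exchange_without_verifier(server: AuthServer) -> bool:
    # A party that only saw the redirect holds the code but not the verifier
    code = server.authorize(make_challenge(make_verifier()))
    return server.token(code, None)

def exchange_with_wrong_verifier(server: AuthServer) -> bool:
    code = server.authorize(make_challenge(make_verifier()))
    return server.token(code, make_verifier())

def replay_after_success(server: AuthServer) -> bool:
    verifier = make_verifier()
    code = server.authorize(make_challenge(verifier))
    server.token(code, verifier)
    return server.token(code, verifier)  # second use of the same code is refused
```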