OAuth 2 and Native Apps

Flows

While all OAuth 2 flows can be used by native apps, only the user delegation flows are considered in this document: the Web Server, User-Agent and Device flows.

The Web Server and User-Agent flows are similar in that information in the browser must be captured by the native app at some point. Transferring control and information from the browser back to the native app is a hard problem. The next section lists techniques that allow that.

The Device flow does not have the above problem, but it has a potential session fixation vulnerability. Also, this flow is relatively new and has not been used by native apps, so it is not proven in practice.

Changes needed in the current spec so that native apps are supported:

Web Server flow
- define a standard result page if redirect_uri is missing
- make sure unregistered clients are properly supported
- make sure registered but insecure clients (those that cannot keep a secret) are supported
- display name parameter may be required

User-Agent flow
- display name parameter may be required

Device flow
- should define a standard parameter name for the user code
- display name parameter may be required

Information Transfer Techniques

After the end user approves that the native application gets access to the requested scopes, the user-agent is redirected to the redirect_uri. The result page at the redirect_uri should display the information that the native application needs along with instructions for the end user. This information is a verification code (Web Server flow) or access/refresh tokens (User-Agent flow). The information can also include some client state, if it was initially sent by the client. If the end user denies access, then ideally the result page should also be displayed, but the information will be a relevant error code and some explanation for the end user.

The following techniques allow native applications to extract the needed information from the result page.

Manual copy-and-paste

The result page shows only one piece of text that the end user can copy and then should paste into the native app. Instructions on how to do that should also be provided. The text to be copied could be a single code/token or an encoded data structure.

The authorization dance can happen on a different machine and be controlled by a separate web server. The native app could instruct the user to go to a URL and grab an activation code from there. The web application at the URL will start the OAuth dance with the same client Id as used by the native app and at the end show an appropriate result page.

- easy to implement
- loop is not closed automatically
- user has to copy-paste or memorize-type

Automatic copy-and-paste

The result page uses JavaScript and/or Flash to copy the information to the system clipboard. The native application watches the clipboard in a loop.

- hard to copy to system clipboard from an HTML page, may need Flash
- text copied to the clipboard can be seen by other apps and can leak, may need to encrypt it
- native app must ensure it grabs the proper text from the clipboard; client state can help
- requires JavaScript to be enabled in the browser to copy to the clipboard

Custom URI Scheme

The native app registers a custom URI scheme that will launch the application itself, or a helper app. The redirect_uri would use this scheme.

- no standard way to register schemes
- possible security issues if a newer app grabs an existing scheme

- does not work as well for desktop apps as for phone apps

Local Web Server

The native app starts a local web server on some available port and the redirect_uri will point to this server.

- native app needs to embed a web server
- local firewall may block access to the local web server

Embedded Browser

The native app embeds a browser.

- good integration with the native app, no focus issues
- embedded browser uses a different cookie jar, so there is no active session and the user is forced to log in (apparently on Mac and iPhone cookies are shared with the embedded browser)
- no browser plugins present, user may have difficulties logging in
- probably no username/password auto-completion
- if some form of strong auth is done once per browser, the user is forced to do it again
- what is embedded may not be the user's preferred browser
- does not work with CLI apps
- user still enters credentials in the native app

Monitor Cookies

The native app watches the cookie jar of the browser it launched. The result page saves the information to a cookie using JavaScript.

- each browser saves cookies differently
- access to cookie files cannot be synchronized

- requires JavaScript to be enabled in the browser to save the cookie

Monitor Window Title

The native application launches a browser and then keeps tracking the process and the corresponding OS window title. The result page should make sure the information shows up in the window title.

- only shorter text can be transferred
- no guarantee that each window manager or browser will display the title consistently

Browser Extension

The native app relies on a browser extension it can communicate with. The extension notices when the result page is rendered, extracts the information and passes it to the native app.

- only method that can close the loop even if the user wanders off or closes the browser
- extensions must be created for all browsers
- user needs to install the extension

Types of Result Pages

- Dynamic web page controlled by the native app publisher on some external web server.
- Default dynamic web page provided by the authorization server.
- Dynamic web page controlled by the native app on the local machine.
- Custom scheme URI that invokes the native app or a helper.
- Static HTML page on the local machine.

Types of Native Apps

- GUI Desktop App
- CLI Desktop App
- Smart Phone App
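The Local Web Server technique above, worked through as an added example that is not part of the original document: the app binds a loopback port chosen by the OS, derives its redirect_uri from it, and accepts exactly one redirect. The parse step also covers the Custom URI Scheme technique, since both deliver the code and client state as query parameters; the endpoint, client_id and simulated_browser helper are assumptions standing in for a real authorization server and browser.

```python
import http.server
import threading
import urllib.parse
import urllib.request

def build_authorization_url(auth_endpoint, client_id, scope, redirect_uri, state):
    """Web Server flow request; state is client state sent so the app can tell its own redirect apart."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return auth_endpoint + "?" + urllib.parse.urlencode(params)

def parse_redirect(uri, expected_state):
    """Return (code, error) for a loopback path or a custom-scheme URI like myapp://cb?code=..&state=.."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(uri).query)
    if query.get("state", [None])[0] != expected_state:
        return None, "state_mismatch"          # not the request this app is waiting for
    if "error" in query:                       # user denied, or the server reported a failure
        return None, query["error"][0]
    code = query.get("code", [None])[0]
    return (code, None) if code else (None, "missing_code")

class RedirectHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        # Serve the result page for one redirect and record what it carried.
        self.server.result = parse_redirect(self.path, self.server.expected_state)
        body = b"You may close this window." if self.server.result[0] else b"Authorization did not complete."
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):              # keep the console quiet
        pass

def receive_code_via_local_server(state, open_browser, timeout=120):
    """Bind 127.0.0.1 on a free port, hand the matching redirect_uri to the browser, wait for one hit."""
    server = http.server.HTTPServer(("127.0.0.1", 0), RedirectHandler)
    server.expected_state, server.result = state, None
    worker = threading.Thread(target=server.handle_request, daemon=True)
    worker.start()
    open_browser(f"http://127.0.0.1:{server.server_port}/callback")
    worker.join(timeout)
    server.server_close()
    return server.result

def simulated_browser(params):
    """Constructed stand-in for the user's browser; a real app would webbrowser.open() the auth URL."""
    def visit(redirect_uri):
        urllib.request.urlopen(redirect_uri + "?" + urllib.parse.urlencode(params), timeout=5).read()
    return visit
```

A redirect whose state does not match the pending request is dropped before the code is used, which is the "client state can help" point made for the clipboard technique applied here.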

Technique vs Flow

Technique              Web Server   User-Agent
Manual copy-paste      Yes          No (1)
Automatic copy-paste   Yes          Yes (2)
Custom Scheme          Yes          Yes
Local Server           Yes          Yes
Embedded Browser       Yes          Yes
Monitor Cookie         Yes          Yes (2)
Monitor Title          Yes          No (3)
Extension              Yes          Yes

Notes:
1. Access token, expiry time and potentially refresh token would all have to be copied. May not be practical.
2. Important tokens could be leaked.
3. Information probably too long to fit into the window title.

Technique vs Native App Type

Technique              GUI Desktop   CLI Desktop   Smart Phone
Manual copy-paste      Yes           Yes           No (1)
Automatic copy-paste   Yes           Yes           ?
Custom Scheme          Yes           Yes           Yes (2)
Local Server           Yes           Yes           No
Embedded Browser       Yes           No            Yes
Monitor Cookie         Yes           Yes           ?
Monitor Title          Yes           Yes           No
Extension              Yes           Yes           No

Notes:

1. Could work for a simple verification code. Approval can even be done on a different computer.
2. This seems to work particularly well for phone apps.