Episode 024: 18‐06‐2024 Enhancing User Experience in First Party Native Applications
- Host: Mike Schwartz, Founder/CEO Gluu
- Guest: Godwin Amila, Associate Director / Solutions Architect, WSO2
- Co-Host: Rifaat Shekh-Yusef, Director of Engineering - Identity & Cybersecurity Consulting, EY
In native mobile applications, authentication often involves redirecting the user to an external (system) browser to complete the login. This breaks the seamless experience mobile app users expect. A standardized approach to authentication in first-party mobile applications is needed so that both security and user experience are optimized.
- Enhancing User Experience in First Party Native Applications
- Janssen Project "Mobile DPoP / FIDO" wiki page and Jans Chip Android Project
- Draft OAuth 2.0 for First-Party Native Applications
- Episode 15: New in OAuth: First Party Native Authn and Global Token Revocation
- The Use of Attestation in OAuth 2.0 Dynamic Client Registration
- The First Party Native Authn draft answers mobile app developers' long-standing request for a "backchannel" authentication flow that doesn't risk bouncing the end user into a browser.
- Reasons to use First Party Native Authn: (1) a peer-reviewed protocol developed by security experts; (2) the ability to centralize some business logic on the server side without impacting the app interface; (3) availability of standard libraries in various programming languages; (4) developer productivity.
- The OAuth Authorization Server ("AS") may want to prevent open dynamic client registration for clients that get access to the first-party native authn flow, or to reject DCR requests that do not carry a valid software statement JWT. Because the draft introduces no new grant type (the ordinary `authorization_code` grant is used at the token endpoint), the place to restrict access is the `authz_challenge` endpoint itself: it may need to be OAuth protected, requiring an access token with a particular scope.
- If you like this spec, make your support known by posting on the OAuth mailing list when the call for adoption happens, which might be soon after the July 2024 IETF meeting in Vancouver. Implementers are also encouraged to share their experience with the spec.
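To make the two notes above concrete (a browser-free backchannel login, and an authorization challenge endpoint that is itself OAuth protected), here is an added example of both sides of the exchange written for this page; it is not code from the draft, the Janssen project, or WSO2. The field names `auth_session`, `authorization_code`, `insufficient_authorization` and `invalid_session` are the draft's; the Bearer-token gate uses the RFC 6750 errors `invalid_token` and `insufficient_scope`. Everything else is an assumption for illustration: the in-memory stores, the pre-issued client tokens, the test user and password, the scope name `first_party_authn` that gates the endpoint, and the choice to re-prompt on a wrong password instead of failing the session.

```python
import hmac
import secrets
import time

# Constructed, in-memory authorization server state for this example. The
# scope "first_party_authn" that gates the challenge endpoint is an assumed
# name; the draft leaves that policy to the AS.
CHALLENGE_SCOPE = "first_party_authn"
CLIENT_TOKENS = {  # access token presented by the app -> the client it belongs to
    "tok-mobile": {"client_id": "mobile-app", "scope": "first_party_authn openid"},
    "tok-partner": {"client_id": "partner-app", "scope": "openid"},
}
USERS = {"alice": "correct horse battery staple"}  # constructed test credential
AUTH_SESSIONS = {}  # auth_session -> {"client_id", "username", "scope", "expires"}
AUTH_CODES = {}     # authorization_code -> same fields; single use
SESSION_TTL = 300
CODE_TTL = 60


def _client_for(headers):
    """Resolve the client from the Bearer token that protects the endpoint."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return CLIENT_TOKENS.get(auth[len("Bearer "):])


def authorization_challenge(headers, form, now=None):
    """AS handler for POST to the authorization challenge endpoint.

    Returns (http_status, json_body). The endpoint is itself OAuth-protected:
    without a suitably scoped access token no challenge is run at all, so a
    client that only went through open DCR cannot reach the flow.
    """
    now = time.time() if now is None else now
    client = _client_for(headers)
    if client is None:
        return 401, {"error": "invalid_token"}          # RFC 6750 errors for the gate
    if CHALLENGE_SCOPE not in client["scope"].split():
        return 403, {"error": "insufficient_scope"}
    if form.get("client_id") != client["client_id"]:
        return 400, {"error": "invalid_request"}

    session_id = form.get("auth_session")
    if session_id is None:                              # first request of a login
        session_id = secrets.token_urlsafe(24)
        AUTH_SESSIONS[session_id] = {"client_id": client["client_id"], "username": None,
                                     "scope": form.get("scope", ""), "expires": now + SESSION_TTL}
    session = AUTH_SESSIONS.get(session_id)
    if session is None or session["client_id"] != client["client_id"] or session["expires"] < now:
        AUTH_SESSIONS.pop(session_id, None)
        return 400, {"error": "invalid_session"}

    if session["username"] is None:                     # step 1: collect the identifier
        if "username" not in form:
            return 401, {"error": "insufficient_authorization", "auth_session": session_id,
                         "error_description": "username required"}
        session["username"] = form["username"]          # verified together with the password
        return 401, {"error": "insufficient_authorization", "auth_session": session_id,
                     "error_description": "password required"}

    expected = USERS.get(session["username"], "")       # step 2: verify the password
    presented = form.get("password", "")
    ok = bool(expected) and hmac.compare_digest(presented.encode(), expected.encode())
    if not ok:
        # Assumed policy: keep the session and re-prompt, so an unknown username
        # and a wrong password look the same to the app.
        return 401, {"error": "insufficient_authorization", "auth_session": session_id,
                     "error_description": "password required"}

    AUTH_SESSIONS.pop(session_id)                       # done: the session becomes a code
    code = secrets.token_urlsafe(24)
    AUTH_CODES[code] = {"client_id": client["client_id"], "username": session["username"],
                        "scope": session["scope"], "expires": now + CODE_TTL}
    return 200, {"authorization_code": code}


def token(form, now=None):
    """AS token endpoint: the ordinary authorization_code grant, no new grant type."""
    now = time.time() if now is None else now
    if form.get("grant_type") != "authorization_code":
        return 400, {"error": "unsupported_grant_type"}
    grant = AUTH_CODES.pop(form.get("code"), None)      # single use
    if grant is None or grant["client_id"] != form.get("client_id") or grant["expires"] < now:
        return 400, {"error": "invalid_grant"}
    return 200, {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
                 "expires_in": 3600, "scope": grant["scope"]}


def run_native_login(bearer, client_id, username, password):
    """The app's side of the exchange: three POSTs driven from native UI, no browser."""
    headers = {"Authorization": "Bearer " + bearer}
    status, body = authorization_challenge(
        headers, {"client_id": client_id, "scope": "openid", "username": username})
    if status != 401 or body.get("error") != "insufficient_authorization":
        return status, body                             # the gate refused us
    status, body = authorization_challenge(
        headers, {"client_id": client_id, "auth_session": body["auth_session"], "password": password})
    if status != 200:
        return status, body
    return token({"grant_type": "authorization_code", "code": body["authorization_code"],
                  "client_id": client_id})
```

Calling `run_native_login("tok-mobile", "mobile-app", "alice", "correct horse battery staple")` walks the whole flow and returns the token response; the same call with `"tok-partner"` stops at the gate with `insufficient_scope` before any credential is processed, which is the point of protecting the endpoint rather than the grant type.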