
oidc-deploy - RE: native mobile apps and shibboleth oidc extension

Subject: OIDC Deployment Working Group


RE: native mobile apps and shibboleth oidc extension


  • From: Eric C Kool-Brown <>
  • To: "" <>
  • Subject: RE: native mobile apps and shibboleth oidc extension
  • Date: Fri, 28 Feb 2020 00:17:06 +0000

The list seems like it is still active; I got your email, Nathan.

 

I attended the design meeting Nathan mentioned below and learned about a design pattern that one could call a hybrid approach. It is hybrid in two different dimensions.

 

First, the native app itself is a rather thin wrapper around a web view control. The team developing this native app (two actually, for iOS and Android) already has a fully functional web site that uses SAML authentication. The native app will use the community developed AppAuth library to do authentication (https://appauth.io/). It will use the library to establish and maintain an authenticated user session. The OP/IdP will be the REFEDS OIDC plugin for Shibboleth and will employ auth flow and PKCE. Once the app has an ID token it will attach it to the calls to the existing web site which will have been modified to receive and validate the ID token. This is hybrid in the sense that the native app is doing very little other than maintaining authentication session state for the web application and initiating some UI customization (via a custom browser string). The native app will then render the web app’s returned HTML in the web view control.

 

The other part that is hybrid is using an ID token for access. The canonical way to do this would be to present the ID token to an Authorization Server to obtain an OAuth access token with the appropriate scopes. We don’t yet have a centralized AS at the UW and the app team would rather not develop one. Besides, the web app already has access logic built into it. All it needs is proof of the user’s ID, hence an ID token rather than an OAuth token. The web app will validate the ID token using the OP’s public key and then let the user in. The web app also has no need to call the user info endpoint since it already has access to our internal systems of record.

 

We believe this will likely be a common pattern as folks start down the OIDC road. So, two takeaway points:

 

  1. Are any other schools designing native apps using a similar approach?
  2. Do others think this is a viable design pattern to spread to the community?

 

Thanks,

 

    Eric

 

From: <> On Behalf Of Nathan Dors
Sent: Wednesday, February 26, 2020 8:26 AM
To:
Subject: native mobile apps and shibboleth oidc extension

 

Anyone on the list (*) working on native mobile apps?

 

On a different list, I've received some high-level, yet useful, updates from a campus deploying their first native mobile app for iOS, using OIDC against their Shibboleth IdP/OP.

 

Here at UWash, we have native apps in development for iOS and Android, and they're now working with the authorization code flow + PKCE, based on Shib IdP 3.4.6 and GEANT OIDC extension 1.1.0.

 

Tomorrow, we have a high-level design review, where I get to hear more about the app designs, interaction with users and the system browser, integration with our IdP/OP, and related OIDC/PKCE configuration.

 

If anyone has any questions you'd like me to explore, let me know.

 

* not really sure this list is still available for posting.

 

-Nathan




