OAuth for Installed Apps

From IIW

Issue/Topic: OAuth for Installed applications

Session: Wednesday 2I

Conference: IIW-11 November 2-4, Mountain View, Complete Notes Page

Convener: Dirk Balfanz

Notes-taker(s): Dirk Balfanz


Discussion notes:

Dirk talked through some lessons Google learned from trying to ship installed applications that use OAuth.

  • The installed application SHOULD launch an external browser (as opposed to using a WebView) when taking the user through the OAuth dance. It's more likely that the user is logged in already, and has other benefits. Some exceptions to the rule include iPhone O/S and other edge use cases.
  • One trick Google found to work across several platforms was for the Service Provider to redirect, after user approval, to a page that puts the OAuth verifier in the title of the HTML document, thus making it show up in the browser application's window's title bar, where it could be picked up by the installed application (thus eliminating the need for manual copy-and-paste by the user).
  • Google recommends that developers NOT embed consumer secrets in installed applications. The Service Provider can suppress the scary warning message that usually appears on the user approval page as a result of the Consumer being anonymous _if_ the Consumer chooses a token delivery method that prevents the token from leaking to other web apps. Once such delivery method is to specify the "oob" callback URL.
  • In some use cases, the user consent page can be suppressed altogether - in particular if the installed app can "help itself" to OAuth tokens in a secure way. One way that Google is doing this is by providing an endpoint that sets an OAuth token as a cookie (without requiring user approval). Installed applications can read the cookie either by intercepting the HTTP response, or by reaching into the browser's cookie jar. Web applications do not have access to this cookie/OAuth token.
  • On certain platforms (such as Android), the device stores the user's credentials, and applications can therefore skip the user authentication step (don't need to ask the user for their username/password). Instead, the app simply asks the O/S to deliver an OAuth token to it, and the O/S does so (after obtaining user consent).