OAuth 2.0 for Native Apps
RFC 8252

Document Type RFC - Best Current Practice (October 2017; No errata)
Updates RFC 6749
Also known as BCP 212
Last updated 2017-10-04
Replaces draft-wdenniss-oauth-native-apps
Stream IETF
WG state Submitted to IESG for Publication (wg milestone: Nov 2016 - Submit 'OAuth 2.0 fo... )
Document shepherd Hannes Tschofenig
Shepherd write-up last changed 2017-03-07
IESG state RFC 8252 (Best Current Practice)
Consensus Boilerplate Yes
Responsible AD Kathleen Moriarty
Send notices to Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
IANA review state Version Changed - Review Needed
IANA action state No IC
Internet Engineering Task Force (IETF)                        W. Denniss
Request for Comments: 8252                                        Google
BCP: 212                                                      J. Bradley
Updates: 6749                                              Ping Identity
Category: Best Current Practice                             October 2017
ISSN: 2070-1721

                       OAuth 2.0 for Native Apps

Abstract

   OAuth 2.0 authorization requests from native apps should only be made
   through external user-agents, primarily the user's browser.  This
   specification details the security and usability reasons why this is
   the case and how native apps and authorization servers can implement
   this best practice.

Status of This Memo

   This memo documents an Internet Best Current Practice.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Further information on
   BCPs is available in Section 2 of RFC 7841.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   https://www.rfc-editor.org/info/rfc8252.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Denniss & Bradley         Best Current Practice                 [Page 1]
RFC 8252                OAuth 2.0 for Native Apps           October 2017

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Notational Conventions  . . . . . . . . . . . . . . . . . . .   3
   3.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
   4.  Overview  . . . . . . . . . . . . . . . . . . . . . . . . . .   4
     4.1.  Authorization Flow for Native Apps Using the Browser  . .   5
   5.  Using Inter-App URI Communication for OAuth . . . . . . . . .   6
   6.  Initiating the Authorization Request from a Native App  . . .   6
   7.  Receiving the Authorization Response in a Native App  . . . .   7
     7.1.  Private-Use URI Scheme Redirection  . . . . . . . . . . .   8
     7.2.  Claimed "https" Scheme URI Redirection  . . . . . . . . .   9
     7.3.  Loopback Interface Redirection  . . . . . . . . . . . . .   9
   8.  Security Considerations . . . . . . . . . . . . . . . . . . .  10
     8.1.  Protecting the Authorization Code . . . . . . . . . . . .  10
     8.2.  OAuth Implicit Grant Authorization Flow . . . . . . . . .  11
     8.3.  Loopback Redirect Considerations  . . . . . . . . . . . .  11
     8.4.  Registration of Native App Clients  . . . . . . . . . . .  12
     8.5.  Client Authentication . . . . . . . . . . . . . . . . . .  12
     8.6.  Client Impersonation  . . . . . . . . . . . . . . . . . .  13
     8.7.  Fake External User-Agents . . . . . . . . . . . . . . . .  13
     8.8.  Malicious External User-Agents  . . . . . . . . . . . . .  14
     8.9.  Cross-App Request Forgery Protections . . . . . . . . . .  14
     8.10. Authorization Server Mix-Up Mitigation  . . . . . . . . .  14
     8.11. Non-Browser External User-Agents  . . . . . . . . . . . .  15
     8.12. Embedded User-Agents  . . . . . . . . . . . . . . . . . .  15
   9.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  16
   10. References  . . . . . . . . . . . . . . . . . . . . . . . . .  16
     10.1.  Normative References . . . . . . . . . . . . . . . . . .  16
     10.2.  Informative References . . . . . . . . . . . . . . . . .  17
   Appendix A.  Server Support Checklist . . . . . . . . . . . . . .  18
   Appendix B.  Platform-Specific Implementation Details . . . . . .  18
     B.1.  iOS Implementation Details  . . . . . . . . . . . . . . .  18
     B.2.  Android Implementation Details  . . . . . . . . . . . . .  19
     B.3.  Windows Implementation Details  . . . . . . . . . . . . .  19
     B.4.  macOS Implementation Details  . . . . . . . . . . . . . .  20
     B.5.  Linux Implementation Details  . . . . . . . . . . . . . .  21
   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .  21
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  21