OAuth 2.0 for Native Apps
draft-ietf-oauth-native-apps-12
Revision differences
Document history
Date | Rev. | By | Action |
---|---|---|---|
2017-10-02
|
12 | (System) | RFC Editor state changed to AUTH48-DONE from AUTH48 |
2017-09-05
|
12 | (System) | RFC Editor state changed to AUTH48 from RFC-EDITOR |
2017-08-24
|
12 | (System) | RFC Editor state changed to RFC-EDITOR from EDIT |
2017-08-04
|
12 | (System) | RFC Editor state changed to EDIT |
2017-08-04
|
12 | (System) | IESG state changed to RFC Ed Queue from Approved-announcement sent |
2017-08-04
|
12 | (System) | Announcement was received by RFC Editor |
2017-08-04
|
12 | (System) | IANA Action state changed to No IC from In Progress |
2017-08-04
|
12 | (System) | IANA Action state changed to In Progress |
2017-08-04
|
12 | Amy Vezza | IESG state changed to Approved-announcement sent from Approved-announcement to be sent::Point Raised - writeup needed |
2017-08-04
|
12 | Amy Vezza | IESG has approved the document |
2017-08-04
|
12 | Amy Vezza | Closed "Approve" ballot |
2017-08-04
|
12 | Amy Vezza | Ballot approval text was generated |
2017-06-09
|
12 | (System) | IANA Review state changed to Version Changed - Review Needed from IANA OK - No Actions Needed |
2017-06-09
|
12 | William Denniss | New version available: draft-ietf-oauth-native-apps-12.txt |
2017-06-09
|
12 | (System) | New version approved |
2017-06-09
|
12 | (System) | Request for posting confirmation emailed to previous authors: William Denniss , John Bradley |
2017-06-09
|
12 | William Denniss | Uploaded new revision |
2017-05-26
|
11 | Tero Kivinen | Request for Last Call review by SECDIR Completed: Has Nits. Reviewer: Donald Eastlake. |
2017-05-25
|
11 | Cindy Morgan | IESG state changed to Approved-announcement to be sent::Point Raised - writeup needed from IESG Evaluation |
2017-05-25
|
11 | Alvaro Retana | [Ballot Position Update] New position, No Objection, has been recorded for Alvaro Retana |
2017-05-24
|
11 | Terry Manderson | [Ballot Position Update] New position, No Objection, has been recorded for Terry Manderson |
2017-05-24
|
11 | Warren Kumari | [Ballot comment] Thanks to Zitao Wang (Michael) for the OpsDir review, and William for addressing the comments... |
2017-05-24
|
11 | Warren Kumari | [Ballot Position Update] New position, No Objection, has been recorded for Warren Kumari |
2017-05-24
|
11 | Spencer Dawkins | [Ballot Position Update] New position, No Objection, has been recorded for Spencer Dawkins |
2017-05-24
|
11 | Alia Atlas | [Ballot Position Update] New position, No Objection, has been recorded for Alia Atlas |
2017-05-24
|
11 | Alissa Cooper | [Ballot Position Update] New position, No Objection, has been recorded for Alissa Cooper |
2017-05-24
|
11 | Alexey Melnikov | [Ballot comment] A couple of nits: 8.2. OAuth Implicit Grant Authorization Flow The OAuth 2.0 implicit grant authorization flow as defined in Section … [Ballot comment] A couple of nits: 8.2. OAuth Implicit Grant Authorization Flow The OAuth 2.0 implicit grant authorization flow as defined in Section 4.2 of OAuth 2.0 [RFC6749] generally works with the practice of performing the authorization request in the browser, and receiving the authorization response via URI-based inter-app communication. However, as the Implicit Flow cannot be protected by PKCE (which is a required in Section 8.1), the use of the Implicit Flow with native apps is NOT RECOMMENDED. NOT RECOMMENDED is not actually a construct allowed by RFC 2119, I think you should reword it using "SHOULD NOT". It would be good to add RFC reference for HTTPS URIs. |
2017-05-24
|
11 | Alexey Melnikov | [Ballot Position Update] New position, No Objection, has been recorded for Alexey Melnikov |
2017-05-24
|
11 | Benoît Claise | [Ballot Position Update] New position, No Objection, has been recorded for Benoit Claise |
2017-05-23
|
11 | Suresh Krishnan | [Ballot Position Update] New position, No Objection, has been recorded for Suresh Krishnan |
2017-05-23
|
11 | Eric Rescorla | [Ballot comment] Document: draft-ietf-oauth-native-apps-11.txt S 7. To fully support this best practice, authorization servers MUST support the following three redirect URI options. Native … [Ballot comment] Document: draft-ietf-oauth-native-apps-11.txt S 7. To fully support this best practice, authorization servers MUST support the following three redirect URI options. Native apps MAY use whichever redirect option suits their needs best, taking into account platform specific implementation details. It's not entirely clear from this text what "support" means. Would just echoing whatever redirect URI the client provided count as support? S 7.2. App-claimed HTTPS redirect URIs have some advantages in that the identity of the destination app is guaranteed by the operating system. For this reason, they SHOULD be used in preference to the other redirect options for native apps where possible. You should probably be clearer on who this guarantee is provided to. And I assume this SHOULD is directed to app authors? Claimed HTTPS redirect URIs function as normal HTTPS redirects from the perspective of the authorization server, though as stated in Section 8.4, it is REQUIRED that the authorization server is able to distinguish between public native app clients that use app-claimed HTTPS redirect URIs and confidential web clients. S 8.4 doesn't seem clear on how one makes this distinction. Is it just a matter of remembering what the app author told you? S 8.1. As most forms of inter-app URI-based communication send data over insecure local channels, eavesdropping and interception of the authorization response is a risk for native apps. App-claimed HTTPS redirects are hardened against this type of attack due to the presence of the URI authority, but they are still public clients and the URI is still transmitted over local channels with unknown security properties. I'm probably missing something, but I'm not sure what this last sentence means. Is the channel here the one that kicks off the native app with the HTTPS URI as the target? |
2017-05-23
|
11 | Eric Rescorla | [Ballot Position Update] New position, No Objection, has been recorded for Eric Rescorla |
2017-05-23
|
11 | Elwyn Davies | Request for Telechat review by GENART Completed: Almost Ready. Reviewer: Elwyn Davies. Sent review to list. |
2017-05-23
|
11 | Ben Campbell | [Ballot comment] I agree with Adam's general sentiment about detection of bad behavior vs asking people not to be bad. -8 and it's children: There … [Ballot comment] I agree with Adam's general sentiment about detection of bad behavior vs asking people not to be bad. -8 and it's children: There seems to be a lot of duplication (including duplication of normative language) between the security considerations and the rest of the document. - 8.7: This section seems to argue against using in-app browser tabs in the first place. If there is no good way for the user to tell the difference between that and an imbedded UA, then maybe we should train users to be suspicious of any in-app presentation of the authorization request? The last paragraph seems to be founded on a mismatch between user needs and typical user sophistication. |
2017-05-23
|
11 | Ben Campbell | [Ballot Position Update] New position, No Objection, has been recorded for Ben Campbell |
2017-05-23
|
11 | Deborah Brungard | [Ballot Position Update] New position, No Objection, has been recorded for Deborah Brungard |
2017-05-22
|
11 | Adam Roach | [Ballot comment] General ======= The thesis of this document seems to be that bad actors can access authentication information that gives them broader or more … [Ballot comment] General ======= The thesis of this document seems to be that bad actors can access authentication information that gives them broader or more durable authorization than is intended; and appears to want to mitigate this predominantly with a single normative statement in a BCP telling potential bad actors to stop doing the one thing that enables their shenanigans. For those familiar with the animated series "The Tick," it recalls the titular character yelling "Hey! You in the pumps! I say to you: stop being bad!" -- which, of course, is insufficient to achieve the desired effect. I see that there is nevertheless "strong consensus" to publish the document; in which case, I would encourage somewhat more detail around what the rest of the ecosystem -- and the authentication server in particular -- can do to mitigate the ability of such bad actors. Specifically, section 8.1 has a rather hand-wavy suggestion that authorization endpoints "MAY take steps to detect and block authorization requests in embedded user agents," without offering up how this might be done. The problem is that that the naïve ways of doing this (UA strings?) are going to be easy to circumvent, and the more advanced ones (say, instructing users to log in using a non-OAuth flow if the auth endpoint detects absolutely no cookies associated with its origin) will have interactions that probably warrant discussion in this document. (For example, such an approach -- while potentially effective -- would interact very poorly with the "SSO mode" described in section B.3; although I think that recommending the use of "SSO mode" should be removed for other reasons, described below). ________ Specific comments follow The terminology section makes distinctions about cookie handling and content access in generic definitions (embedded versus external UAs, for example) but doesn't do the same for specific technologies. It is probably worthwhile noting that the "in-app browser tab" prevents apps from accessing cookies and content, while the "web-view" does not (I had to infer these facts from statements much later in the document). Section 7.3 gives examples of IPv4 and IPv6 addresses for loopback. While I'm sympathetic to the deployment challenges inherent in getting entire network paths to upgrade to IPv6, this text discusses loopback exclusively, which means that only the local operating system needs to support IPv6. Since all modern operating systems have supported IPv6 for well over a decade, I suggest that the use of IPv4 addresses for this purpose should be explicitly deprecated, so as to avoid unnecessary transition pain in the future. Minimally, the example needs to be replaced or supplemented with an IPv6 example, as per : "We recommend that existing standards be reviewed to ensure they... use IPv6 examples." Section 8.1 makes the statement that "Loopback IP based redirect URIs may be susceptible to interception by other apps listening on the same loopback interface." That's not how TCP listener sockets work: for any given IP address, they guarantee single-process access to a port at any one time. (Exceptions would include processes with root access, but an attacking process with that level of access is going to be impossible to defend against). While mostly harmless, the statement appears to be false on its face, and should be removed or clarified. Section 8.4 indicates that loopback redirect URIs are allowed to vary from their registered value in port number only. If you decide not to deprecate the use of IPv4 loopback, I imagine that servers should also treat [::1] identical to 127.0.01 for this purpose as well. Section 8.7 claims that users are likely to be suspicious of a sign-in request when they should have already been signed in, and goes on to claim that they will distinguish between completely-logged-out states and logged-in-but-needing-reauth states, and may even take evasive action based on associated suspicion. Based on what I know of user research for security indicators, the chances of these statements being true for any non-trivial portion of any user population is basically zero. I propose that this section simply highlight that this is effectively an intractable problem from the client end, without any illusions that users have the ability to distinguish between the two circumstances, and that authentication servers must be extra vigilant in detecting and avoiding these kinds of attacks. Section 8.11, third paragraph talks about keystroke logging; in practice, the attack here is far easier than that, as I believe that applications that embed a web view can simply extract authentication-related material directly from the DOM. Section B.2 uses the phrase "Android Implicit Intends" where I believe it means "Android Implicit Intents." Section B.3 describes the use of a "Web Authentication Broker" in SSO mode, which provides an isolated authentication context. If the section 8.7 text regarding user detection of nefarious application behavior in the form of web-view embedding is not removed, this needs a very clear treatment of how users might be expected to distinguish between that behavior and the SSO mode behavior. On casual examination, it seems that there would be no way to do so. I'll note that this BCP also promotes the "already logged in" behavior as being a key benefit to OAuth (cf. the third paragraph of Section 4), which the described behavior seems to mostly defeat. I would strongly suggest either removing discussion of using this mode, or deprecating it in favor of the user's preferred web browser, so as to obtain the advantages described in section 4. |
2017-05-22
|
11 | Adam Roach | [Ballot Position Update] New position, No Objection, has been recorded for Adam Roach |
2017-05-22
|
12 | (System) | Request for posting confirmation emailed to previous authors: William Denniss , John Bradley |
2017-05-22
|
12 | William Denniss | Uploaded new revision |
2017-05-22
|
11 | Mirja Kühlewind | [Ballot comment] Quick question just to double-check: should this document update RFC6749? |
2017-05-22
|
11 | Mirja Kühlewind | [Ballot Position Update] New position, No Objection, has been recorded for Mirja Kühlewind |
2017-05-22
|
11 | Kathleen Moriarty | IESG state changed to IESG Evaluation from Waiting for Writeup |
2017-05-22
|
11 | Gunter Van de Velde | Request for Last Call review by OPSDIR Completed: Has Nits. Reviewer: Zitao Wang. |
2017-05-19
|
11 | Jean Mahoney | Request for Telechat review by GENART is assigned to Elwyn Davies |
2017-05-19
|
11 | Jean Mahoney | Request for Telechat review by GENART is assigned to Elwyn Davies |
2017-05-19
|
11 | (System) | IANA Review state changed to IANA OK - No Actions Needed from Version Changed - Review Needed |
2017-05-19
|
11 | (System) | IANA Review state changed to Version Changed - Review Needed from IANA OK - No Actions Needed |
2017-05-19
|
11 | William Denniss | New version available: draft-ietf-oauth-native-apps-11.txt |
2017-05-19
|
11 | (System) | New version approved |
2017-05-19
|
11 | (System) | Request for posting confirmation emailed to previous authors: William Denniss , John Bradley |
2017-05-19
|
11 | William Denniss | Uploaded new revision |
2017-05-19
|
10 | Kathleen Moriarty | Ballot has been issued |
2017-05-19
|
10 | Kathleen Moriarty | [Ballot Position Update] New position, Yes, has been recorded for Kathleen Moriarty |
2017-05-19
|
10 | Kathleen Moriarty | Created "Approve" ballot |
2017-05-18
|
10 | Kathleen Moriarty | Ballot writeup was changed |
2017-05-16
|
10 | (System) | IESG state changed to Waiting for Writeup from In Last Call |
2017-05-15
|
10 | Elwyn Davies | Request for Last Call review by GENART Completed: Almost Ready. Reviewer: Elwyn Davies. Sent review to list. |
2017-05-11
|
10 | (System) | IANA Review state changed to IANA OK - No Actions Needed from IANA - Review Needed |
2017-05-11
|
10 | Sabrina Tanamal | (Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs: The IANA Services Operator has reviewed draft-ietf-oauth-native-apps-10.txt, which is currently in Last Call, and has the following comments: We … (Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs: The IANA Services Operator has reviewed draft-ietf-oauth-native-apps-10.txt, which is currently in Last Call, and has the following comments: We understand that this document doesn't require any registry actions. While it's often helpful for a document's IANA Considerations section to remain in place upon publication even if there are no actions, if the authors strongly prefer to remove it, we do not object. If this assessment is not accurate, please respond as soon as possible. Thank you, Sabrina Tanamal IANA Services Specialist PTI |
2017-05-10
|
10 | Jean Mahoney | Request for Last Call review by GENART is assigned to Elwyn Davies |
2017-05-10
|
10 | Jean Mahoney | Request for Last Call review by GENART is assigned to Elwyn Davies |
2017-05-10
|
10 | Robert Sparks | Assignment of request for Last Call review by GENART to Robert Sparks was rejected |
2017-05-09
|
10 | Gunter Van de Velde | Request for Last Call review by OPSDIR is assigned to Zitao Wang |
2017-05-09
|
10 | Gunter Van de Velde | Request for Last Call review by OPSDIR is assigned to Zitao Wang |
2017-05-05
|
10 | Kathleen Moriarty | Placed on agenda for telechat - 2017-05-25 |
2017-05-04
|
10 | Jean Mahoney | Request for Last Call review by GENART is assigned to Robert Sparks |
2017-05-04
|
10 | Jean Mahoney | Request for Last Call review by GENART is assigned to Robert Sparks |
2017-05-04
|
10 | Tero Kivinen | Request for Last Call review by SECDIR is assigned to Donald Eastlake |
2017-05-04
|
10 | Tero Kivinen | Request for Last Call review by SECDIR is assigned to Donald Eastlake |
2017-05-02
|
10 | Cindy Morgan | IANA Review state changed to IANA - Review Needed |
2017-05-02
|
10 | Cindy Morgan | The following Last Call announcement was sent out: From: The IESG To: IETF-Announce CC: draft-ietf-oauth-native-apps@ietf.org, oauth-chairs@ietf.org, Kathleen.Moriarty.ietf@gmail.com, Hannes Tschofenig , Hannes.Tschofenig@gmx.net, … The following Last Call announcement was sent out: From: The IESG To: IETF-Announce CC: draft-ietf-oauth-native-apps@ietf.org, oauth-chairs@ietf.org, Kathleen.Moriarty.ietf@gmail.com, Hannes Tschofenig , Hannes.Tschofenig@gmx.net, oauth@ietf.org Reply-To: ietf@ietf.org Sender: Subject: Last Call: (OAuth 2.0 for Native Apps) to Best Current Practice The IESG has received a request from the Web Authorization Protocol WG (oauth) to consider the following document: - 'OAuth 2.0 for Native Apps' as Best Current Practice The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the ietf@ietf.org mailing lists by 2017-05-16. Exceptionally, comments may be sent to iesg@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting. Abstract OAuth 2.0 authorization requests from native apps should only be made through external user-agents, primarily the user's browser. This specification details the security and usability reasons why this is the case, and how native apps and authorization servers can implement this best practice. The file can be obtained via https://datatracker.ietf.org/doc/draft-ietf-oauth-native-apps/ IESG discussion can be tracked via https://datatracker.ietf.org/doc/draft-ietf-oauth-native-apps/ballot/ No IPR declarations have been submitted directly on this I-D. The document contains these normative downward references. See RFC 3967 for additional information: rfc6749: The OAuth 2.0 Authorization Framework (Proposed Standard - IETF stream) |
2017-05-02
|
10 | Cindy Morgan | IESG state changed to In Last Call from Last Call Requested |
2017-05-02
|
10 | Kathleen Moriarty | Last call was requested |
2017-05-02
|
10 | Kathleen Moriarty | Ballot approval text was generated |
2017-05-02
|
10 | Kathleen Moriarty | Ballot writeup was generated |
2017-05-02
|
10 | Kathleen Moriarty | IESG state changed to Last Call Requested from AD Evaluation |
2017-05-02
|
10 | Kathleen Moriarty | Last call announcement was generated |
2017-04-26
|
10 | William Denniss | New version available: draft-ietf-oauth-native-apps-10.txt |
2017-04-26
|
10 | (System) | New version approved |
2017-04-26
|
10 | (System) | Request for posting confirmation emailed to previous authors: William Denniss , John Bradley |
2017-04-26
|
10 | William Denniss | Uploaded new revision |
2017-04-24
|
09 | Kathleen Moriarty | IESG state changed to AD Evaluation from Publication Requested |
2017-04-24
|
09 | Kathleen Moriarty | Shepherding AD changed to Kathleen Moriarty |
2017-03-29
|
09 | Amy Vezza | Shepherding AD changed to Eric Rescorla |
2017-03-07
|
09 | Hannes Tschofenig | Shepherd Write-Up for "OAuth 2.0 for Native Apps" (1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard, Informational, Experimental, or Historic)? … Shepherd Write-Up for "OAuth 2.0 for Native Apps" (1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard, Informational, Experimental, or Historic)? Why is this the proper type of RFC? Is this type of RFC indicated in the title page header? This specification is proposed as a 'Best Current Practice' document. The type of RFC is indicated. The document summarizes the experience from industry on how to use OAuth for native applications securely. (2) The IESG approval announcement includes a Document Announcement Write-Up. Please provide such a Document Announcement Write-Up. Recent examples can be found in the "Action" announcements for approved documents. The approval announcement contains the following sections: Technical Summary OAuth 2.0 authorization requests from native apps should only be made through external user-agents, primarily the user's browser. This specification details the security and usability reasons why this is the case, and how native apps and authorization servers can implement this best practice. Working Group Summary The OAuth 2.0 authorization framework, documents two approaches for native apps to interact with the authorization endpoint: via an embedded user-agent, or an external user-agent. This document recommends external user-agents like in-app browser tabs as the only secure and usable choice for OAuth. Document Quality Are there existing implementations of the protocol? Have a significant number of vendors indicated their plan to implement the specification? Are there any reviewers that merit special mention as having done a thorough review, e.g., one that resulted in important changes or a conclusion that the document had no substantive issues? If there was a MIB Doctor, Media Type or other expert review, what was its course (briefly)? In the case of a Media Type review, on what date was the request posted? There are high-quality libraries available following the recommendations in this document: - Android: http://openid.github.io/AppAuth-Android - iOS: http://openid.github.io/AppAuth-iOS - Windows: https://github.com/googlesamples/oauth-apps-for-windows Google has deprecated support for WebView-based OAuth and now requires the use of the practices defined in the BCP. The pattern is documented at https://developers.google.com/identity/protocols/OAuth2InstalledApp for the Google OAuth server, and is also recommended by Android for Work, see https://developer.android.com/work/guide.html#sso. Ping Identity describes the pattern and has OAuth for Native Apps compliant samples, see https://www.pingidentity.com/en/blog/2016/03/10/using_appauth_to_enable_your_apps_with_mobile_sso.html https://github.com/pingidentity/ios-appauth-sample-application https://github.com/pingidentity/android-appauth-sample-application Okta has published OAuth for Native Apps compliant samples: https://github.com/oktadeveloper/okta-openidconnect-appauth-sample-android https://github.com/oktadeveloper/okta-openidconnect-appauth-sample-swift The AppAuth library implements the BCP 100%, including honoring the "NOT RECOMMENDED" advice. In terms of review the document has received feedback from major OS providers and the available code demonstrates the practical nature of the recommended approach. Personnel Who is the Document Shepherd? Who is the Responsible Area Director? Hannes Tschofenig is the document shepherd and the responsible area director is Kathleen Moriarty. (3) Briefly describe the review of this document that was performed by the Document Shepherd. If this version of the document is not ready for publication, please explain why the document is being forwarded to the IESG. The document shepherd was involved in the working group review process and verified the document for correctness. The shepherd has not contributed or worked with the above-mentioned libraries. Hence, he has not verified the text in Appendix B "Operating System Specific Implementation Details". (4) Does the document Shepherd have any concerns about the depth or breadth of the reviews that have been performed? There are no concerns regarding the document reviews. (5) Do portions of the document need review from a particular or from broader perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML, or internationalization? If so, describe the review that took place. It would be great if reviewers with experience in native application development (particularly on mobile OSs) could take a look at this document. (6) Describe any specific concerns or issues that the Document Shepherd has with this document that the Responsible Area Director and/or the IESG should be aware of? For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it. In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here. The document shepherd has no concerns with the document. (7) Has each author confirmed that any and all appropriate IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed. If not, explain why. The authors have confirmed full conformance with the provisions of BCP 78 and BCP 79: William: https://www.ietf.org/mail-archive/web/oauth/current/msg16709.html John: https://www.ietf.org/mail-archive/web/oauth/current/msg16677.html (8) Has an IPR disclosure been filed that references this document? If so, summarize any WG discussion and conclusion regarding the IPR disclosures. No IPR disclosures have been filed for this document. (9) How solid is the WG consensus behind this document? Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it? There is solid consensus in the working group for publishing this document. (10) Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarise the areas of conflict in separate email messages to the Responsible Area Director. (It should be in a separate email because this questionnaire is publicly available.) Nobody threatened an appeal or expressed extreme discontent. (11) Identify any ID nits the Document Shepherd has found in this document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist). Boilerplate checks are not enough; this check needs to be thorough. The shepherd checked the document. (12) Describe how the document meets any required formal review criteria, such as the MIB Doctor, media type, and URI type reviews. No formal review is needed. (13) Have all references within this document been identified as either normative or informative? Yes. The references are split into normative and informative references. (14) Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state? If such normative references exist, what is the plan for their completion? All normative references are published RFCs. (15) Are there downward normative references references (see RFC 3967)? If so, list these downward references to support the Area Director in the Last Call procedure. There are no downward normative references. (16) Will publication of this document change the status of any existing RFCs? Are those RFCs listed on the title page header, listed in the abstract, and discussed in the introduction? If the RFCs are not listed in the Abstract and Introduction, explain why, and point to the part of the document where the relationship of this document to the other RFCs is discussed. If this information is not in the document, explain why the WG considers it unnecessary. This document does not change the status of an existing RFC. (17) Describe the Document Shepherd's review of the IANA considerations section, especially with regard to its consistency with the body of the document. Confirm that all protocol extensions that the document makes are associated with the appropriate reservations in IANA registries. Confirm that any referenced IANA registries have been clearly identified. Confirm that newly created IANA registries include a detailed specification of the initial contents for the registry, that allocations procedures for future registrations are defined, and a reasonable name for the new registry has been suggested (see RFC 5226). This document does not request any actions by IANA. (18) List any new IANA registries that require Expert Review for future allocations. Provide any public guidance that the IESG would find useful in selecting the IANA Experts for these new registries. None. (19) Describe reviews and automated checks performed by the Document Shepherd to validate sections of the document written in a formal language, such as XML code, BNF rules, MIB definitions, etc. There is no text in formal languages in the document. |
2017-03-07
|
09 | Hannes Tschofenig | Responsible AD changed to Kathleen Moriarty |
2017-03-07
|
09 | Hannes Tschofenig | IETF WG state changed to Submitted to IESG for Publication from WG Document |
2017-03-07
|
09 | Hannes Tschofenig | IESG state changed to Publication Requested |
2017-03-07
|
09 | Hannes Tschofenig | IESG process started in state Publication Requested |
2017-03-07
|
09 | Hannes Tschofenig | Changed document writeup |
2017-03-07
|
09 | Hannes Tschofenig | Notification list changed to Hannes Tschofenig <Hannes.Tschofenig@gmx.net> |
2017-03-07
|
09 | Hannes Tschofenig | Document shepherd changed to Hannes Tschofenig |
2017-03-06
|
09 | William Denniss | New version available: draft-ietf-oauth-native-apps-09.txt |
2017-03-06
|
09 | (System) | New version approved |
2017-03-06
|
09 | (System) | Request for posting confirmation emailed to previous authors: William Denniss , John Bradley |
2017-03-06
|
09 | William Denniss | Uploaded new revision |
2017-03-02
|
08 | William Denniss | New version available: draft-ietf-oauth-native-apps-08.txt |
2017-03-02
|
08 | (System) | New version approved |
2017-03-02
|
08 | (System) | Request for posting confirmation emailed to previous authors: William Denniss , John Bradley |
2017-03-02
|
08 | William Denniss | Uploaded new revision |
2017-01-17
|
07 | William Denniss | New version available: draft-ietf-oauth-native-apps-07.txt |
2017-01-17
|
07 | (System) | New version approved |
2017-01-17
|
07 | (System) | Request for posting confirmation emailed to previous authors: "William Denniss" , "John Bradley" |
2017-01-17
|
07 | William Denniss | Uploaded new revision |
2016-11-22
|
06 | Hannes Tschofenig | Added to session: IETF-97: oauth Mon-0930 |
2016-11-13
|
06 | William Denniss | New version available: draft-ietf-oauth-native-apps-06.txt |
2016-11-13
|
06 | (System) | New version approved |
2016-11-13
|
06 | (System) | Request for posting confirmation emailed to previous authors: "William Denniss" , "John Bradley" |
2016-11-13
|
06 | William Denniss | Uploaded new revision |
2016-10-21
|
05 | William Denniss | New version available: draft-ietf-oauth-native-apps-05.txt |
2016-10-21
|
05 | (System) | New version approved |
2016-10-21
|
04 | (System) | Request for posting confirmation emailed to previous authors: "William Denniss" , "John Bradley" |
2016-10-21
|
04 | William Denniss | Uploaded new revision |
2016-10-12
|
04 | William Denniss | New version available: draft-ietf-oauth-native-apps-04.txt |
2016-10-12
|
04 | (System) | New version approved |
2016-10-12
|
03 | (System) | Request for posting confirmation emailed to previous authors: "William Denniss" , "John Bradley" |
2016-10-12
|
03 | William Denniss | Uploaded new revision |
2016-07-20
|
03 | William Denniss | New version available: draft-ietf-oauth-native-apps-03.txt |
2016-07-02
|
02 | William Denniss | New version available: draft-ietf-oauth-native-apps-02.txt |
2016-03-20
|
01 | William Denniss | New version available: draft-ietf-oauth-native-apps-01.txt |
2016-02-04
|
00 | Hannes Tschofenig | Changed consensus to Yes from Unknown |
2016-02-04
|
00 | Hannes Tschofenig | Intended Status changed to Best Current Practice from None |
2016-02-04
|
00 | Hannes Tschofenig | This document now replaces draft-wdenniss-oauth-native-apps instead of None |
2016-02-04
|
00 | John Bradley | New version available: draft-ietf-oauth-native-apps-00.txt |