Registration 2.1 - What is application_type (native, web) used for?

Issue #360 resolved
Michael Jones created an issue

What is the parameter application_type (native, web) used for? Why does this matter, and shouldn't this be specified in terms of the different protocol behaviors and not in terms of some classification system for clients? E.g., do they use implicit or not?

Comments (11)

  1. Michael Jones reporter

    We need to define for implementers what the intended behaviors and restrictions of these types are.

  2. Michael Jones reporter

    One possible use of this parameter is that the code flow should be used when the client is a native application. That statement should probably be added to the spec.

  3. gffletch

    The behavior implications of 'native' or 'web' are related to issue #539. The main reason for knowing whether an application is 'native' or 'web' revolves around whether to provide the application with "offline access". However, the distinction is also useful in addressing "malicious" activity. For example, if a token shows up at an API with an HTTP referrer header and the token is associated with a client_id of a native app, it is a little unusual and worth tracking/investigating.

    Proposed text:

    application_type OPTIONAL. The defined values are 'native' and 'web' where 'native' is used for those applications that run natively on a device as distinguished from 'web' where the application runs in a web browser (either directly within the browser or as driven by a web server).

  4. Michael Jones reporter

    Brian pointed out we need to specify the expected behaviors when these parameters are used.

    We may need to differentiate web server and JavaScript client as well.

  5. John Bradley

    https://developers.google.com/console/help/#generatingoauth2

    Google defines 3 options:

    - Web applications
    - Service accounts
    - Installed applications

    Web apps require a redirect URI to be registered and can use implicit or code. Service accounts are server to server and use something like the JWT assertion profile with an asymmetric key. Installed applications are code flow only and have options for using localhost or returning the code in the title bar.

  6. John Bradley

    Fixes #360. Made application_type REQUIRED and added an explanation about redirect_uris registration. Web apps must use an https: scheme URI and native apps must use a custom scheme or localhost. This prevents the same client ID from being used for two very different applications.

    c3df4c2f80ea
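The registration rule described in the comment above, written out as an added example that is not code from the OpenID Connect specifications or this issue tracker: a server-side check that rejects a registration request whose redirect_uris do not match its application_type (web: https: only; native: custom scheme or localhost). It assumes `request` is the parsed JSON body of the registration request; the loopback host set and the no-fragment check (RFC 6749 section 3.1.2) are assumptions added beyond the comment text.

```python
from urllib.parse import urlparse

# Assumption: hosts treated as "localhost" for native-app loopback redirects.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def registration_errors(request: dict) -> list[str]:
    """Return the list of problems found in a client registration request.

    An empty list means the request may be accepted. Each message names the
    offending redirect URI so the registering client can correct it.
    """
    errors: list[str] = []

    # application_type is REQUIRED (per the fix for #360) and limited to two values.
    app_type = request.get("application_type")
    if app_type not in ("web", "native"):
        errors.append("application_type is REQUIRED and must be 'web' or 'native'")
        return errors

    uris = request.get("redirect_uris")
    if not isinstance(uris, list) or not uris:
        errors.append("redirect_uris must be a non-empty list")
        return errors

    for uri in uris:
        parts = urlparse(uri)
        if not parts.scheme:
            errors.append(f"{uri!r}: redirect URI must be absolute (missing scheme)")
            continue
        # Assumption beyond the comment: RFC 6749 forbids fragments in redirect URIs.
        if parts.fragment:
            errors.append(f"{uri!r}: redirect URI must not contain a fragment")
        if app_type == "web" and parts.scheme != "https":
            errors.append(f"{uri!r}: web clients must register https: redirect URIs")
        if app_type == "native":
            loopback = parts.scheme == "http" and parts.hostname in LOOPBACK_HOSTS
            custom_scheme = parts.scheme not in ("http", "https")
            if not (loopback or custom_scheme):
                errors.append(
                    f"{uri!r}: native clients must use a custom scheme or localhost"
                )
    return errors


if __name__ == "__main__":
    # Constructed sample: a native client trying to reuse a web-style redirect.
    sample = {"application_type": "native", "redirect_uris": ["https://app.example.com/cb"]}
    print(registration_errors(sample))
```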
