RFC 8252 - OAuth 2.0 for Native Apps
Internet Engineering Task Force (IETF)
Request for Comments: 8252
BCP: 212
Updates: 6749
Category: Best Current Practice
ISSN: 2070-1721
Authors:
W. Denniss (Google)
J. Bradley (Ping Identity)
Published: October 2017
Abstract
OAuth 2.0 authorization requests from native apps should only be made through external user-agents, primarily the user's browser. This specification details the security and usability reasons why this is the case and how native apps and authorization servers can implement this best practice.
Status of This Memo
This memo documents an Internet Best Current Practice.
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG).
Table of Contents
- 1. Introduction
- 2. Notational Conventions
- 3. Terminology
- 4. Overview
- 4.1. Authorization Flow for Native Apps Using the Browser
- 5. Using Inter-App URI Communication for OAuth
- 6. Initiating the Authorization Request from a Native App
- 7. Receiving the Authorization Response in a Native App
- 7.1. Private-Use URI Scheme Redirection
- 7.2. Claimed "https" Scheme URI Redirection
- 7.3. Loopback Interface Redirection
- 8. Security Considerations
- 8.1. Protecting the Authorization Code
- 8.2. OAuth Implicit Grant Authorization Flow
- 8.3. Loopback Redirect Considerations
- 8.4. Registration of Native App Clients
- 8.5. Client Authentication
- 8.6. Client Impersonation
- 8.7. Fake External User-Agents
- 8.8. Malicious External User-Agents
- 8.9. Cross-App Request Forgery Protections
- 8.10. Authorization Server Mix-Up Mitigation
- 8.11. Non-Browser External User-Agents
- 8.12. Embedded User-Agents
- 9. IANA Considerations
- 10. References
- 10.1. Normative References
- 10.2. Informative References
Appendices
- Appendix A. Server Support Checklist
- Appendix B. Platform-Specific Implementation Details
- B.1. iOS Implementation Details
- B.2. Android Implementation Details
- B.3. Windows Implementation Details
- B.4. macOS Implementation Details
- B.5. Linux Implementation Details
- Acknowledgements
- Authors' Addresses