aaronpk / oauth-first-party-apps

https://datatracker.ietf.org/doc/html/draft-parecki-oauth-first-party-apps

I don't think we should limit the spec to one app per platform #10

Closed gffletch closed 1 year ago

gffletch commented 1 year ago

I'd like to discuss why we don't want to recommend supporting the spec for multiple first-party apps.

My thinking has been that the protocol (whether in or out of scope) allows for a challenge/response method that the AS can control, allowing it to support multiple apps at the same time. On the app side, this can be managed via an SDK that is used by all the first-party apps.

The AS needs to track which app versions have which capabilities to ensure the correct native experience is supported, and if it's not possible to support the native experience, then the AS asks the client to fall back to the web redirect experience.

gffletch commented 1 year ago

The key point is that we don't want different user experiences implemented by the different apps. Add this topic in the Security Considerations section.

gffletch commented 1 year ago

Also, if there are multiple first-party apps, we can use OIDF Native SSO for Mobile Apps to create a better experience for the user.

aaronpk commented 1 year ago

Already stubbed some out in the draft; needs more expansion.