oauth-wg / oauth-cross-device-security


Do we want to mention the WICG browser api? #148

Open danielfett opened 4 weeks ago

PieterKas commented 5 days ago

@danielfett can you add a bit more context on this API and why it should be included/referenced?

jogu commented 2 days ago

I can't remember when Daniel's back from holiday, but as he opened this issue after a conversation we had, perhaps I can usefully answer.

It's the API here:

https://wicg.github.io/digital-credentials/

The reason to mention it would be that it solves the cross device security problem for OpenID for Verifiable Presentations, as it uses very similar mechanisms to the cross device passkey presentation by adding bluetooth proximity into the mix. Potentially it even means that if you're having trouble deciding between different possible ways of doing things the availability of the API might push you towards using OID4VP to get cross device security.

The main downside is that it's still under development so isn't technically stable nor widely available yet, but Apple & Google have demoed it working cross device between different OSes.

PieterKas commented 2 days ago

@jogu there is a section on protocol recommendations, as well as on proximity. What we might do is add a reference to this as an example of a protocol that establishes proximity via Bluetooth in one or more sections. Do you think that would be sufficient to address the issue?

jogu commented 2 days ago

Yes, I think so. I had a read of the latest draft with this in mind; I think it might be worthy of mentions:

  1. in Section 5, when introducing the verifiable presentations standard, that as well as the standard QR-based flow there is a secure cross-device flow using the browser API.
  2. in 6.1.1, around "BLE presents another alternative for establishing proximity, but may present user experience challenges when setting up", tacking on something like "unless mediated by the OS" or something like that, as although the browser API cross based flow does use BLE it doesn't require the user to navigate the traditional device pairing flow that I think is being referred to here (to oversimplify, it combines QR codes with BLE and CTAP in a very similar way to webauthn, as is already described in section 6.2.3.1).
  3. In 6.2, a new subsection for OID4VP over browser API might be warranted.