7

Is there any way that a third-party app can logically use Touch ID to authenticate to a web service that uses OAuth2?

Say I own a web service that requires authentication using OAuth2. It supports both the implicit and authorization-code grants (although I could add support for other grants if necessary).

A third party has a mobile app that uses this web service. It opens a native web view to authenticate, and loads my auth URL in it. The user enters their username/password on my domain, and I return an OAuth token back to the app.

If this app wants to implement Touch ID to speed up authentication, is there a way to do it that makes sense with OAuth2?

My understanding is that the purpose of the OAuth2 implicit and auth-code grants is to prevent the parent app from having access to the user's credentials. It only gets access to the resulting OAuth token, and that's only valid for a limited time.

With Touch ID, you would typically store the password using Keychain Services. So this obviously requires you to have access to the password.

I suppose they could store the OAuth token in the keychain instead of the password, but then this would only be valid for a short time.

JW.
  • 50,691
  • 36
  • 115
  • 143

2 Answers2

1

The only answer I've come up with so far is what you allude to at the end: store the OAuth tokens -- but also a long-lived refresh token. How long that refresh token can live is definitely dependent on your specific security needs.

Mattio
  • 2,014
  • 3
  • 24
  • 37
1

I don't know about any standard flow yet but here are some common considerations. Simply storing long-term credentials (passwords or refresh tokens, even encrypted at rest) would be mixing up security contexts in a way that is hard to audit. When using any local authentication (app-specific unlock PIN, any biometrics, or simply system unlock) it's important to do it in a way that can be verified by the server. So the first step would be device authentication, every instance of your app should use unique client id/client credentials (I suggest to implement Dynamic Client Registration Protocol to help with that but there could be other options). Then, it's a good idea to generate some piece of verifiable key information directly on the device, put it into secure storage (protected by whatever local unlocking mechanism and invalidated whenever biometrics changes or) and use it to generate a MAC of some kind, for example a JWT as a part of jwt-bearer flow (or some new extension to OAuth assertion framework). JWT tokens could include additional metadata (claims) that can provide more context to the server, like it can make informed decisions to force re-authentication in some cases.

To restate:

  1. Device is authorized and issued an unique client credentials pair.
  2. Locally-generated key is saved to the encrypted storage and protected by some local unlock mechanism (system lockscreen, PIN, biometrics, etc.)
  3. The key gets registered with the server and tied to the device.
  4. On unlocking the key is used to generate a JWT that is used as assertion for authenticating with the server.

Seems pretty standard to me, maybe someone should write up a BCP for this after thinking through all the implementation details, current practice, and security considerations.

Community
  • 1
  • 1
Ivan Anishchuk
  • 487
  • 3
  • 16