Just an update that I was able to make a Web Account Manager token request today. As part of this, although I don't think it ended up being necessary, I adopted a script from the windows crate samples that registers an Appx package (providing the app a package identity), which can be used when Windows developer mode is enabled.
I'm a member of the Microsoft Identity platform developer experience team. Microsoft has authentication brokers available on Windows, Linux, Android, iOS and macOS that can be used to authenticate users and request tokens for accessing APIs. I've briefly looked into the windows crate in terms of support for accessing the authentication broker on Windows. It looks like everything is there to use the web account manager on Windows to add accounts and request tokens.
Background: The Microsoft authentication brokers extend the standard protocols (OAuth/OIDC) to include device identity and support for device-wide (OS profile) single sign-on tokens. The device-wide single sign-on token (per account) is cryptographically bound using TPMs on Windows and other hardware-backed key crypto processors on other platforms. Device identity is used by the Microsoft authorization server (Security Token Service) to make decisions regarding token issuance. For example: a device may be considered "unhealthy" by the authorization server / device management system and therefore token issuance is blocked.
In order for a token request to include device identity or to leverage the device-wide SSO tokens, the token request must be made via an authentication broker.
On Windows the authentication broker is called the web account manager (WAM). On Linux it's under development and will be available via SDK and/or via DBUS. On macOS via custom schemes I believe (but I don't recall at the moment). On Android via SDK/Content Provider/Account Manager. On iOS via custom schemes.
Does the Tauri project have a point of view on how to leverage identity services provided by the operating system or applications installed on the operating system (brokers)?
I personally have 3 things I'm trying to achieve:
Not sure if line of business applications and their developers are really part of Tauri's vision but being interoperable and/or easily interoperable in this world of organizational identity would seem to be helpful.
I'm pretty new to Rust, but a relatively fast learner... so, if anyone has pointers on the above or has the time to provide support/feedback regarding what I do in my app to add support for WAM, I'd appreciate it.
Thanks in advance.
shane