[Openid-specs-ab] WG meeting topic

Nat Sakimura sakimura at gmail.com
Mon Mar 18 19:16:35 UTC 2019


Google apparently is banning a request from WebView so there has to be a
way to detect it at least on Android. Or are they just depending on the
user agent header string which is totally spoofable?

On Tue, Mar 19, 2019 at 2:05, George Fletcher via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:

> Hi,
>
> I'd like to have a discussion around security and authentication flows
> occurring with the system browser vs a webview. I get the potential
> security risk but I don't think we have any guidance on how an IdP is
> supposed to ensure whether requests are coming from the system browser
> vs a webview.
>
> Thanks,
> George