[Openid-specs-ab] WG meeting topic
Filip Skokan
panva.ip at gmail.com
Mon Mar 18 21:01:01 UTC 2019
Last I heard from Iain and William (~2 years ago) is that there's a
blacklist of user-agent strings plus a terms of service agreement that
spoofing user-agents is forbidden and could result in the application's
permissions being revoked.
Best regards,
*Filip Skokan*
On Mon, 18 Mar 2019 at 20:16, Nat Sakimura via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:
> Google apparently is banning a request from WebView so there has to be a
> way to detect it at least on Android. Or are they just depending on the
> user agent header string which is totally spoofable?
>
> On Tue, 19 Mar 2019 at 2:05, George Fletcher via Openid-specs-ab <
> openid-specs-ab at lists.openid.net>:
>
>> Hi,
>>
>> I'd like to have a discussion around security and authentication flows
>> occurring with the system browser vs a webview. I get the potential
>> security risk but I don't think we have any guidance on how an IdP is
>> supposed to ensure whether requests are coming from the system browser
>> vs a webview.
>>
>> Thanks,
>> George
>> _______________________________________________
>> Openid-specs-ab mailing list
>> Openid-specs-ab at lists.openid.net
>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>
>
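
An added example (not part of the thread, and not Google's actual blocklist): the kind of server-side User-Agent check discussed above, sketched in Python. The patterns assume the publicly documented default WebView user-agent formats; the function names and sample strings are constructed for illustration.

```python
import re

# Assumed heuristics based on default user-agent formats, not any IdP's real list.
# Android 5+ WebView inserts a "wv" field in the platform section.
ANDROID_WV_TOKEN = re.compile(r"\(Linux; (?:U; )?Android [^)]*; wv\)")
# Android 4.4 WebView carries "Version/X.X" ahead of "Chrome/NN"; Chrome itself does not.
ANDROID_OLD_WV = re.compile(r"Android [^)]*\).*Version/\d+\.\d+.*Chrome/\d+")
IOS_DEVICE = re.compile(r"\((?:iPhone|iPad|iPod)[^)]*\)")


def classify_user_agent(ua: str) -> str:
    """Return 'webview', 'browser' or 'unknown' for a User-Agent header value.

    The header is client-controlled, so the result is a hint, not proof.
    """
    if not ua:
        return "unknown"
    if "Android" in ua:
        if ANDROID_WV_TOKEN.search(ua) or ANDROID_OLD_WV.search(ua):
            return "webview"
        return "browser" if ("Chrome/" in ua or "Firefox/" in ua) else "unknown"
    if IOS_DEVICE.search(ua):
        # Safari sends a "Safari/" token; the default WKWebView string ends at "Mobile/<build>".
        return "browser" if "Safari/" in ua else "webview"
    return "unknown"


# Constructed sample header values.
CHROME_ANDROID = ("Mozilla/5.0 (Linux; Android 9; Pixel 3) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/72.0.3626.121 Mobile Safari/537.36")
WEBVIEW_ANDROID = ("Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/EXAMPLE; wv) "
                   "AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 "
                   "Chrome/72.0.3626.121 Mobile Safari/537.36")
SAFARI_IOS = ("Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) "
              "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 "
              "Mobile/15E148 Safari/604.1")
WEBVIEW_IOS = ("Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) "
               "AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148")


def classify_all(samples: dict) -> dict:
    """Classify a mapping of label -> User-Agent string."""
    return {label: classify_user_agent(ua) for label, ua in samples.items()}


if __name__ == "__main__":
    print(classify_all({"chrome": CHROME_ANDROID, "android-wv": WEBVIEW_ANDROID,
                        "safari": SAFARI_IOS, "ios-wv": WEBVIEW_IOS}))
```

A request whose header has been overridden to match `CHROME_ANDROID` is classified as `browser` no matter what sent it, which is the limitation raised in the thread and the reason the check is paired with a terms-of-service rule.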