[Openid-specs-ab] WG meeting topic

George Fletcher gffletch at aol.com
Mon Mar 18 22:22:03 UTC 2019


Interesting. Seems like if the app is doing something malicious with the 
webview flows, they would already be in violation of ToS and hence could 
have their client_id revoked. It doesn't seem like a special clause 
about "spoofing user-agents" would be required. Thanks for the info!

On 3/18/19 5:01 PM, Filip Skokan via Openid-specs-ab wrote:
> Last I heard from Iain and William (~2 years ago) is that there's a 
> blacklist of user-agent strings plus a terms of service agreement that 
> spoofing user-agents is forbidden and could result in the 
> application's permissions being revoked.
>
> Best regards,
> *Filip Skokan*
>
>
> On Mon, 18 Mar 2019 at 20:16, Nat Sakimura via Openid-specs-ab 
> <openid-specs-ab at lists.openid.net 
> <mailto:openid-specs-ab at lists.openid.net>> wrote:
>
>     Google apparently is banning a request from WebView so there has
>     to be a way to detect it at least on Android. Or are they just
>     depending on the user agent header string which is totally spoofable?
>
>     On Tue, 19 Mar 2019 at 2:05, George Fletcher via Openid-specs-ab
>     <openid-specs-ab at lists.openid.net
>     <mailto:openid-specs-ab at lists.openid.net>>:
>
>         Hi,
>
>         I'd like to have a discussion around security and authentication
>         flows occurring with the system browser vs a webview. I get the
>         potential security risk but I don't think we have any guidance on
>         how an IdP is supposed to ensure whether requests are coming from
>         the system browser vs a webview.
>
>         Thanks,
>         George
>         _______________________________________________
>         Openid-specs-ab mailing list
>         Openid-specs-ab at lists.openid.net
>         <mailto:Openid-specs-ab at lists.openid.net>
>         http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
