[Openid-specs-ab] WG meeting topic

Tom Jones thomasclinganjones at gmail.com
Mon Mar 18 23:30:10 UTC 2019


Perhaps not for a phone co. But certainly for a bank. It must be part of
the security consideration.

thx ..Tom (mobile)

On Mon, Mar 18, 2019, 3:22 PM George Fletcher via Openid-specs-ab <
openid-specs-ab at lists.openid.net> wrote:

> Interesting. Seems like if the app is doing something malicious with the
> webview flows, they would already be in violation of ToS and hence could
> have their client_id revoked. It doesn't seem like a special clause about
> "spoofing user-agents" would be required. Thanks for the info!
>
> On 3/18/19 5:01 PM, Filip Skokan via Openid-specs-ab wrote:
>
> Last I heard from Iain and William (~2 years ago) is that there's a
> blacklist of user-agent strings plus a terms of service agreement that
> spoofing user-agents is forbidden and could result in the application's
> permissions being revoked.
>
> Best regards,
> *Filip Skokan*
>
>
> On Mon, 18 Mar 2019 at 20:16, Nat Sakimura via Openid-specs-ab <
> openid-specs-ab at lists.openid.net> wrote:
>
>> Google apparently is banning a request from WebView so there has to be a
>> way to detect it at least on Android. Or are they just depending on the
>> user agent header string which is totally spoofable?
>>
>> On Tue, 19 Mar 2019 at 2:05, George Fletcher via Openid-specs-ab <
>> openid-specs-ab at lists.openid.net> wrote:
>>
>>> Hi,
>>>
>>> I'd like to have a discussion around security and authentication flows
>>> occurring with the system browser vs a webview. I get the potential
>>> security risk but I don't think we have any guidance on how an IdP is
>>> supposed to ensure whether requests are coming from the system browser
>>> vs a webview.
>>>
>>> Thanks,
>>> George
>>> _______________________________________________
>>> Openid-specs-ab mailing list
>>> Openid-specs-ab at lists.openid.net
>>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>>
>
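
As an added illustration (not part of any message in this thread), here is the kind of User-Agent check the thread discusses, written as an IdP-side signal. The marker patterns are commonly documented WebView conventions, and the policy names and sample strings are assumptions constructed for this example.

```python
import re

# Assumed markers (documented UA conventions, not taken from the thread):
#  - Android WebView (Lollipop and later) adds "; wv" inside the platform parentheses.
#  - Older Android WebView sends "Version/x.y" together with "Chrome/".
#  - iOS embedded web views send AppleWebKit but no "Safari/" token.
ANDROID_WV = re.compile(r"\(Linux; Android [^)]*; wv\)")
ANDROID_OLD_WV = re.compile(r"Android.*Version/\d+\.\d+.*Chrome/")
IOS_DEVICE = re.compile(r"\((iPhone|iPad|iPod)[^)]*\)")

# Constructed sample headers, for illustration only.
SAMPLES = {
    "android_webview": "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/X; wv) "
                       "AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 "
                       "Chrome/72.0.3626.121 Mobile Safari/537.36",
    "android_chrome": "Mozilla/5.0 (Linux; Android 9; Pixel 3) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/72.0.3626.121 Mobile Safari/537.36",
    "ios_webview": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1_4 like Mac OS X) "
                   "AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/16D57",
    "ios_safari": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1_4 like Mac OS X) "
                  "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 "
                  "Mobile/15E148 Safari/604.1",
}

def classify_user_agent(ua):
    """Return 'webview', 'browser' or 'unknown' from the header alone."""
    if not ua:
        return "unknown"
    if ANDROID_WV.search(ua) or ANDROID_OLD_WV.search(ua):
        return "webview"
    if IOS_DEVICE.search(ua) and "AppleWebKit" in ua:
        return "browser" if "Safari/" in ua else "webview"
    return "browser" if "Mozilla/" in ua else "unknown"

def authorization_request_policy(ua):
    """Hypothetical IdP policy: reject webviews, flag headers it cannot classify."""
    verdict = classify_user_agent(ua)
    return {"webview": "reject", "unknown": "flag"}.get(verdict, "allow")

if __name__ == "__main__":
    for name, ua in SAMPLES.items():
        print(name, classify_user_agent(ua), authorization_request_policy(ua))
```

Because the header is supplied by the client, an "allow" result here only means the string looks like a system browser, so the check works as a signal alongside the terms-of-service and client_id revocation measures mentioned in the thread rather than as a control on its own.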