[Openid-specs-ab] WG meeting topic

rich levinson rich.levinson at oracle.com
Mon Mar 18 23:33:56 UTC 2019


I was trying to remember during the mtg this evening about a paper I read
a couple years ago that talked about browser vs webview considerations.
I just found it, so here is a link to it for anyone interested.

"OAuth Demystified for Mobile Application Developers"
Eric Chen, et al

  http://mews.sv.cmu.edu/papers/ccs-14.pdf

   Rich

On 3/18/2019 7:30 PM, Tom Jones via Openid-specs-ab wrote:
> Perhaps not for a phone co. But certainly for a bank. It must be part of the security consideration.
>
> thx ..Tom (mobile)
>
> On Mon, Mar 18, 2019, 3:22 PM George Fletcher via Openid-specs-ab <openid-specs-ab at lists.openid.net <mailto:openid-specs-ab at lists.openid.net>> wrote:
>
>     Interesting. Seems like if the app is doing something malicious with the webview flows, they would already be in violation of ToS and hence could have their client_id revoked. It doesn't seem like a special clause about "spoofing user-agents" would be required. Thanks for the info!
>
>     On 3/18/19 5:01 PM, Filip Skokan via Openid-specs-ab wrote:
>>     Last I heard from Iain and William (~2 years ago) is that there's a blacklist of user-agent strings plus a terms of service agreement that spoofing user-agents is forbidden and could result in the application's permissions being revoked.
>>
>>     Best regards,
>>     *Filip Skokan*
>>
>>
>>     On Mon, 18 Mar 2019 at 20:16, Nat Sakimura via Openid-specs-ab <openid-specs-ab at lists.openid.net <mailto:openid-specs-ab at lists.openid.net>> wrote:
>>
>>         Google apparently is banning a request from WebView so there has to be a way to detect it at least on Android. Or are they just depending on the user agent header string which is totally spoofable?
>>
>>         On Tue, 19 Mar 2019 at 2:05, George Fletcher via Openid-specs-ab <openid-specs-ab at lists.openid.net <mailto:openid-specs-ab at lists.openid.net>> wrote:
>>
>>             Hi,
>>
>>             I'd like to have a discussion around security and authentication flows
>>             occurring with the system browser vs a webview. I get the potential
>>             security risk but I don't think we have any guidance on how an IdP is
>>             supposed to ensure whether requests are coming from the system browser
>>             vs a webview.
>>
>>             Thanks,
>>             George
>>             _______________________________________________
>>             Openid-specs-ab mailing list
>>             Openid-specs-ab at lists.openid.net <mailto:Openid-specs-ab at lists.openid.net>
>>             http://lists.openid.net/mailman/listinfo/openid-specs-ab <https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openid.net_mailman_listinfo_openid-2Dspecs-2Dab&d=DwMFaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=nz3Fn66qLx7H4seKWaCIewHybrgY6NYX3PaDZH5uMso&m=Dr800VovftbaXdtWNh7cdiSjjuccGR7gVAlQMAHmVLI&s=liNE7xYnzJjypyNxCiEBYbhp9theeEN12UjGUh9UjP4&e=>
>>
>

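The user-agent heuristic Nat and Filip describe above (Google's blocklist of WebView user-agent strings), shown as an added example on the IdP side; this is not code from the thread or from any of its participants. The sample User-Agent strings are constructed; the Android "; wv" token and "Version/4.0" prefix are the documented Chrome WebView markers, while the iOS rule (no trailing "Safari/" token in an embedded web view) is an assumption. As the thread notes, the header is client-controlled, so this only ever detects well-behaved WebViews, never spoofed ones.

```python
import re

# Constructed sample User-Agent strings (not taken from the thread).
SAMPLE_UAS = {
    "android_webview": "Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PQ1A.190105.004; wv) "
                       "AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 "
                       "Chrome/72.0.3626.121 Mobile Safari/537.36",
    "android_chrome": "Mozilla/5.0 (Linux; Android 9; Pixel 3) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/72.0.3626.121 Mobile Safari/537.36",
    "ios_wkwebview": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) "
                     "AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148",
    "ios_safari": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) "
                  "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 "
                  "Mobile/15E148 Safari/604.1",
}

# Android System WebView (Lollipop and later) appends "; wv" to the platform
# section and reports "Version/4.0" before the Chrome token.
ANDROID_WEBVIEW_RE = re.compile(r"\(Linux;[^)]*\bAndroid\b[^)]*;\s*wv\)")


def classify_user_agent(ua: str) -> str:
    """Return 'webview', 'browser' or 'unknown' for a User-Agent header.

    Heuristic only: the header is chosen by the client, so a 'browser'
    verdict is never proof that the system browser was actually used.
    """
    if ANDROID_WEBVIEW_RE.search(ua) or ("Android" in ua and "Version/4.0" in ua):
        return "webview"
    if "iPhone" in ua or "iPad" in ua:
        # Assumption: an embedded iOS web view omits the trailing Safari/ token.
        return "browser" if "Safari/" in ua else "webview"
    if "Android" in ua and "Chrome/" in ua:
        return "browser"
    return "unknown"


def authorization_request_decision(ua: str, reject_webviews: bool = True) -> dict:
    """Policy hook for the authorization endpoint: classify, decide, and
    emit a log field so spoofing attempts can be correlated later."""
    verdict = classify_user_agent(ua)
    reject = reject_webviews and verdict == "webview"
    return {"verdict": verdict, "reject": reject,
            "log": f"ua_class={verdict} reject={str(reject).lower()}"}


if __name__ == "__main__":
    for name, ua in SAMPLE_UAS.items():
        print(name, authorization_request_decision(ua))
```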