<div dir="auto">Perhaps not for a phone co. But certainly for a bank. It must be part of the security consideration.<br><br><div data-smartmail="gmail_signature">thx ..Tom (mobile)</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Mar 18, 2019, 3:22 PM George Fletcher via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<font face="Helvetica, Arial, sans-serif">Interesting. Seems like if
the app is doing something malicious with the webview flows, they
would already be in violation of ToS and hence could have their
client_id revoked. It doesn't seem like a special clause about
"spoofing user-agents" would be required. Thanks for the info!</font><br>
<br>
<div class="m_4221662759777335055moz-cite-prefix">On 3/18/19 5:01 PM, Filip Skokan via
Openid-specs-ab wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Last I heard from Iain and William (~2 years ago)
is that there's a blacklist of user-agent strings plus a terms
of service agreement that spoofing user-agents is forbidden and
could result in the application's permissions being revoked.
<div><br clear="all">
<div>
<div dir="ltr" class="m_4221662759777335055gmail_signature" data-smartmail="gmail_signature">Regards,<br>
<b>Filip Skokan</b></div>
</div>
<br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Mon, 18 Mar 2019 at 20:16,
Nat Sakimura via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank" rel="noreferrer">openid-specs-ab@lists.openid.net</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="auto">Google apparently is banning a request from
WebView so there has to be a way to detect it at least on
Android. Or are they just depending on the user agent header
string which is totally spoofable? </div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Tue, Mar 19, 2019 at 2:05, George
Fletcher via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank" rel="noreferrer">openid-specs-ab@lists.openid.net</a>> wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi,<br>
<br>
I'd like to have a discussion around security and
authentication flows <br>
occurring with the system browser vs a webview. I get the
potential <br>
security risk but I don't think we have any guidance on
how an IdP is <br>
supposed to ensure whether requests are coming from the
system browser <br>
vs a webview.<br>
<br>
Thanks,<br>
George<br>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" rel="noreferrer noreferrer" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer noreferrer noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
</blockquote>
</div>
</blockquote>
</div>
<br>
</blockquote>
<br>
</div>
</blockquote></div>