<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    I was trying to remember during the mtg this evening about a paper I
    read<br>
    a couple years ago that talked about browser vs webview
    considerations.<br>
    I just found it, so here is a link to it for anyone interested<br>
    <br>
    "OAuth Demystified for Mobile Application Developers"<br>
    Eric Chen, et al<br>
    <br>
     <a class="moz-txt-link-freetext" href="http://mews.sv.cmu.edu/papers/ccs-14.pdf">http://mews.sv.cmu.edu/papers/ccs-14.pdf</a><br>
    <br>
      Rich<br>
    <br>
    <div class="moz-cite-prefix">On 3/18/2019 7:30 PM, Tom Jones via
      Openid-specs-ab wrote:<br>
    </div>
    <blockquote type="cite"
cite="mid:CAK2Cwb54Wf=mfW4ob+OGB_RMKgxU8XF7nKHg1UQ8jTg2m4BB8w@mail.gmail.com">
      <div dir="auto">Perhaps not for a phone co. But certainly for a
        bank. It must be part of the security consideration.<br>
        <br>
        <div data-smartmail="gmail_signature">thx ..Tom (mobile)</div>
      </div>
      <br>
      <div class="gmail_quote">
        <div dir="ltr" class="gmail_attr">On Mon, Mar 18, 2019, 3:22 PM
          George Fletcher via Openid-specs-ab &lt;<a
            href="mailto:openid-specs-ab@lists.openid.net"
            moz-do-not-send="true">openid-specs-ab@lists.openid.net</a>&gt;
          wrote:<br>
        </div>
        <blockquote class="gmail_quote" style="margin:0 0 0
          .8ex;border-left:1px #ccc solid;padding-left:1ex">
          <div text="#000000" bgcolor="#FFFFFF"> <font face="Helvetica,
              Arial, sans-serif">Interesting. Seems like if the app is
              doing something malicious with the webview flows, they
              would already be in violation of ToS and hence could have
              their client_id revoked. It doesn't seem like a special
              clause about "spoofing user-agents" would be required.
              Thanks for the info!</font><br>
            <br>
            <div class="m_4221662759777335055moz-cite-prefix">On 3/18/19
              5:01 PM, Filip Skokan via Openid-specs-ab wrote:<br>
            </div>
            <blockquote type="cite">
              <div dir="ltr">Last I heard from Iain and William (~2
                years ago) is that there's a blacklist of user-agent
                strings plus a terms of service agreement that spoofing
                user-agents is forbidden and could result in the
                application's permissions being revoked.
                <div><br clear="all">
                  <div>
                    <div dir="ltr"
                      class="m_4221662759777335055gmail_signature"
                      data-smartmail="gmail_signature">Best regards,<br>
                      <b>Filip Skokan</b></div>
                  </div>
                  <br>
                </div>
              </div>
              <br>
              <div class="gmail_quote">
                <div dir="ltr" class="gmail_attr">On Mon, 18 Mar 2019 at
                  20:16, Nat Sakimura via Openid-specs-ab &lt;<a
                    href="mailto:openid-specs-ab@lists.openid.net"
                    target="_blank" rel="noreferrer"
                    moz-do-not-send="true">openid-specs-ab@lists.openid.net</a>&gt;
                  wrote:<br>
                </div>
                <blockquote class="gmail_quote" style="margin:0px 0px
                  0px 0.8ex;border-left:1px solid
                  rgb(204,204,204);padding-left:1ex">
                  <div dir="auto">Google apparently is banning a request
                    from WebView so there has to be a way to detect it
                    at least on Android. Or are they just depending on
                    the user agent header string which is totally
                    spoofable? </div>
                  <br>
                  <div class="gmail_quote">
                    <div dir="ltr" class="gmail_attr">Tue, Mar 19, 2019, 2:05
                      George Fletcher via Openid-specs-ab &lt;<a
                        href="mailto:openid-specs-ab@lists.openid.net"
                        target="_blank" rel="noreferrer"
                        moz-do-not-send="true">openid-specs-ab@lists.openid.net</a>&gt;:<br>
                    </div>
                    <blockquote class="gmail_quote" style="margin:0px
                      0px 0px 0.8ex;border-left:1px solid
                      rgb(204,204,204);padding-left:1ex">Hi,<br>
                      <br>
                      I'd like to have a discussion around security and
                      authentication flows <br>
                      occurring with the system browser vs a webview. I
                      get the potential <br>
                      security risk but I don't think we have any
                      guidance on how an IdP is <br>
                      supposed to ensure whether requests are coming
                      from the system browser <br>
                      vs a webview.<br>
                      <br>
                      Thanks,<br>
                      George<br>
                      _______________________________________________<br>
                      Openid-specs-ab mailing list<br>
                      <a href="mailto:Openid-specs-ab@lists.openid.net"
                        rel="noreferrer noreferrer" target="_blank"
                        moz-do-not-send="true">Openid-specs-ab@lists.openid.net</a><br>
                      <a
href="https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openid.net_mailman_listinfo_openid-2Dspecs-2Dab&d=DwMFaQ&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=nz3Fn66qLx7H4seKWaCIewHybrgY6NYX3PaDZH5uMso&m=Dr800VovftbaXdtWNh7cdiSjjuccGR7gVAlQMAHmVLI&s=liNE7xYnzJjypyNxCiEBYbhp9theeEN12UjGUh9UjP4&e="
                        rel="noreferrer noreferrer noreferrer"
                        target="_blank" moz-do-not-send="true">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
                    </blockquote>
                  </div>
                </blockquote>
              </div>
              <br>
            </blockquote>
            <br>
          </div>
        </blockquote>
      </div>
      <br>
    </blockquote>
    <br>
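    <br>
    The user-agent blacklist mentioned in the thread, sketched as an added example; it is not code from any participant or from Google. The function names, rule names and the error value are hypothetical, and the sample headers are constructed to follow the publicly documented Android WebView and iOS User-Agent layouts.<br>
    <br>

```javascript
// Added example: advisory User-Agent check for an authorization endpoint.
// The header is chosen by the client, so a match is a reason to refuse the
// login page, while a non-match proves nothing about the caller.
const RULES = [
  // Android 5+ WebView: "wv" token inside the platform parentheses.
  { name: 'android-webview-wv', pattern: /\(Linux; Android [^)]*; wv\)/ },
  // Android 4.4 WebView: "Version/x.y" directly followed by a Chrome token.
  { name: 'android-webview-legacy', pattern: /Android .*Version\/\d+\.\d+ Chrome\// },
  // iOS embedded view: AppleWebKit and Mobile/ tokens with no Safari/ token.
  { name: 'ios-webview', pattern: /\((iPhone|iPad|iPod);.*AppleWebKit\/(?!.*Safari\/).*Mobile\// },
];

function classifyUserAgent(ua) {
  if (typeof ua !== 'string' || ua.trim() === '') {
    return { verdict: 'unknown', rule: null };
  }
  for (const rule of RULES) {
    if (rule.pattern.test(ua)) {
      return { verdict: 'embedded-webview', rule: rule.name };
    }
  }
  return { verdict: 'no-webview-marker', rule: null };
}

// Hypothetical policy hook; the action and error values are placeholders.
function authorizeDecision(ua) {
  const result = classifyUserAgent(ua);
  if (result.verdict === 'embedded-webview') {
    return { action: 'reject', error: 'embedded_user_agent', rule: result.rule };
  }
  // Not conclusive: continue, and rely on ToS and client_id review as well.
  return { action: 'continue', error: null, rule: null };
}

// Constructed sample headers following the publicly documented layouts.
const SAMPLES = {
  androidWebView: 'Mozilla/5.0 (Linux; Android 9; Pixel 3 Build/PQ2A; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/72.0.3626.121 Mobile Safari/537.36',
  androidChrome: 'Mozilla/5.0 (Linux; Android 9; Pixel 3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Mobile Safari/537.36',
  iosWebView: 'Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148',
  iosSafari: 'Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1',
};

for (const [label, ua] of Object.entries(SAMPLES)) {
  console.log(label, JSON.stringify(authorizeDecision(ua)));
}
```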
  </body>
</html>