Torsten,

> Another question: how does the server validate the
> identity/authenticity of the client? In other words, what
> does a malicious app prevent from using the URL and server
> of another native app?
Let me rephrase your question (correct me if I'm wrong): can a malicious native app obtain an authcode that the user has granted to a legitimate native app, by using the ancillary server of the legitimate app?

The answer is yes, but only if the user installs the malicious app on his/her own machine, in which case there can be no security. The authcode is downloaded to the browser that was used for user authentication, and it is delivered by the browser to an application running on the same machine.

(From an earlier message...)

> This also means the availability of the native app on a
> device depends on the availability of this backend service. I
> don't know whether the average store website has a
> reasonable availability.

Availability is not a problem these days. We use virtual servers on the Amazon cloud, which are very cheap, and availability is practically 100%.

Regards,
Francisco
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
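The hand-off Francisco describes (authorization server, then the app's ancillary server, then the browser delivering the code to a process on the user's machine) can be simulated end to end. The following is an added example written for this page; it is not code from the thread, from Francisco's product, or from any OAuth library. It assumes the final hop is a loopback redirect (`http://127.0.0.1:<port>/cb`), that the backend keeps a table of pending `state` values, and that the authorization codes (`code-for-legit`, `code-for-rogue`) are constructed placeholders. It shows both halves of the answer above: `state` lets the backend refuse replays and cross-delivery, but the backend has no way to tell which local process registered a `state`, so a second app on the same machine gets a code through the same backend just as easily.

```python
"""Simulated delivery of an OAuth authorization code from a per-app
ancillary server to a native app listening on the loopback interface.
Added example, not code from the OAuth list thread; the loopback hop and
the backend's state table are assumptions made for illustration."""
import secrets
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class LoopbackReceiver:
    """The native app's side: a one-shot listener on 127.0.0.1 that accepts
    a code only if it carries the state this instance generated."""

    def __init__(self):
        self.state = secrets.token_urlsafe(16)
        self.code = None
        receiver = self

        class Handler(BaseHTTPRequestHandler):
            def do_GET(self):
                params = urllib.parse.parse_qs(urllib.parse.urlparse(self.path).query)
                state = params.get("state", [None])[0]
                code = params.get("code", [None])[0]
                if state == receiver.state and code is not None and receiver.code is None:
                    receiver.code = code
                    self.send_response(200)
                else:
                    self.send_response(400)  # unknown, missing or already-used state
                self.end_headers()

            def log_message(self, *args):  # keep the example quiet
                pass

        self.server = HTTPServer(("127.0.0.1", 0), Handler)  # OS picks a free port
        self.port = self.server.server_address[1]
        threading.Thread(target=self.server.serve_forever, daemon=True).start()

    def redirect_uri(self):
        return f"http://127.0.0.1:{self.port}/cb"

    def close(self):
        self.server.shutdown()
        self.server.server_close()


class AncillaryServer:
    """The per-app backend that is the redirect_uri registered with the
    authorization server. It forwards the code to whichever local listener
    registered the matching state; it cannot tell which program that is."""

    def __init__(self):
        self.pending = {}  # state -> local redirect URI (assumed design)

    def begin(self, receiver):
        self.pending[receiver.state] = receiver.redirect_uri()

    def handle_callback(self, query):
        """Browser arrives here from the authorization server. Returns the
        Location a 302 would carry, or None if the state is unknown or spent."""
        params = urllib.parse.parse_qs(query)
        state = params.get("state", [None])[0]
        local_uri = self.pending.pop(state, None)  # one use per state
        if local_uri is None or "code" not in params:
            return None
        return local_uri + "?" + urllib.parse.urlencode(
            {"code": params["code"][0], "state": state})


def browser_follow(location):
    """Stand-in for the browser following the redirect to the loopback."""
    with urllib.request.urlopen(location) as resp:
        return resp.status


def run_flow():
    backend = AncillaryServer()
    legit = LoopbackReceiver()
    rogue = LoopbackReceiver()  # a second app installed on the same machine
    try:
        # 1. Legitimate app starts a flow; the (simulated) authorization
        #    server sends the browser to the backend with a constructed code.
        backend.begin(legit)
        cb = urllib.parse.urlencode({"code": "code-for-legit", "state": legit.state})
        browser_follow(backend.handle_callback(cb))
        # 2. Replaying the same callback is refused: that state is spent.
        replay = backend.handle_callback(cb)
        # 3. The rogue app does exactly the same thing through the same backend,
        #    and the backend has nothing to distinguish it by.
        backend.begin(rogue)
        cb = urllib.parse.urlencode({"code": "code-for-rogue", "state": rogue.state})
        browser_follow(backend.handle_callback(cb))
        return {"legit": legit.code, "rogue": rogue.code, "replay": replay}
    finally:
        legit.close()
        rogue.close()


if __name__ == "__main__":
    print(run_flow())
```

Run it and the legitimate listener ends up holding `code-for-legit`, the rogue listener `code-for-rogue`, and the replay is rejected with `None`. The `state` table protects one flow from another, but nothing in the backend identifies the process that opened the loopback port, which is the point of the reply above.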