I sent in some notes but I don't have a link for the recording. I don't
believe the recordings were being kept much past the end of the
conference. I'm pretty sure I heard that the recordings would be removed
after N days (I don't remember what N was stated as:)
Joseph explanation is better than I could have given and matches my
understanding as well.
Thanks,
George
On 11/3/20 2:13 PM, Dick Hardt wrote:
Thanks Joseph.
George Fletcher ran a great session on the topic at the last IIW as well.
George: do you have a link?
ᐧ
On Tue, Nov 3, 2020 at 11:09 AM Joseph Heenan <jos...@authlete.com> wrote:
Hi Dick
I didn’t attend the call so don’t know the background of this and the
exact situation, but the general problem is mostly where the Authorization
Server’s app is *not* installed. In that case Android falls back to much
weaker mechanisms that allow other apps to get a look in. App links also
aren’t consistently supported across all commonly used android browsers
which causes further problems.
In general to do app2app oauth redirections securely on Android it’s
necessary for both apps to fetch the /.well-known/assetlinks.json for the
url they want to redirect to, and verify that the intent the app intends to
launch to handle the url is signed using the expected certificate. Web2app
flows are trickier, on both iOS and on Android. There were lengthy
discussions on at least the Android case at OAuth Security Workshop this
year (recordings available).
Joseph
On 20 Oct 2020, at 00:09, Dick Hardt <dick.ha...@gmail.com> wrote:
Hey Vittorio
(cc'ing OAuth list as this was brought up in the office hours today)
https://developer.android.com/training/app-links
An app is the default handler and the developer has verified ownership of
the HTTPS URL. While a user can override the app being the default handler
in the system settings -- I don't see how a malicious app can be the
default setting.
What am I missing?
/Dick
ᐧ
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
