Unfortunately, in the mobile app world this isn't sufficient. On iOS using Universal Links will bind the https redirect_url to your app in a secure way but it doesn't work the same way on Android with App Links. There is still a problem with "mobile app impersonation". If you have an app that you want to ensure is "your" app then the most secure way is to look at "app attestation". This is, however, way off topic for this thread :)

On 2/14/21 9:28 AM, Neil Madden wrote:
Public clients are implicitly authenticated by their ownership of the registered redirect_uri. This is why it's important to use a redirect_uri for which ownership can be reasonably established, such as HTTPS endpoints with exact URI matching.

There are more things that can go wrong with that (see the security BCP), but it can be made reasonably secure.

— Neil

On 14 Feb 2021, at 13:48, Stoycho Sleptsov <stoycho.slept...@gmail.com> wrote:


I would like to add my reasons about the "Why are developers creating BFF for their frontends to communicate with an AS", with the objective to verify if they are valid.

I need the client app to be authenticated at the AS (to determine if it is a first-party app, for example).
If we decide to implement our client as a frontend SPA, then we have no other option except through a BFF, as PKCE does not help for authentication.

Or is it considered a bad practice to do that?

Regards,
Stoycho.
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
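Neil's point about HTTPS redirect URIs with exact matching, as an added illustration that is not code from any of the posters: an authorization server that only registers absolute HTTPS redirect URIs and compares the presented value byte-for-byte, shown beside the lax prefix rule it replaces. The client_id and host are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed client registry: client_id -> registered redirect URIs.
# The client_id and host used below are placeholders, not values from the thread.
REGISTERED: dict[str, set[str]] = {}


def register_redirect_uri(client_id: str, uri: str) -> bool:
    """Accept a redirect_uri at registration time only if it is an absolute
    HTTPS URI with a host and no fragment, so that later exact matching
    compares against an endpoint whose ownership can be established."""
    parts = urlsplit(uri)
    if parts.scheme != "https" or not parts.netloc or parts.fragment:
        return False
    REGISTERED.setdefault(client_id, set()).add(uri)
    return True


def redirect_uri_allowed(client_id: str, presented: str) -> bool:
    """Authorization-request check: exact string comparison, no
    normalisation, no prefix or wildcard matching, no extra query or
    fragment. On a mismatch the AS must not redirect at all."""
    return presented in REGISTERED.get(client_id, set())


def prefix_match(client_id: str, presented: str) -> bool:
    """The lax rule the strict check replaces: accept any URI that merely
    starts with a registered one. Included only to contrast the results."""
    return any(presented.startswith(r) for r in REGISTERED.get(client_id, ()))


if __name__ == "__main__":
    register_redirect_uri("spa-client", "https://app.example.com/cb")
    # Constructed variants a request might carry; only the first is registered.
    for uri in [
        "https://app.example.com/cb",
        "https://app.example.com/cb?next=https://other.example/",
        "https://app.example.com/cb/../other",
        "https://app.example.com/cb#state",
        "http://app.example.com/cb",
    ]:
        lax = prefix_match("spa-client", uri)
        strict = redirect_uri_allowed("spa-client", uri)
        print(f"{uri:55} prefix={lax!s:5} exact={strict}")
```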
