This repository has been archived by the owner on Jun 19, 2023. It is now read-only.
[OAuth2] Improve trust/security when login in embedded web view #942
From iOS it could be improved using SFSafariViewController instead of UIWebView. Great info on links to review, thanks @michaelstingl
I also don’t understand yet what else https://github.com/openid/AppAuth-iOS would help us besides only using SFSafariViewController. Is there more we could use?
Regarding owncloud/android#2036 (comment) Necessity to isolate webview cookies from core/oauth2 cookies.
As discussed at the ownCloud Conference 2017, there are some best practice recommendations to improve trust and security when users log in via the embedded web view.
This is an article from Carnegie Mellon CERT that describes the motivation:
https://insights.sei.cmu.edu/cert/2016/08/the-risks-of-google-sign-in-on-ios-devices.html
Another article describes possible solutions with a contribution from Google:
https://www.pingidentity.com/en/blog/2016/03/10/using_appauth_to_enable_your_apps_with_mobile_sso.html
There is also a video recording available from the Google Team:
https://youtu.be/DdQTXrk6YTk
You will find very detailed information in a new IETF draft from the OAuth Working Group:
https://tools.ietf.org/html/draft-ietf-oauth-native-apps (June 9, 2017)
https://tools.ietf.org/html/rfc8252 (October 2017)
@nasli @pablocarmu Could you check how the ownCloud iOS client could be improved following the linked recommendation?
Related: owncloud/android#2036