Closed friedger closed 5 years ago
I love both of your points! I'm planning on finally adding POST functions to the package and when I do, I'll fetch the logo and name from the app manifest if it exists. The problem I could see is this package could be used by apps that don't properly configure a manifest file. Blockstack sort of forces that, but I imagine there are plenty of apps out there that don't configure a well-formed manifest.
These apps don't qualify as apps :-P
Maybe one could scrape the index.html and have a best guess...
Scraping the index.html file makes sense. Could probably at the very least grab the favicon (even if it's ugly...).
As an example of one of those bad apps, here's Twitter's non-existent manifest:
Twitter has a great pwa, see Mobile.twitter.com/manifest.json
On Tue, 4 Dec 2018, 15:29 Justin Hunter <notifications@github.com> wrote:
> Scraping the index.html file makes sense. Could probably at the very least grab the favicon (even if it's ugly...).
> As an example of one of those bad apps, here's Twitter's non-existent manifest:
> [image: screen shot 2018-12-04 at 8 27 48 am] https://user-images.githubusercontent.com/10519834/49448528-b518e080-f79e-11e8-8687-cde5bc95a6e1.png
Yeah, this is a good topic to look at in depth for potential OWASP threats on front-end applications: https://www.qualitance.com/blog/how-to-master-front-end-security/ . I like how this article talks about the "confused deputy".
The client-side-only API is now deprecated after many iterations of Graphite. An enterprise API will be released and I may revisit a client-side only API in the future.
Currently, the user is not well informed who she will give the app token to when authorizing another web site
The following link looks like an OI Timesheet auth, but in reality it isn't:
https://app.graphitedocs.com/oauth/verify?OITimesheet?https://blockusign.co/#/graphite/?token=047f3f33065e27b47c2ae159a380d79caaef8ff5c4fbceeb05cc94e5f1113fb8a61aa726f35d82922f6067325d51e4288396325782fa2832f5f15ea1edf95b96be=?
It would be better to retrieve the name from the token and the redirect manifest.
It would be nice to coin the name didAuth (https://github.com/WebOfTrustInfo/rebooting-the-web-of-trust-spring2018/blob/master/final-documents/did-auth.md) and move away from OAuth.