Open ThisIsMissEm opened 3 months ago
Is there anything unique about this draft in regards to mobile apps? The custom scheme redirect URI issue applies to all OAuth clients, whether or not they provide their own metadata.
Yeah, I suspect there is just the same security considerations as with any custom scheme redirect URI + mobile apps, but it may not be a bad idea to reinforce that for mobile applications, you definitely want to use PKCE if using this I-D?
Or maybe we just cross link to the OAuth 2.0 Security Best Current Practice document as the first section in Security Considerations, highlighting a few of the possible attack vectors to be aware of?
So like in the opening to 6. Security Considerations, explicitly listing some of the considerations to pay attention to.
With mobile applications, unless you use application-claimed https URLs and the system authentication mechanisms (I believe Apple and Google have a "sign in with" dialog for this now, instead of using an in-app webview), then there is potential for the redirect_uris to be hijacked by another application (e.g., if using a myapp:// redirect URI scheme). I'm not sure what can be done to further mitigate this, besides DPoP and PKCE which mitigate redirect hijacking attempts.
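As an added illustration of the PKCE mitigation discussed above (example code, not from the issue or the draft): a minimal RFC 7636 S256 exchange in which the authorization server binds each code to the challenge, so an app that merely receives the custom-scheme redirect obtains a code it cannot redeem. The AuthorizationServer class, the client_id URL and the myapp://callback redirect URI are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
# RFC 7636 PKCE (S256): the client keeps code_verifier on the device and sends
# only its hash as code_challenge. An app that also registered the custom scheme
# can receive the redirect and learn the code, but not the verifier.

def make_code_verifier(nbytes: int = 32) -> str:
    # base64url of 32 random bytes yields 43 unreserved characters (RFC 7636 minimum).
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")

def make_code_challenge(verifier: str) -> str:
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

class AuthorizationServer:
    """Constructed in-memory AS that binds each code to client, redirect_uri and challenge."""
    def __init__(self):
        self._codes = {}

    def authorize(self, client_id, redirect_uri, code_challenge, method="S256"):
        if method != "S256":
            raise ValueError("only S256 is accepted")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (client_id, redirect_uri, code_challenge)
        return code

    def token(self, code, client_id, redirect_uri, code_verifier):
        entry = self._codes.pop(code, None)  # codes are single use
        if entry is None:
            return None
        bound_client, bound_redirect, challenge = entry
        if client_id != bound_client or redirect_uri != bound_redirect:
            return None
        if not hmac.compare_digest(make_code_challenge(code_verifier), challenge):
            return None  # code was obtained without the matching verifier
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}

def demo():
    """Legitimate client redeems its code; an app that only saw the redirect cannot."""
    srv = AuthorizationServer()
    client_id, redirect_uri = "https://client.example/metadata.json", "myapp://callback"
    verifier = make_code_verifier()
    code = srv.authorize(client_id, redirect_uri, make_code_challenge(verifier))
    legit = srv.token(code, client_id, redirect_uri, verifier) is not None
    # Second code is delivered via the same scheme, but the receiver never held the verifier.
    code2 = srv.authorize(client_id, redirect_uri, make_code_challenge(make_code_verifier()))
    hijacked = srv.token(code2, client_id, redirect_uri, make_code_verifier()) is not None
    return legit, hijacked
```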