aaronpk / oauth-first-party-apps

https://datatracker.ietf.org/doc/html/draft-parecki-oauth-first-party-apps

Client Authentication #33

Closed PieterKas closed 10 months ago

PieterKas commented 12 months ago

There was some discussion at OSW about enforcing client auth first, before invoking the native flow to further build trust. It may be a good idea to add additional information, perhaps in the security considerations, about ways in which the server can have confidence that the first party app is a "real" first party app.

gffletch commented 11 months ago

Yes, I agree. There are a couple of ways the server can determine trust in the mobile app. We shouldn't be prescriptive, but maybe putting some options in the security considerations would help make it more clear how to do this. Maybe there is best practice guidance that could be put in a doc like for single-page-apps.

PieterKas commented 11 months ago

@gffletch to update First-Party Applications section

aaronpk commented 11 months ago

in Section 9.1 https://aaronpk.github.io/oauth-first-party-native-apps/draft-parecki-oauth-first-party-native-apps.html#section-9.1

aaronpk commented 11 months ago

Add new normative requirement for authorization server to verify that the application is a first party application.
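As an added illustration of the point raised in this thread (authenticating the client before the native flow is invoked), here is a minimal authorization-server gate written for this page; it is not code from the draft or from this repository. It assumes a confidential first-party client authenticating with a `client_id` and `client_secret`, which is only one of the options the thread deliberately leaves open; the client registry, identifiers and secrets are constructed placeholders.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed client registry standing in for the AS's client database.
# Secrets are stored hashed; a dedicated password hash (argon2, scrypt)
# would be preferable in production, SHA-256 keeps the example dependency-free.
def _hash_secret(secret: str) -> str:
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()

FIRST_PARTY_CLIENTS = {
    "example-first-party-app": {          # placeholder client_id
        "secret_hash": _hash_secret("constructed-client-secret"),
        "first_party": True,
    },
    "example-third-party-app": {          # registered, but not first-party
        "secret_hash": _hash_secret("another-constructed-secret"),
        "first_party": False,
    },
}


@dataclass
class AuthzDecision:
    allowed: bool
    error: Optional[str] = None   # OAuth error code when not allowed


def verify_first_party_client(client_id: str, client_secret: Optional[str]) -> AuthzDecision:
    """Gate for the first-party flow: authenticate the client first, then
    check that it is registered as first-party before the flow continues."""
    record = FIRST_PARTY_CLIENTS.get(client_id)
    if record is None or client_secret is None:
        # unknown client or no credentials presented: same error either way
        return AuthzDecision(False, "invalid_client")
    presented = _hash_secret(client_secret)
    # constant-time comparison so the check does not leak matching prefixes
    if not hmac.compare_digest(presented, record["secret_hash"]):
        return AuthzDecision(False, "invalid_client")
    if not record["first_party"]:
        # authenticated, but not a first-party app: do not expose the native flow
        return AuthzDecision(False, "unauthorized_client")
    return AuthzDecision(True)


def handle_authorization_challenge(request: dict) -> dict:
    """Hypothetical endpoint handler: client auth runs before anything else."""
    decision = verify_first_party_client(
        request.get("client_id", ""), request.get("client_secret")
    )
    if not decision.allowed:
        status = 401 if decision.error == "invalid_client" else 403
        return {"status": status, "error": decision.error}
    # Only an authenticated first-party client reaches the native flow.
    return {"status": 200, "next": "begin native flow"}


if __name__ == "__main__":
    print(handle_authorization_challenge(
        {"client_id": "example-first-party-app", "client_secret": "constructed-client-secret"}
    ))
```

The ordering is the point: the authentication failure and the "not first-party" failure are distinguished only after the credential check passes, so an unauthenticated caller learns nothing about which clients are registered as first-party.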