owncloud / ios-legacy

:iphone: iOS app for ownCloud
https://itunes.apple.com/app/owncloud/id543672169
GNU General Public License v3.0

[OAuth2] Improve trust/security when login in embedded web view #942

Open michaelstingl opened 6 years ago

michaelstingl commented 6 years ago

As discussed at the ownCloud Conference 2017, there are some best practice recommendations to improve trust and security when the user logs in via the embedded web view.

This is an article from Carnegie Mellon CERT that describes the motivation: https://insights.sei.cmu.edu/cert/2016/08/the-risks-of-google-sign-in-on-ios-devices.html

Another article describes possible solutions with a contribution from Google: https://www.pingidentity.com/en/blog/2016/03/10/using_appauth_to_enable_your_apps_with_mobile_sso.html

There is also a video recording available from the Google Team: https://youtu.be/DdQTXrk6YTk

You will find very detailed information in a new IETF draft from the OAuth Working Group: https://tools.ietf.org/html/draft-ietf-oauth-native-apps (June 9, 2017) https://tools.ietf.org/html/rfc8252 (October 2017)

@nasli @pablocarmu Could you check how the ownCloud iOS client could be improved following the linked recommendation?

Related: https://github.com/owncloud/android/issues/2036


nasli commented 6 years ago

On iOS it could be improved by using SFSafariViewController instead of UIWebView. Great info in the links to review, thanks @michaelstingl
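An added illustration (not code from this issue or from the ownCloud app) of what the recommendation looks like in Swift: a PKCE verifier/challenge pair as RFC 8252 requires for native apps, the authorization URL built from it, and the login presented in SFSafariViewController rather than UIWebView. The server endpoint, client ID and redirect scheme below are placeholders.

```swift
import Foundation
import Security
import CryptoKit        // iOS 13+, SHA256 for the PKCE challenge
import SafariServices
import UIKit

/// PKCE pair (RFC 7636). RFC 8252 section 8.1 requires it for native apps
/// because a custom-scheme redirect can be claimed by another app.
struct PKCE {
    let verifier: String
    let challenge: String

    init() {
        var bytes = [UInt8](repeating: 0, count: 32)
        precondition(SecRandomCopyBytes(kSecRandomDefault, bytes.count, &bytes) == errSecSuccess)
        verifier = PKCE.base64url(Data(bytes))
        challenge = PKCE.base64url(Data(SHA256.hash(data: Data(verifier.utf8))))
    }

    static func base64url(_ data: Data) -> String {
        data.base64EncodedString()
            .replacingOccurrences(of: "+", with: "-")
            .replacingOccurrences(of: "/", with: "_")
            .replacingOccurrences(of: "=", with: "")
    }
}

/// Authorization request URL. Endpoint, client_id and redirect_uri are
/// placeholders, not the real ownCloud values.
func authorizationURL(pkce: PKCE, state: String) -> URL {
    var c = URLComponents(string: "https://cloud.example.org/oauth2/authorize")!
    c.queryItems = [
        URLQueryItem(name: "response_type", value: "code"),
        URLQueryItem(name: "client_id", value: "PLACEHOLDER_CLIENT_ID"),
        URLQueryItem(name: "redirect_uri", value: "placeholder-scheme://callback"),
        URLQueryItem(name: "state", value: state),   // compared on return to block CSRF
        URLQueryItem(name: "code_challenge", value: pkce.challenge),
        URLQueryItem(name: "code_challenge_method", value: "S256"),
    ]
    return c.url!
}

/// Presents the login in SFSafariViewController: a system browser view whose
/// cookies and DOM the app cannot read or script, unlike an in-app UIWebView.
func startLogin(from presenter: UIViewController, pkce: PKCE, state: String) {
    let safari = SFSafariViewController(url: authorizationURL(pkce: pkce, state: state))
    presenter.present(safari, animated: true)
    // The redirect arrives through the app's custom URL scheme; verify `state`,
    // then send the code together with pkce.verifier to the token endpoint.
}
```

Because the login page lives in the system browser view, the web-view cookies are not shared with the app's own HTTP session, which is the isolation this thread asks for.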

michaelstingl commented 6 years ago

I also don’t understand yet what else https://github.com/openid/AppAuth-iOS would help us besides only using SFSafariViewController. Is there more we could use?

jesmrec commented 6 years ago

Regarding https://github.com/owncloud/android/issues/2036#issuecomment-365341121

Necessity to isolate webview cookies from core/oauth2 cookies.