Open — tbroyer opened this issue 8 years ago
PKCE implemented in 6694638f97c3d94b5b37e052ce8eff225e4b6a2a
WebView detection added in 0131269611790eeae5dcbaecded7077d0056a298 (no blocking yet though)
FWIW, iOS SDK available at https://openid.github.io/AppAuth-iOS/ and Android SDK at https://openid.github.io/AppAuth-Android/
Based on https://tools.ietf.org/html/draft-ietf-oauth-native-apps-00:
- … ; they cannot register new services (or delete the only existing one)
- … `client_secret`. That would be technically easier I guess. Need to investigate what “treat as a public client” actually implies.
- … `redirect_uris` (for native apps only); we should enforce uniqueness of the custom URI scheme across all services, and somehow enforce the use of package/bundle names as the custom scheme or, at a minimum, the use of a reverse-domain string (contains at least one dot, and when reversed parses as a domain name and ends with a public suffix, without being a public suffix itself), or maybe change our `client_id`s to be domain names (and then enforce that the custom scheme is the reversed `client_id`).
- … `http://localhost` (any port) for `redirect_uris` (for native apps only); the actual port in the authorization request should not be compared with the pre-registered `redirect_uri`.
- … `localStorage`) to be able to tell the user when they last signed in on that device (and possibly as which user; we shouldn't use the email address though, only the public name, possibly the profile pic too)