Hi,
I am developing a packaged application but I feel that I'm hitting a wall when
trying to implement an oauth2 consumer.
I looked at how you've implemented the contact import in Gaia. The OAuth
provider is requested with one of your servers as "redirect_uri". At the end of
the authentication process, your server uses the postMessage API to hand back
the OAuth tokens to the window.opener and restricts the diffusion to
"app://communications.gaiamobile.org".
In the case of a packaged app, we can't restrict the diffusion to a specific
application because app URIs seem to be unique for each device. Am I wrong? I
could add the app UUID alongside the redirect_uri param to use it later in
postMessage, but it would still allow anyone to use my API client id in a
malicious webapp.
Having a URI like app://{store_id}, or better, an app domain
(app://developer.com) would solve the problem. I didn't find any reference to
this feature in the roadmap or in Bugzilla. Is this planned? Am I missing
something?
Besides this OAuth problem, having a known URI would be great for a developer to
help him identify requests coming from his app by looking at the referer. It
would also remove the need to have a server in the authentication flow
(provided that the OAuth provider allows the app:// scheme in the redirect URI).
Thanks for your help!
Cheers
Arnaud
_______________________________________________
dev-webapps mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-webapps
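The postMessage hand-back the post describes, written as an added example (not Gaia's code and not from the post) with both sides as plain functions so they can be exercised outside a browser. The origin values, function names and token shape are assumptions; in a real page `opener` is `window.opener` and the listener is registered with `window.addEventListener('message', ...)`.

```javascript
// Constructed origins: the server page named as redirect_uri, and the app that
// opened the popup. The app origin is the only one allowed to receive tokens.
const PROVIDER_CALLBACK_ORIGIN = 'https://oauth-callback.example.com';
const APP_ORIGIN = 'app://communications.gaiamobile.org';

// Sender side: runs on the server's redirect_uri page after the provider
// redirected back. targetOrigin must be the app's origin; with '*' the browser
// delivers the tokens to whichever page opened the popup, which is the risk
// the post raises when the app origin cannot be known in advance.
function handBackTokens(opener, tokens, targetOrigin) {
  if (!opener) {
    throw new Error('no window.opener: page was not opened as a popup');
  }
  if (targetOrigin === '*') {
    throw new Error('refusing to post OAuth tokens to any origin');
  }
  const message = {
    type: 'oauth-tokens',
    accessToken: tokens.accessToken,
    expiresIn: tokens.expiresIn,
  };
  opener.postMessage(message, targetOrigin);
  return message;
}

// Receiver side: the app's 'message' handler. It accepts only messages whose
// origin is the server page and whose source is the popup the app itself
// opened, so a token message injected by any other page is dropped.
function makeTokenListener(expectedOrigin, expectedSource, onTokens) {
  return function onMessage(event) {
    if (event.origin !== expectedOrigin) return false;   // not the callback page
    if (expectedSource && event.source !== expectedSource) return false; // not our popup
    const data = event.data;
    if (!data || data.type !== 'oauth-tokens' || typeof data.accessToken !== 'string') {
      return false;                                      // malformed message
    }
    onTokens({ accessToken: data.accessToken, expiresIn: data.expiresIn });
    return true;
  };
}
```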