Hi Arnaud,

On 13/03/2013 00:46, "Arnaud Didry" <[email protected]> wrote:

>In the case of packaged apps, we can't restrict the diffusion to a
>specific application because app URIs seem to be unique for each device.
>Am I wrong? I could add the app uuid alongside the redirect_uri param to
>use it later in postMessage, but it would still allow anyone to use my
>API client id in a malicious webapp.
>
>Having a URI like app://{store_id}, or better, an app domain
>(app://developer.com) would solve the problem. I didn't find any
>reference to this feature in the roadmap or in bugzilla. Is this planned?
>Am I missing something?
>
>Besides this OAuth problem, having a known URI would be great for a
>developer to help him identify requests coming from his app by looking at
>the referer. It would also remove the need to have a server in the
>authentication flow (provided that the OAuth provider allows the app://
>scheme in the redirect URI).

We use the postMessage trick because OAuth service providers (like
Gmail, Facebook, etc.) don't recognise the protocol 'app://' as a valid
redirection URL. So what we do is open a new window and point the
redirection URL to a host that we control. The only thing that host
does is get all the variables passed and send them via postMessage to the
opener window.


The result is having all the variables that the service provider sends in
your packaged app.

There is an example of that service in this open source project:

https://github.com/arcturus/postmessageitor


Cheers!
F.
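
The relay described above, written out as an added example (this is not code from the thread or from the postmessageitor project). It splits the flow into the two halves the reply mentions: the page on the controlled host that collects whatever the provider appended to the redirect URL and hands it to window.opener, and the handler in the packaged app that accepts the message only if it came from the relay host and carries the `state` value the app generated before opening the provider window. The relay host https://relay.example, the message shape, and the fixed `state` value are assumptions for illustration; browser objects (window.opener, the message event) are passed in as parameters so the functions also run in Node.

```javascript
// Added example, not the thread's or the postmessageitor project's own code.
// Relay host, message shape and state value are assumptions for illustration.

// Relay page side: collect every parameter the OAuth provider put on the
// redirect URL. Providers use the query string for the code flow
// ("?code=...&state=...") and the fragment for the implicit flow
// ("#access_token=...&state=..."), so read both.
function collectRedirectParams(redirectUrl) {
  const url = new URL(redirectUrl);
  const params = {};
  for (const [k, v] of url.searchParams) params[k] = v;
  const fragment = url.hash.startsWith('#') ? url.hash.slice(1) : url.hash;
  for (const [k, v] of new URLSearchParams(fragment)) params[k] = v;
  return params;
}

// Relay page side: forward the collected parameters to the window that opened
// us. In the browser `opener` is window.opener. The relay cannot hard-code the
// packaged app's origin as targetOrigin, because (as the thread notes) app://
// origins differ per device; when '*' is used here the app side must do the
// origin and state checks itself.
function relayToOpener(redirectUrl, opener, targetOrigin) {
  if (!opener) return null; // page was not opened with window.open, nothing to notify
  const message = { type: 'oauth-redirect', params: collectRedirectParams(redirectUrl) };
  opener.postMessage(message, targetOrigin);
  return message;
}

// App side: build the 'message' listener. It accepts a relayed result only when
// the event comes from our relay origin and the `state` matches the value we
// generated for this authorization request, so a token relayed by another page
// or obtained with our client id elsewhere cannot be injected into the app.
function makeOpenerHandler(relayOrigin, expectedState) {
  return function onMessage(event) {
    if (event.origin !== relayOrigin) return { ok: false, reason: 'origin' };
    const data = event.data;
    if (!data || data.type !== 'oauth-redirect') return { ok: false, reason: 'type' };
    if (!data.params || data.params.state !== expectedState) return { ok: false, reason: 'state' };
    return { ok: true, params: data.params };
  };
}

// Constructed end-to-end run with a fake opener and fake message events, so both
// halves can be exercised without a browser.
function demo() {
  const relayOrigin = 'https://relay.example'; // hypothetical relay host
  const state = 'n3Qk7v1'; // constructed; generate with a CSPRNG in the real app
  const received = [];
  const fakeOpener = {
    postMessage: (msg, target) => received.push({ data: msg, origin: relayOrigin, target }),
  };

  // 1. Provider redirects the popup to the relay with the result in the fragment.
  relayToOpener(`${relayOrigin}/cb#access_token=tok123&token_type=bearer&state=${state}`,
                fakeOpener, '*');

  // 2. The app's handler sees the genuine message and two forged ones.
  const handle = makeOpenerHandler(relayOrigin, state);
  return {
    genuine: handle({ origin: received[0].origin, data: received[0].data }),
    wrongOrigin: handle({ origin: 'https://evil.example', data: received[0].data }),
    wrongState: handle({
      origin: relayOrigin,
      data: { type: 'oauth-redirect', params: { access_token: 'x', state: 'other' } },
    }),
  };
}
```

In the relay page the call is `relayToOpener(location.href, window.opener, targetOrigin)`; in the app, `window.addEventListener('message', makeOpenerHandler('https://relay.example', state))` with the handler's result driving the rest of the flow. The `state` check is what closes the gap raised in the question: the relay host is public, so binding each relayed result to a per-request nonce is what ties it to this app's own authorization request.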


_______________________________________________
dev-webapps mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-webapps