> On Feb 25, 2019, at 4:56 AM, Vittorio Bertocci <[email protected]> wrote:
>
> The callbacks do avoid the loopback, which is great, but the usability
> remains harder than mobile and the embedded case: the auth tab appears among
> others, the modal windows remain a possibility, etc - the level of
> sophistication of the target audience of the github app can definitely
> (hopefully?) navigate those challenges, but for consumer grade apps they can
> be blockers. When decision makers are presented with concrete support costs
> from customer calls vs possible security issues, it's often hard to make a
> case for the latter.
True, but these were all a reality when AppAuth first came about as well - the fall-back was custom URL schemes through the system browser, which meant an application switch, a new tab, a possible modal prompt to get the user back to the application, etc.

It is a harder problem on desktop operating systems because it is more challenging to decide if “external user-agent” always means “system browser” or “user default web browser”, and if the latter, that means a testing matrix to understand the UX and limitations. Hypothetically, in some enterprises external user-agent might even mean “this security product we bought”.

However, we will see more mandatory sandboxing and hard-to-obtain entitlements necessary to talk to the resources we want for authentication. If you are only doing 1P authentication you have a longer runway than a company that wants to leverage third party or enterprise-deployed authentication. And to optimize the UX, those applications may have a period where they decide to include both AppAuth and non-AppAuth flows.

-DW

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
