Thanks Joseph. George Fletcher ran a great session on the topic at the last IIW as well.
George: do you have a link?

On Tue, Nov 3, 2020 at 11:09 AM Joseph Heenan <jos...@authlete.com> wrote:
> Hi Dick
>
> I didn’t attend the call so don’t know the background of this and the
> exact situation, but the general problem is mostly where the Authorization
> Server’s app is *not* installed. In that case Android falls back to much
> weaker mechanisms that allow other apps to get a look in. App links also
> aren’t consistently supported across all commonly used Android browsers,
> which causes further problems.
>
> In general, to do app2app OAuth redirections securely on Android it’s
> necessary for both apps to fetch the /.well-known/assetlinks.json for the
> URL they want to redirect to, and verify that the intent the app intends to
> launch to handle the URL is signed using the expected certificate. Web2app
> flows are trickier, on both iOS and on Android. There were lengthy
> discussions on at least the Android case at OAuth Security Workshop this
> year (recordings available).
>
> Joseph
>
>
> On 20 Oct 2020, at 00:09, Dick Hardt <dick.ha...@gmail.com> wrote:
>
> Hey Vittorio
>
> (cc'ing OAuth list as this was brought up in the office hours today)
>
> https://developer.android.com/training/app-links
>
> An app is the default handler and the developer has verified ownership of
> the HTTPS URL. While a user can override the app being the default handler
> in the system settings -- I don't see how a malicious app can be the
> default setting.
>
> What am I missing?
>
> /Dick
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
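The check Joseph describes (fetch the target host's /.well-known/assetlinks.json yourself, then launch the https:// intent only into an installed app whose package name and signing-certificate fingerprint appear in that file) is shown below as an added Android example. It is not code from the thread, from Google, or from any project the thread mentions; the class and method names are hypothetical, it assumes API level 28 or later (SigningInfo) and that it is called off the main thread because it performs a network fetch. It covers only the app2app direction; the web2app case the thread calls trickier is not addressed.

```java
// Added example (not from the OAuth thread). Resolves an https:// authorization
// URL to an app only if that app is named, with a matching SHA-256 signing-cert
// fingerprint, in the URL host's /.well-known/assetlinks.json. Hypothetical
// class/method names; assumes API 28+ and a background thread for the fetch.
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageInfo;
import android.content.pm.PackageManager;
import android.content.pm.ResolveInfo;
import android.content.pm.Signature;
import android.net.Uri;
import org.json.JSONArray;
import org.json.JSONObject;

import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.HttpsURLConnection;

public final class VerifiedAppLink {
    private static final String HANDLE_ALL_URLS = "delegate_permission/common.handle_all_urls";

    // Returns an Intent pinned with setPackage() to a verified handler, or null when no
    // installed app passes the check. A null result is the "AS app not installed" case:
    // the caller should then open a browser deliberately instead of letting the OS pick
    // whichever app claimed the URL.
    public static Intent build(Context ctx, Uri authorizationUrl) throws Exception {
        PackageManager pm = ctx.getPackageManager();
        Intent intent = new Intent(Intent.ACTION_VIEW, authorizationUrl);
        intent.addCategory(Intent.CATEGORY_BROWSABLE);

        // "package|FINGERPRINT" pairs published by the host itself.
        Set<String> allowed = fetchAllowedHandlers(authorizationUrl.getHost());

        // Look at every app claiming the URL, not only the current default handler.
        List<ResolveInfo> handlers = pm.queryIntentActivities(intent, PackageManager.MATCH_ALL);
        for (ResolveInfo ri : handlers) {
            String pkg = ri.activityInfo.packageName;
            PackageInfo pi = pm.getPackageInfo(pkg, PackageManager.GET_SIGNING_CERTIFICATES);
            // Multi-signer APKs are not representable by a single fingerprint; skip them.
            if (pi.signingInfo == null || pi.signingInfo.hasMultipleSigners()) continue;
            Signature[] signers = pi.signingInfo.getApkContentsSigners();
            if (signers.length != 1) continue;
            String fp = sha256Hex(signers[0].toByteArray());
            if (allowed.contains(pkg + "|" + fp)) {
                intent.setPackage(pkg); // pin the target so no other app can intercept
                return intent;
            }
        }
        return null;
    }

    // Fetches and parses the Digital Asset Links statement list. Redirects are refused
    // so the statement is taken only from the host we are about to hand the URL to.
    static Set<String> fetchAllowedHandlers(String host) throws Exception {
        URL url = new URL("https://" + host + "/.well-known/assetlinks.json");
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setInstanceFollowRedirects(false);
        conn.setConnectTimeout(5000);
        conn.setReadTimeout(5000);
        if (conn.getResponseCode() != 200) throw new IllegalStateException("no assetlinks.json");
        byte[] body;
        try (InputStream in = conn.getInputStream()) { body = readAll(in); }

        Set<String> allowed = new HashSet<>();
        JSONArray statements = new JSONArray(new String(body, StandardCharsets.UTF_8));
        for (int i = 0; i < statements.length(); i++) {
            JSONObject s = statements.getJSONObject(i);
            boolean handlesUrls = false;
            JSONArray relations = s.getJSONArray("relation");
            for (int r = 0; r < relations.length(); r++)
                if (HANDLE_ALL_URLS.equals(relations.getString(r))) handlesUrls = true;
            JSONObject target = s.getJSONObject("target");
            if (!handlesUrls || !"android_app".equals(target.getString("namespace"))) continue;
            String pkg = target.getString("package_name");
            JSONArray fps = target.getJSONArray("sha256_cert_fingerprints");
            for (int f = 0; f < fps.length(); f++)
                allowed.add(pkg + "|" + fps.getString(f).replace(":", "").toUpperCase());
        }
        return allowed;
    }

    private static String sha256Hex(byte[] der) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(der);
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02X", b));
        return sb.toString();
    }

    private static byte[] readAll(InputStream in) throws Exception {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[4096];
        int n;
        while ((n = in.read(buf)) != -1) out.write(buf, 0, n);
        return out.toByteArray();
    }
}
```

The same routine is what the Authorization Server's app should run against the client's redirect_uri host before returning the authorization response, since both legs of the app2app exchange rely on the handler of an https:// URL being the party that published it rather than whatever app the OS (or a user-changed default) would otherwise choose.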