Here’s the OSW recording on app2app.

https://www.youtube.com/watch?v=vktyY5CXwjg


From: OAuth <oauth-boun...@ietf.org>
Date: Tuesday, November 3, 2020 at 14:14
To: Joseph Heenan <jos...@authlete.com>, George Fletcher <gffle...@aol.com>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Android App Links (AKA Universal Links)
Thanks Joseph.

George Fletcher ran a great session on the topic at the last IIW as well.

George: do you have a link?


On Tue, Nov 3, 2020 at 11:09 AM Joseph Heenan 
<jos...@authlete.com> wrote:
Hi Dick

I didn’t attend the call so don’t know the background of this and the exact 
situation, but the general problem is mostly where the Authorization Server’s 
app is *not* installed. In that case Android falls back to much weaker 
mechanisms that allow other apps to get a look in. App links also aren’t 
consistently supported across all commonly used Android browsers which causes 
further problems.

In general to do app2app oauth redirections securely on Android it’s necessary 
for both apps to fetch the /.well-known/assetlinks.json for the url they want 
to redirect to, and verify that the intent the app intends to launch to handle 
the url is signed using the expected certificate. Web2app flows are trickier, 
on both iOS and on Android. There were lengthy discussions on at least the 
Android case at OAuth Security Workshop this year (recordings available).

Joseph



On 20 Oct 2020, at 00:09, Dick Hardt 
<dick.ha...@gmail.com> wrote:

Hey Vittorio

(cc'ing OAuth list as this was brought up in the office hours today)

https://developer.android.com/training/app-links

An app is the default handler and the developer has verified ownership of the 
HTTPS URL. While a user can override the app being the default handler in the 
system settings -- I don't see how a malicious app can be the default setting.

What am I missing?

/Dick
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
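The verification Joseph describes for the app2app case, as an added example that is not code from the thread or from any Android library: the client fetches the Authorization Server's /.well-known/assetlinks.json over HTTPS, then compares the package name and SHA-256 signing-certificate fingerprint of the app the OS resolved for the URL against the statements the AS published, and refuses to launch the intent when the file is unavailable or nothing matches. The host, package name, certificate bytes and the assetlinks document are all constructed; on a device the certificate would come from the package manager for the resolved package, and the document from an HTTPS fetch, both outside this example.

```python
import hashlib
import json
from typing import Dict, Optional, Set

# Relation that grants an app the right to handle the site's URLs.
HANDLE_ALL_URLS = "delegate_permission/common.handle_all_urls"


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded signing certificate in the colon-separated
    uppercase hex form used in assetlinks.json."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed stand-ins for certificate bytes (not real certificates). A real
# check would read the signing certificate of the resolved package from the OS.
GENUINE_AS_CERT = b"constructed-der-bytes-of-the-genuine-AS-app-signing-cert"
IMPOSTOR_CERT = b"constructed-der-bytes-of-some-other-app-signing-cert"

# Constructed document standing in for what a hypothetical AS would publish at
# https://as.example/.well-known/assetlinks.json for its hypothetical app.
SAMPLE_ASSETLINKS = json.dumps([{
    "relation": [HANDLE_ALL_URLS],
    "target": {
        "namespace": "android_app",
        "package_name": "com.example.as.app",
        "sha256_cert_fingerprints": [cert_fingerprint(GENUINE_AS_CERT)],
    },
}])


def authorized_handlers(assetlinks_json: str) -> Dict[str, Set[str]]:
    """Parse an assetlinks.json document into {package_name: {fingerprints}}
    for every statement that grants handle_all_urls to an Android app."""
    handlers: Dict[str, Set[str]] = {}
    for statement in json.loads(assetlinks_json):
        if HANDLE_ALL_URLS not in statement.get("relation", []):
            continue
        target = statement.get("target", {})
        if target.get("namespace") != "android_app":
            continue
        package = target.get("package_name")
        fingerprints = {fp.upper() for fp in target.get("sha256_cert_fingerprints", [])}
        if package and fingerprints:
            handlers.setdefault(package, set()).update(fingerprints)
    return handlers


def may_launch(assetlinks_json: Optional[str], resolved_package: str,
               resolved_cert: bytes) -> bool:
    """Decide whether the app the OS resolved for the AS URL is one the AS
    vouches for. A missing or unparseable document means no decision can be
    made, and that is exactly the situation where the OS falls back to weaker
    resolution, so the answer is to refuse rather than launch."""
    if assetlinks_json is None:
        return False
    try:
        handlers = authorized_handlers(assetlinks_json)
    except (ValueError, AttributeError, TypeError):
        return False
    return cert_fingerprint(resolved_cert) in handlers.get(resolved_package, set())


if __name__ == "__main__":
    print(may_launch(SAMPLE_ASSETLINKS, "com.example.as.app", GENUINE_AS_CERT))  # True
    print(may_launch(SAMPLE_ASSETLINKS, "com.example.as.app", IMPOSTOR_CERT))    # False
    print(may_launch(None, "com.example.as.app", GENUINE_AS_CERT))               # False
```

The package name alone is not enough: the fingerprint is what ties the handler to the certificate the AS publishes, which is why the check compares both. The same logic applies in the other direction when the AS app redirects back to the client's redirect URI, with the client's assetlinks.json as the source of truth.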
