Thanks George :) That’s a shame, I would have liked to listen to the recording.
My email below was thinking of the OSW interactive sessions (we had about 2 hours of technical discussion on some of the issues with implementing app2app in practice particularly on Android), but now I’ve looked I think perhaps the recordings of those weren’t published. I have been working on a blog post with others that delves more into the Android side of things, hopefully we will publish that in the not too distant future. I did an identiverse session too, which although it starts out quite similar diverges after about 10 minutes, delving less into the detail of security and covering more of the higher level what/why/how: https://identiverse.gallery.video/detail/video/6186099813001/ Joseph > On 3 Nov 2020, at 22:12, George Fletcher <gffle...@aol.com> wrote: > > I sent in some notes but I don't have a link for the recording. I don't > believe the recordings were being kept much past the end of the conference. > I'm pretty sure I heard that the recordings would be removed after N days (I > don't remember what N was stated as:) > > Joseph explanation is better than I could have given and matches my > understanding as well. > > Thanks, > George > > On 11/3/20 2:13 PM, Dick Hardt wrote: >> Thanks Joseph. >> >> George Fletcher ran a great session on the topic at the last IIW as well. >> >> George: do you have a link? >> >> ᐧ >> >> On Tue, Nov 3, 2020 at 11:09 AM Joseph Heenan <jos...@authlete.com> >> <mailto:jos...@authlete.com> wrote: >> >>> Hi Dick >>> >>> I didn’t attend the call so don’t know the background of this and the >>> exact situation, but the general problem is mostly where the Authorization >>> Server’s app is *not* installed. In that case Android falls back to much >>> weaker mechanisms that allow other apps to get a look in. App links also >>> aren’t consistently supported across all commonly used android browsers >>> which causes further problems. >>> >>> In general to do app2app oauth redirections securely on Android it’s >>> necessary for both apps to fetch the /.well-known/assetlinks.json for the >>> url they want to redirect to, and verify that the intent the app intends to >>> launch to handle the url is signed using the expected certificate. Web2app >>> flows are trickier, on both iOS and on Android. There were lengthy >>> discussions on at least the Android case at OAuth Security Workshop this >>> year (recordings available). >>> >>> Joseph >>> >>> >>> On 20 Oct 2020, at 00:09, Dick Hardt <dick.ha...@gmail.com> >>> <mailto:dick.ha...@gmail.com> wrote: >>> >>> Hey Vittorio >>> >>> (cc'ing OAuth list as this was brought up in the office hours today) >>> >>> https://developer.android.com/training/app-links >>> <https://developer.android.com/training/app-links> >>> >>> An app is the default handler and the developer has verified ownership of >>> the HTTPS URL. While a user can override the app being the default handler >>> in the system settings -- I don't see how a malicious app can be the >>> default setting. >>> >>> What am I missing? >>> >>> /Dick >>> ᐧ >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>> https://www.ietf.org/mailman/listinfo/oauth >>> <https://www.ietf.org/mailman/listinfo/oauth> >>> >>> >>> >
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
