Skip to content
This repository has been archived by the owner on Jun 19, 2023. It is now read-only.

[OAuth2] Improve trust/security when login in embedded web view #942

Open
michaelstingl opened this issue Sep 22, 2017 · 3 comments
Open

Comments

@michaelstingl
Copy link
Contributor

michaelstingl commented Sep 22, 2017

As discussed at the ownCloud Conference 2017, there some best practice recommendations to improve trust and security when user login in the embedded web view.

This is is an article from Carnegy Mellon CERT that describes the motivation:
https://insights.sei.cmu.edu/cert/2016/08/the-risks-of-google-sign-in-on-ios-devices.html

Another article describes possible solutions with a contribution from Google:
https://www.pingidentity.com/en/blog/2016/03/10/using_appauth_to_enable_your_apps_with_mobile_sso.html

There is also a video recording available from the Google Team:
https://youtu.be/DdQTXrk6YTk

You will find very detailed information in a new IETF draft from OAuth Working Group:
https://tools.ietf.org/html/draft-ietf-oauth-native-apps (June 9, 2017)
https://tools.ietf.org/html/rfc8252 (October 2017)

@nasli @pablocarmu Could you check how the ownCloud iOS client could be improved following the linked recommendation?

Related: owncloud/android#2036

00008274

@nasli
Copy link
Contributor

nasli commented Oct 31, 2017

From iOS it could be improved using SFSafariViewController instead UIWebView. Great info on links to review, thanks @michaelstingl

@michaelstingl
Copy link
Contributor Author

I also don’t understand yet what else https://github.com/openid/AppAuth-iOS would help us besides only using SFSafariViewController. Is there more we could use?

@jesmrec
Copy link
Contributor

jesmrec commented Feb 15, 2018

Regarding owncloud/android#2036 (comment)

Necessity to isolate webview cookies from core/oauth2 cookies.

  • Cookies received before webview triggering have to be stored and taken in account (at this point, infrastructures with proxies etc send their cookies)
  • Requests to OAuth2 endpints do not need to be authenticated.
  • Valid session cookies, the ones after session token is granted.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

No branches or pull requests

3 participants