@rogue__leader Yeah sorry, 140 chars isn't enough 😭 ... • Aaron Parecki

Patrick Schaller http://F3Development.com • May 4
Sorry, I meant I'm being told the URL can't be visible and they are holding up other mobile apps login as examples that do not show it.

@rogue__leader Yeah sorry, 140 chars isn't enough 😭

Before SFSafariView, the only way to securely do OAuth was to launch the native Safari browser. This meant you'd get bounced out of the app, which a lot of developers didn't want to do to their users. I don't disagree that this was a bad experience, and plenty of people feel the same.

What ended up happening is people instead started embedding the WebView into their apps, in order to avoid having their users bounce out of the app and come back. The compromise in this case is that people would have to type their password to log in, because the embedded WebView doesn't share cookies with the system browser.

It took Apple a long time to roll out SFSafariView, so there are just a lot of apps out there that still have the embedded WebView.

Advantages of WebView:
• Does not make the user leave the app to complete the OAuth flow

Problems with WebView:
• User has no way to verify they are on the real website, so phishing attacks are undetectable
• Does not share system cookies, so users have to type their password every time

Advantages of SFSafariView:
• Does not make the user leave the app to complete the OAuth flow
• The user can see the address bar so can verify they're on the correct website
• Shares system cookies, so the user won't have to type their password if they've already signed in using the native Safari app

I should probably turn this into a proper blog post.

Portland, Oregon

Thu, May 4, 2017 10:47am -07:00 #oauth2

2 replies
Have you written a response to this? Let me know the URL:
- Aaron Parecki aaronparecki.com
  
  The Google Inbox and Voice apps do it! I know I've used a couple more, but can't remember off-hand.
  
  Thu, May 4, 2017 6:17pm +00:00 (via brid-gy.appspot.com)
- Patrick Schaller F3Development.com
  
  WOW, thank you so much! Do you know, offhand, of any mobile apps doing Auth this way?
  
  Thu, May 4, 2017 6:12pm +00:00 (via brid-gy.appspot.com)

Posted in /replies using quill.p3k.io