In case you needed a reminder about why we care so much about ... • Aaron Parecki

64°F

In case you needed a reminder about why we care so much about OAuth/OIDC flows being used in the system browser and not embedded browsers, Instagram injects their own tracking code in every web page you visit inside Instagram https://krausefx.com/blog/ios-privacy-instagram-and-facebook-can-track-anything-you-do-on-any-website-in-their-in-app-browser

Austin, Texas, USA • 99°F

Wed, Aug 10, 2022 1:46pm -05:00 #instagram #oauth

53 likes 20 reposts 9 replies
Have you written a response to this? Let me know the URL:
- Aaron Parecki twitter.com/aaronpk
  
  Oof yeah. At least they give you a button to pop out to the real browser easier.
  
  Fri, Aug 12, 2022 2:37am +00:00 (via brid.gy)
- Aaron Parecki twitter.com/aaronpk
  
  The only time you might be able to convince me that it's acceptable is if this account is only for one app and everything is all first party. If there's only ever one app then there's effectively no OAuth and everything (including the AS) is part of the app.
  
  Thu, Aug 11, 2022 10:05pm +00:00 (via brid.gy)
- Dan Moore twitter.com/mooreds
  
  So in your mind, no reason to ever use a webview/embedded browser? Or do I misunderstand?
  
  Thu, Aug 11, 2022 10:02pm +00:00 (via brid.gy)
- Aaron Parecki twitter.com/aaronpk
  
  Frankly the "system browser is horrible UX" argument lost a long time ago once the OSs provided in-app browsers that share system cookies but aren't visible to the app.
  
  Thu, Aug 11, 2022 9:56pm +00:00 (via brid.gy)
- Dan Moore twitter.com/mooreds
  
  Agreed, as outlined here: datatracker.ietf.org/doc/html/rfc82… However, many folks, esp when first party all the way through, are willing to accept the downsides for better UX (popping out to the system browser being a pretty horrible UX). Hobson's browser is real: infrequently.org/2021/07/hobson…
  
  Thu, Aug 11, 2022 9:55pm +00:00 (via brid.gy)
- Aaron Parecki twitter.com/aaronpk
  
  This particular issue isn't really a problem if you control the app and AS, but there are other reasons not to embed the AS page in an in-app web view.
  
  Thu, Aug 11, 2022 9:45pm +00:00 (via brid.gy)
- Dan Moore twitter.com/mooreds
  
  Although if it is a first party oauth integration (where one company controls the mobile app, the APIs, and, through a legal contract the Authorization Server), this injection is less of an issue, right?
  
  Thu, Aug 11, 2022 3:00pm +00:00 (via brid.gy)
- George Fletcher twitter.com/gffletch
  
  And of course Twitter opens the link in an in-app browser:-)
  
  Thu, Aug 11, 2022 9:59am +00:00 (via brid.gy)
- Justin Dah-kenangnon twitter.com/Dahkenangnon
  
  Surely!
  
  Wed, Aug 10, 2022 6:58pm +00:00 (via brid.gy)

Posted in /notes using quill.p3k.io