This particular issue isn't really a problem if you control the ... • Aaron Parecki

Dan Moore https://twitter.com/mooreds • Aug 11
Although if it is a first party oauth integration (where one company controls the mobile app, the APIs, and, through a legal contract the Authorization Server), this injection is less of an issue, right?

This particular issue isn't really a problem if you control the app and AS, but there are other reasons not to embed the AS page in an in-app web view.

Austin, Texas • 99°F

Thu, Aug 11, 2022 4:44pm -05:00

1 like 4 replies
- Dan Moore
Have you written a response to this? Let me know the URL:
- Aaron Parecki twitter.com/aaronpk
  
  The only time you might be able to convince me that it's acceptable is if this account is only for one app and everything is all first party. If there's only ever one app then there's effectively no OAuth and everything (including the AS) is part of the app.
  
  Thu, Aug 11, 2022 10:05pm +00:00 (via brid.gy)
- Dan Moore twitter.com/mooreds
  
  So in your mind, no reason to ever use a webview/embedded browser? Or do I misunderstand?
  
  Thu, Aug 11, 2022 10:02pm +00:00 (via brid.gy)
- Aaron Parecki twitter.com/aaronpk
  
  Frankly the "system browser is horrible UX" argument lost a long time ago once the OSs provided in-app browsers that share system cookies but aren't visible to the app.
  
  Thu, Aug 11, 2022 9:56pm +00:00 (via brid.gy)
- Dan Moore twitter.com/mooreds
  
  Agreed, as outlined here: datatracker.ietf.org/doc/html/rfc82… However, many folks, esp when first party all the way through, are willing to accept the downsides for better UX (popping out to the system browser being a pretty horrible UX). Hobson's browser is real: infrequently.org/2021/07/hobson…
  
  Thu, Aug 11, 2022 9:55pm +00:00 (via brid.gy)

Posted in /replies using indigenous.abode.pub/ios