A strange aspect of this thread is that the current draft already talks about exactly this issue:

draft-ietf-oauth-v2-21 section 9 "Native Applications"

"...Native applications can invoke an external user-agent or embed a user-agent within the application ... Embedded user-agents pose a security challenge because resource owners are authenticating in an unidentified window without access to the visual protections found in most external user-agents. Embedded user-agents educate end-user to trust unidentified requests for authentication (making phishing attacks easier to execute)."

The webView that Michael Thomas talks about is an "embedded user-agent".

--
James Manger

----------
From: oauth-boun...@ietf.org [mailto:oauth-boun...@ietf.org] On Behalf Of Michael Thomas

...
At this point, it would be just nice for the industry to know that the issue even *exists*.

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth