Hi, is this sentence in the introduction of RFC 7636 (https://datatracker.ietf.org/doc/html/rfc7636) still true? “The Redirection Endpoint URI in this case typically uses a custom URI scheme.”
I think mobile applications should be registered by the developer for their domain. If the developer has control over their backend/webserver, they can easily set up .well-known files for Android and iOS to find that bind the mobile app to that domain.

Example by DT/TDG: https://www.telekom.de/.well-known/apple-app-site-association
The appId is bound to the paths at that domain.

Android also allows an app to bind itself to a URL: https://developer.android.com/training/app-links/verify-android-applinks

Is the word “typically” still true nine years after RFC 7636 was written? I suggest removing the word “typically” in the introduction and adding a security section that recommends registering the mobile app for a URL.

7.6 Registering the mobile app for a URL

Major operating systems and app store management systems allow the registration of a URL to a mobile app. With a URL registered to the mobile app, an attacker cannot register their malicious app for the same URL as the mobile app. It is RECOMMENDED that the developer of the mobile app binds the app to a URL.

Or are these URL-binding-to-app mechanisms of Android and iOS too proprietary? I would not mention them by name in an RFC. But the majority of (native) mobile apps can register their URL, and I think the RFC should mention this security measure.

Also, I am wondering why this mechanism is not mentioned in https://datatracker.ietf.org/doc/draft-parecki-oauth-first-party-apps/. I probably missed discussion on the mailing list. I found some mention of universal links, e.g. https://mailarchive.ietf.org/arch/msg/oauth/cN0uYaEd5uOLEprCwc-0wJjKJfs/ in 2020, but these discussions did not lead to anything in RFCs or drafts. Why?

I think that if developers can register a URL to their native mobile app, then they should do that.

Kind regards
Axel
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org
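To make the app-binding idea from the post concrete, here is an added example (not code from the post, from the IETF, or from any vendor) of how an authorization server's registration policy could classify a redirect URI against the two .well-known documents mentioned: Apple's apple-app-site-association and Android's assetlinks.json. Both documents are constructed samples with a placeholder certificate fingerprint, the path matcher is a deliberate simplification of Apple's grammar, and the caller is assumed to have fetched the documents from the redirect URI's own host.

```python
import json
from fnmatch import fnmatchcase
from urllib.parse import urlparse

# Constructed sample documents (not fetched from any real domain): the two
# .well-known files the post points to, reduced to the fields used here.
AASA = json.dumps({"applinks": {"apps": [], "details": [
    {"appID": "ABCDE12345.com.example.app",
     "paths": ["NOT /oauth/admin/*", "/oauth/*"]}]}})
ASSETLINKS = json.dumps([{
    "relation": ["delegate_permission/common.handle_all_urls"],
    "target": {"namespace": "android_app", "package_name": "com.example.app",
               "sha256_cert_fingerprints": ["00:11:22:PLACEHOLDER"]}}])


def ios_apps_claiming(aasa_json, path):
    """Return the appIDs whose AASA 'paths' entries claim `path`.

    Simplified matcher (assumption, not Apple's full grammar): '*' is a glob,
    a leading 'NOT ' excludes, and the first matching entry decides."""
    claimed = []
    for detail in json.loads(aasa_json)["applinks"]["details"]:
        for pattern in detail["paths"]:
            exclude = pattern.startswith("NOT ")
            if fnmatchcase(path, pattern[4:] if exclude else pattern):
                if not exclude:
                    claimed.append(detail["appID"])
                break
    return claimed


def android_apps_claiming(assetlinks_json):
    """Return package names that claim every URL on the origin (Android App Links)."""
    return [s["target"]["package_name"] for s in json.loads(assetlinks_json)
            if "delegate_permission/common.handle_all_urls" in s["relation"]
            and s["target"]["namespace"] == "android_app"]


def classify_redirect_uri(redirect_uri, aasa_json, assetlinks_json):
    """Classify a redirect URI as an authorization server's policy might:
    'custom-scheme' (the RFC 7636 wording), 'app-bound' (https URI covered by
    a published app association of its host) or 'unbound' (claimable by any app).
    The association documents must come from redirect_uri's own host."""
    u = urlparse(redirect_uri)
    if u.scheme not in ("http", "https"):
        return "custom-scheme"
    if u.scheme != "https":
        return "unbound"  # associations are only served and verified over https
    bound = ios_apps_claiming(aasa_json, u.path) or android_apps_claiming(assetlinks_json)
    return "app-bound" if bound else "unbound"
```

The 'unbound' result is the one a reviewer of a client registration would flag: an https redirect URI whose host publishes no association is not protected against another app registering the same URL.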