Self-Issued provider returning tokens to an RP App in iOS
Self-Issued provider is returning tokens in the authorization response. If the RP is an App, then whether the right RP App is going to be called back or not is kind of iffy when it is relying on a custom scheme.
We probably should add a note to recommend or even require the use of claimed URI instead of custom scheme.
Comments (6)
reporter changed status to open
WG discussed it during the call on June 7 and this seems to be a sensible approach.
I propose to add the following Security Considerations text:
Custom Schemes on iOS
Note that on iOS, multiple applications may have registered as handlers for a custom scheme, and therefore it is not deterministic that the calling application will receive the Authentication Reply from the Self-Issued OpenID Provider. Use of a claimed URI is an alternative to using a custom scheme.
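A check an RP developer could run against its own registration, as an added example that is not part of this issue thread or the spec text: it flags a custom-scheme redirect URI and accepts an https URI only when an apple-app-site-association (AASA) document claims that path for the app. The domain, app ID and paths are constructed samples; the path-matching rules (first match wins, "*" and "?" wildcards, "NOT " exclusions) follow Apple's documented AASA format.

```python
"""Added example: why a claimed https URI is safer than a custom scheme.

A custom scheme such as "myrp://callback" can be registered by any app on
the device, so the Self-Issued OP's response may land in the wrong app.
A claimed https URI is bound to one app through the AASA file served by
the domain. All values below are constructed samples.
"""
import fnmatch
import json
from urllib.parse import urlparse

# Constructed AASA document, as it would be served from
# https://rp.example/.well-known/apple-app-site-association
SAMPLE_AASA = json.dumps({
    "applinks": {
        "apps": [],
        "details": [
            {"appID": "ABCDE12345.com.example.rp",
             "paths": ["NOT /oidc/admin/*", "/oidc/callback", "/oidc/cb/*"]},
        ],
    }
})


def aasa_claims_path(aasa_json: str, app_id: str, path: str) -> bool:
    """True if the AASA document claims `path` for `app_id`.

    Patterns are tried in order; the first match decides, and a pattern
    prefixed with "NOT " excludes the path instead of claiming it.
    """
    details = json.loads(aasa_json).get("applinks", {}).get("details", [])
    for entry in details:
        if entry.get("appID") != app_id:
            continue
        for pattern in entry.get("paths", []):
            exclude = pattern.startswith("NOT ")
            glob = pattern[4:] if exclude else pattern
            if fnmatch.fnmatchcase(path, glob):  # "*" and "?" wildcards
                return not exclude
    return False


def classify_redirect_uri(redirect_uri: str, aasa_json: str, app_id: str) -> str:
    """Classify an RP redirect URI from the RP's own point of view.

    "custom-scheme": any app may register it (the issue's concern);
    "insecure-http": not eligible as a claimed URI; "claimed": https and
    the AASA document binds the path to this app; else "unclaimed-https".
    The caller supplies the AASA document fetched from the URI's host.
    """
    u = urlparse(redirect_uri)
    if u.scheme == "http":
        return "insecure-http"
    if u.scheme != "https":
        return "custom-scheme"
    return "claimed" if aasa_claims_path(aasa_json, app_id, u.path) else "unclaimed-https"
```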
Will be fixed by https://bitbucket.org/openid/connect/pull-requests/597
changed status to resolved
Nat will propose possible additional security considerations text.