Self Issued provider returning tokens to an RP App in iOS

Issue #1026 resolved
Nat Sakimura created an issue

Self Issued provider is returning tokens in the authorization response. If the RP is an App, then whether the right RP App is going to be called back or not is kind of iffy when it is relying on a custom scheme.

We probably should add a note to recommend or even require the use of a claimed URI instead of a custom scheme.

Comments (6)

  1. Nat Sakimura reporter
    • changed status to open

    WG discussed it during the call on June 7 and this seems to be a sensible approach.

  2. Michael Jones

    I propose to add the following Security Considerations text:

    Custom Schemes on iOS

    Note that on iOS, multiple applications may have registered as handlers for a custom scheme, and therefore it is not deterministic that the calling application will receive the Authentication Reply from the Self-Issued OpenID Provider. Use of a claimed URI is an alternative to using a custom scheme.
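An added illustration of the proposed Security Considerations text, not part of the issue thread or of the OpenID specification: a Python audit that reads an iOS RP app's Info.plist and entitlements and reports which redirect URIs depend on a custom scheme (which other apps may also register) and which are https URIs claimed through associated domains. The plists, the `examplerp` scheme and the `rp.example.com` domain are constructed sample values, and `audit_redirect_uris` is a hypothetical helper.

```python
import plistlib
from urllib.parse import urlsplit

# Constructed sample Info.plist and entitlements for a hypothetical RP app.
INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleURLTypes</key>
  <array><dict>
    <key>CFBundleURLSchemes</key>
    <array><string>examplerp</string></array>
  </dict></array>
</dict></plist>"""

ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.developer.associated-domains</key>
  <array><string>applinks:rp.example.com</string></array>
</dict></plist>"""


def audit_redirect_uris(redirect_uris, info_plist, entitlements):
    """Classify each redirect URI by how iOS would route it to the app."""
    info = plistlib.loads(info_plist)
    ent = plistlib.loads(entitlements)
    # Custom schemes: not exclusive, another app can register the same one.
    custom = {s.lower() for t in info.get("CFBundleURLTypes", [])
              for s in t.get("CFBundleURLSchemes", [])}
    # Claimed https hosts (exact names only; wildcard entries are not expanded).
    claimed = {d.split(":", 1)[1].split("?")[0].lower()
               for d in ent.get("com.apple.developer.associated-domains", [])
               if d.startswith("applinks:")}
    report = {}
    for uri in redirect_uris:
        parts = urlsplit(uri)
        scheme, host = parts.scheme.lower(), (parts.hostname or "").lower()
        if scheme == "https" and host in claimed:
            report[uri] = "claimed-uri"      # bound to the app via its domain
        elif scheme in custom:
            report[uri] = "custom-scheme"    # delivery to this app not guaranteed
        else:
            report[uri] = "unhandled"        # app declares no handler for it
    return report


if __name__ == "__main__":
    for uri, kind in audit_redirect_uris(
            ["examplerp://callback", "https://rp.example.com/siop/cb"],
            INFO_PLIST, ENTITLEMENTS).items():
        print(f"{kind:14} {uri}")
```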
