In case you needed a reminder about why we care so much about OAuth/OIDC flows being used in the system browser and not embedded browsers, Instagram injects their own tracking code in every web page you visit inside Instagram krausefx.com/blog/ios-privac…
Although if it is a first party oauth integration (where one company controls the mobile app, the APIs, and, through a legal contract the Authorization Server), this injection is less of an issue, right?
Replying to @mooreds
This particular issue isn't really a problem if you control the app and AS, but there are other reasons not to embed the AS page in an in-app web view.

Aug 11, 2022 · 9:45 PM UTC

Replying to @aaronpk
Agreed, as outlined here: datatracker.ietf.org/doc/htm… However, many folks, especially when first party all the way through, are willing to accept the downsides for better UX (popping out to the system browser being a pretty horrible UX). Hobson's browser is real: infrequently.org/2021/07/hob…
Frankly the "system browser is horrible UX" argument lost a long time ago once the OSs provided in-app browsers that share system cookies but aren't visible to the app.