In case you needed a reminder about why we care so much about OAuth/OIDC flows being used in the system browser and not embedded browsers, Instagram injects their own tracking code in every web page you visit inside Instagram krausefx.com/blog/ios-privac…
Although if it is a first party oauth integration (where one company controls the mobile app, the APIs, and, through a legal contract the Authorization Server), this injection is less of an issue, right?
This particular issue isn't really a problem if you control the app and AS, but there are other reasons not to embed the AS page in an in-app web view.
Agreed, as outlined here: datatracker.ietf.org/doc/htm… However, many folks, especially when first-party all the way through, are willing to accept the downsides for better UX (popping out to the system browser being a pretty horrible UX). Hobson's browser is real: infrequently.org/2021/07/hob…
Frankly the "system browser is horrible UX" argument lost a long time ago once the OSs provided in-app browsers that share system cookies but aren't visible to the app.
So in your mind, no reason to ever use a webview/embedded browser? Or do I misunderstand?
Replying to @mooreds
The only time you might be able to convince me that it's acceptable is if this account is only for one app and everything is all first party. If there's only ever one app then there's effectively no OAuth and everything (including the AS) is part of the app.

Aug 11, 2022 · 10:05 PM UTC