Tuesday, October 3, 2023

Enhancing user safety in OAuth flows through new OAuth Custom URI scheme restrictions — Google for Developers Blog
Posted by Vikrant Rana, Product Manager

OAuth 2.0 Custom URI schemes are known to be vulnerable to app impersonation attacks: any app on the device can register a handler for the same scheme, so the platform cannot guarantee that the authorization response is delivered to the app that started the flow. As part of Google's continuous commitment to user safety and to finding ways to make it safer to use third-party applications that access Google user data, we will be restricting the use of Custom URI scheme methods. They will be disallowed for new Chrome extensions and will not be supported for Android apps by default.

To protect users from malicious actors who might impersonate Chrome extensions and steal their credentials, we no longer allow new extensions to use OAuth Custom URI scheme methods. Instead, implement OAuth using the Chrome Identity API, a more secure way to deliver the OAuth 2.0 response to your app: the redirect goes to an https://<extension-id>.chromiumapp.org/ URL that Chrome intercepts and hands only to the extension with that ID, so no custom scheme is exposed for another app to claim.

What do developers need to do?

New Chrome extensions will be required to use the Chrome Identity API method for authorization. While existing OAuth client configurations are not affected by this change, we strongly encourage you to migrate them to the Chrome Identity API method. In the future, we may disallow Custom URI scheme methods entirely and require all extensions to use the Chrome Identity API method.

By default, new Android apps will not be allowed to use Custom URI schemes to make authorization requests. Instead, consider using the Google Identity Services for Android SDK to deliver the OAuth 2.0 response directly to your app.

What do developers need to do?

We strongly recommend switching existing apps to the Google Identity Services for Android SDK. If you are creating a new app and the recommended alternative does not work for your needs, you can enable the Custom URI scheme method for your app in the "Advanced Settings" section of the client configuration page on the Google API Console.

Users may see an "invalid request" error message if they try to use an app that is making unauthorized requests using the Custom URI scheme method. They can learn more about this error by clicking the "Learn more" link in the error message.

[Image: user-facing error example]

Developers will be able to see additional error information when testing user flows for their applications. Clicking the "see error details" link shows the root cause of the error and links to instructions on how to resolve it.

[Image: developer-facing error example]
