Enhancing user safety in OAuth flows through new OAuth Custom URI scheme restrictions — Google for Developers Blog



Posted by Vikrant Rana, Product Manager

OAuth 2.0 Custom URI schemes are known to be vulnerable to app impersonation attacks. As part of Google's continuous commitment to user safety and to finding ways to make it safer to use third-party applications that access Google user data, we will be restricting the use of custom URI scheme methods. They will be disallowed for new Chrome extensions and will no longer be supported for Android apps by default.

To protect users from malicious actors who might impersonate Chrome extensions and steal their credentials, we no longer allow new extensions to use OAuth custom URI scheme methods. Instead, implement OAuth using the Chrome Identity API, a safer way to deliver the OAuth 2.0 response to your app.

What do developers need to do?

New Chrome extensions will be required to use the Chrome Identity API method for authorization. While existing OAuth client configurations are not affected by this change, we strongly encourage you to migrate them to the Chrome Identity API method. In the future, we may disallow Custom URI scheme methods entirely and require all extensions to use the Chrome Identity API method.
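As an added example (not code from the original post), this is the shape of an authorization request from a Chrome extension using chrome.identity.launchWebAuthFlow: the redirect goes to the extension's own https://<extension-id>.chromiumapp.org/ URL obtained from chrome.identity.getRedirectURL() rather than to a custom URI scheme that any installed app could claim, and the response is accepted only if it carries the per-request state value. The client ID, scopes and extension ID used here are placeholders.

```javascript
// Added example: OAuth 2.0 authorization code request from a Chrome extension via
// chrome.identity.launchWebAuthFlow. The redirect lands on this extension's own
// https://<extension-id>.chromiumapp.org/ URL. Client ID and scopes are placeholders.

const AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth";

// Random, unguessable state value that binds the response to this request.
function makeState() {
  const bytes = new Uint8Array(16);
  crypto.getRandomValues(bytes);
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Build the authorization URL. Pure function, so it can be unit tested offline.
function buildAuthUrl({ clientId, redirectUri, scopes, state }) {
  const url = new URL(AUTH_ENDPOINT);
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("scope", scopes.join(" "));
  url.searchParams.set("state", state);
  return url.toString();
}

// Parse the redirect URL Chrome hands back. Reject any response whose state does
// not match the one we generated, and surface provider-side errors.
function parseRedirect(responseUrl, expectedState) {
  const params = new URL(responseUrl).searchParams;
  if (params.get("state") !== expectedState) {
    throw new Error("state mismatch: response is not bound to this request");
  }
  if (params.has("error")) {
    throw new Error(`authorization failed: ${params.get("error")}`);
  }
  const code = params.get("code");
  if (!code) throw new Error("redirect carried no authorization code");
  return code;
}

// Runs inside the extension (e.g. its background service worker); not run offline.
async function authorize(clientId, scopes) {
  const state = makeState();
  const redirectUri = chrome.identity.getRedirectURL(); // https://<ext-id>.chromiumapp.org/
  const responseUrl = await chrome.identity.launchWebAuthFlow({
    url: buildAuthUrl({ clientId, redirectUri, scopes, state }),
    interactive: true,
  });
  return parseRedirect(responseUrl, state); // exchange the code server-side afterwards
}
```

The returned authorization code still has to be exchanged for tokens; keeping that exchange (and the client secret) off the extension is what makes this flow safe to ship.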

By default, new Android apps will not be allowed to use Custom URI schemes to make authorization requests. Instead, consider using the Google Identity Services for Android SDK to deliver the OAuth 2.0 response directly to your app.

What do developers need to do?

We strongly recommend switching existing apps to use the Google Identity Services for Android SDK. If you're developing a new app and the recommended alternative doesn't work for your needs, you can enable the Custom URI scheme method for your app in the "Advanced Settings" section of the client configuration page on the Google API Console.

Users may see an "invalid request" error message if they try to use an app that is making unauthorized requests using the Custom URI scheme method. They can learn more about this error by clicking the "Learn more" link in the error message.

[Image: user-facing error message]

User-facing error example

Developers will be able to see additional error information when testing user flows for their applications. They can get more details about the error by clicking the "see error details" link, including its root cause and links to instructions on how to resolve the error.

[Image: developer-facing error message]

Developer-facing error example
