[OAuth2] Improve trust/security when logging in via the embedded web view
As discussed at the ownCloud Conference 2017, there are some best-practice recommendations to improve trust and security when users log in via the embedded web view.
This is an article from Carnegie Mellon CERT that describes the motivation: https://insights.sei.cmu.edu/cert/2016/08/the-risks-of-google-sign-in-on-ios-devices.html
Another article describes possible solutions with a contribution from Google: https://www.pingidentity.com/en/blog/2016/03/10/using_appauth_to_enable_your_apps_with_mobile_sso.html
There is also a video recording available from the Google Team: https://youtu.be/DdQTXrk6YTk
You will find very detailed information in a new IETF draft from OAuth Working Group: ~~https://tools.ietf.org/html/draft-ietf-oauth-native-apps (June 9, 2017)~~ https://tools.ietf.org/html/rfc8252 (October 2017)
@nasli @pablocarmu Could you check how the ownCloud iOS client could be improved following the linked recommendation?
Related: https://github.com/owncloud/android/issues/2036
From iOS it could be improved using SFSafariViewController instead of UIWebView. Great info on links to review, thanks @michaelstingl
I also don’t understand yet what else https://github.com/openid/AppAuth-iOS would help us besides only using SFSafariViewController. Is there more we could use?
Regarding https://github.com/owncloud/android/issues/2036#issuecomment-365341121
Necessity to isolate webview cookies from core/oauth2 cookies.
- Cookies received before webview triggering have to be stored and taken into account (at this point, infrastructures with proxies etc. send their cookies)
- Requests to OAuth2 endpoints do not need to be authenticated.
- Valid session cookies, the ones after the session token is granted.
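The cookie isolation described in the comment above, as an added illustration that is not ownCloud client code: the login web view gets a non-persistent cookie jar so nothing the identity provider sets leaks into the app's shared `HTTPCookieStorage`, while cookies the app already holds for the server host (for example those set by a reverse proxy in front of it) are copied in so the login page stays reachable. `makeIsolatedLoginWebView` and `tokenRequestSession` are hypothetical helper names.

```swift
import WebKit

// Hypothetical helper (added example): a WKWebView whose cookies are kept apart
// from the core/OAuth2 cookies held in HTTPCookieStorage.shared.
func makeIsolatedLoginWebView(authorizationURL: URL,
                              completion: @escaping (WKWebView) -> Void) {
    let config = WKWebViewConfiguration()
    // Non-persistent store: cookies set during the web login never reach the
    // app's shared cookie storage and are discarded with the web view.
    config.websiteDataStore = .nonPersistent()
    let store = config.websiteDataStore.httpCookieStore

    // Cookies received before the web view is shown (proxy/infrastructure
    // cookies for this host) are seeded into the isolated store, and only those.
    let preexisting = HTTPCookieStorage.shared.cookies(for: authorizationURL) ?? []
    let group = DispatchGroup()
    for cookie in preexisting {
        group.enter()
        store.setCookie(cookie) { group.leave() }
    }
    // setCookie is asynchronous; load the page only after every cookie landed.
    group.notify(queue: .main) {
        let webView = WKWebView(frame: .zero, configuration: config)
        webView.load(URLRequest(url: authorizationURL))
        completion(webView)
    }
}

// Hypothetical helper (added example): requests to the OAuth2 token endpoint
// are sent without any stored cookies, since they must not be authenticated
// by a session cookie; the granted token is what authenticates later calls.
func tokenRequestSession() -> URLSession {
    let config = URLSessionConfiguration.ephemeral
    config.httpShouldSetCookies = false
    config.httpCookieAcceptPolicy = .never
    return URLSession(configuration: config)
}
```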