Improving user safety in OAuth flows through new OAuth Custom URI scheme restrictions


News section: Programming
Source: developers.googleblog.com

Posted by Vikrant Rana, Product Manager

OAuth 2.0 Custom URI schemes are known to be vulnerable to app impersonation attacks. As part of Google’s continuous commitment to user safety and finding ways to make it safer to use third-party applications that access Google user data, we will be restricting the use of custom URI scheme methods. They’ll be disallowed for new Chrome extensions and will no longer be supported for Android apps by default.

Disallowing Custom URI scheme redirect method for new Chrome Extensions

To protect users from malicious actors who might impersonate Chrome extensions and steal their credentials, we no longer allow new extensions to use OAuth custom URI scheme methods. Instead, implement OAuth using the Chrome Identity API, a more secure way to deliver the OAuth 2.0 response to your app.

What do developers need to do?

New Chrome extensions will be required to use the Chrome Identity API method for authorization. While existing OAuth client configurations are not affected by this change, we strongly encourage you to migrate them to the Chrome Identity API method. In the future, we may disallow Custom URI scheme methods and require all extensions to use the Chrome Identity API method.

Disabling Custom URI scheme redirect method for Android clients by default

By default, new Android apps will no longer be allowed to use Custom URI schemes to make authorization requests. Instead, consider using the Google Identity Services for Android SDK to deliver the OAuth 2.0 response directly to your app.

What do developers need to do?

We strongly recommend switching existing apps to use the Google Identity Services for Android SDK. If you're creating a new app and the recommended alternative doesn’t work for your needs, you can enable the Custom URI scheme method for your app in the “Advanced Settings” section of the client configuration page on the Google API Console.

User-facing error message

Users may see an “invalid request” error message if they try to use an app that is making unauthorized requests using the Custom URI scheme method. They can learn more about this error by clicking on the "Learn more" link in the error message.

[Image: user-facing error example]

Developer-facing error message

Developers will be able to see additional error information when testing user flows for their applications. They can get more information about the error by clicking on the “see error details” link, including its root cause and links to instructions on how to resolve the error.

[Image: developer-facing error example]
