Improving user safety in OAuth flows through new OAuth Custom URI scheme restrictions — Google for Developers Blog



Posted by Vikrant Rana, Product Manager

OAuth 2.0 Custom URI schemes are known to be vulnerable to app impersonation attacks. As part of Google's continuous commitment to user safety and to finding ways to make it safer to use third-party applications that access Google user data, we will be restricting the use of Custom URI scheme methods. They will be disallowed for new Chrome extensions and will no longer be supported for Android apps by default.

To protect users from malicious actors who might impersonate Chrome extensions and steal their credentials, we no longer allow new extensions to use OAuth Custom URI scheme methods. Instead, implement OAuth using the Chrome Identity API, a more secure way to deliver the OAuth 2.0 response to your app.

What do developers need to do?

New Chrome extensions will be required to use the Chrome Identity API method for authorization. While existing OAuth client configurations are not affected by this change, we strongly encourage you to migrate them to the Chrome Identity API method. In the future, we may disallow Custom URI scheme methods and require all extensions to use the Chrome Identity API method.
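As an added illustration (not code from the Google post), the sketch below shows how a Manifest V3 extension obtains an authorization code through chrome.identity.launchWebAuthFlow, whose redirect target is the extension's own https://<extension-id>.chromiumapp.org/ URL rather than a custom scheme that another installed app could claim. CLIENT_ID and SCOPES are placeholders, and the later code-for-token exchange is not shown.

```javascript
// Added example: browser-managed OAuth redirect for a Chrome extension.
// Assumed placeholders: replace CLIENT_ID with your own client configuration.
const AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth";
const CLIENT_ID = "REPLACE-WITH-YOUR-CLIENT-ID.apps.googleusercontent.com";
const SCOPES = ["openid", "email"];

// Build the authorization request URL. A unique state value binds the
// eventual response to this request so a planted response cannot be replayed.
function buildAuthorizationUrl(clientId, redirectUri, scopes, state) {
  const url = new URL(AUTH_ENDPOINT);
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("scope", scopes.join(" "));
  url.searchParams.set("state", state);
  return url.toString();
}

// Parse the redirect URL that chrome.identity hands back. Reject a response
// whose state does not match, surface provider errors, and require a code.
function parseAuthorizationResponse(redirectUrl, expectedState) {
  const params = new URL(redirectUrl).searchParams;
  if (params.get("state") !== expectedState) {
    throw new Error("state mismatch: response does not belong to this request");
  }
  const error = params.get("error");
  if (error !== null) throw new Error(`authorization failed: ${error}`);
  const code = params.get("code");
  if (!code) throw new Error("no authorization code in response");
  return code;
}

// Unguessable state: 16 random bytes from the Web Crypto API as hex.
function newState() {
  const bytes = crypto.getRandomValues(new Uint8Array(16));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Entry point inside the extension's service worker. getRedirectURL() yields
// https://<extension-id>.chromiumapp.org/, which only this extension receives.
async function authorize() {
  const state = newState();
  const redirectUri = chrome.identity.getRedirectURL();
  const authUrl = buildAuthorizationUrl(CLIENT_ID, redirectUri, SCOPES, state);
  const responseUrl = await chrome.identity.launchWebAuthFlow({
    url: authUrl,
    interactive: true,
  });
  return parseAuthorizationResponse(responseUrl, state);
}
```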

By default, new Android apps will no longer be allowed to use Custom URI schemes to make authorization requests. Instead, consider using the Google Identity Services for Android SDK to deliver the OAuth 2.0 response directly to your app.

What do developers need to do?

We strongly recommend switching existing apps to use the Google Identity Services for Android SDK. If you're developing a new app and the recommended alternative doesn't work for your needs, you can enable the Custom URI scheme method for your app in the "Advanced Settings" section of the client configuration page on the Google API Console.

Users may see an "invalid request" error message if they try to use an app that is making unauthorized requests using the Custom URI scheme method. They can learn more about this error by clicking on the "Learn more" link in the error message.

Image of user facing error message

User-facing error example

Developers will be able to see additional error information when testing user flows for their applications. They can get more details about the error by clicking on the "see error details" link, including its root cause and links to instructions on how to resolve the error.

Image of developer facing error message

Developer-facing error example
