Feature Request: Sending the app bundle ID as a header in SFAuthenticationSession
| Originator: | wdenniss | ||
| Number: | rdar://33274187 | Date Originated: | 2017-06-12 |
| Status: | Open | Resolved: | |
| Product: | iOS | Product Version: | |
| Classification: | Reproducible: |
# Summary For OAuth use-cases it can be very valuable in order to mitigate client impersonation to know the identity of the app that initiates the authorization request. Previously this was achievable with Universal Links in SFSafariViewController (as only the real app can claim its domain name), but SFAuthenticationSession has no ability to use Universal Links. If the bundle ID of the app was included as a header in SFAuthenticationSession request, we would have better risk signals during SSO authorization events, and could better protect users. # Steps to Reproduce 1. Open an OAuth request in SFAuthenticationSession # Expected Results The authorization server has no way to verify the calling app. # Observed Results The ability to know the identity of the calling app. # Additional Notes I would like to suggest the inclusion of a new header, named something like `X-Bundle-ID`, with the header value set to the bundle id of the app. This could be sent on every request in the SFAuthenticationSession so that the authorization server can verify the identity of the calling app. Example: `X-Bundle-ID: com.example.app` NB. while it is possible for a WebView to essentially fake the SFAuthenticationSession's header and user-agent string: in that case there's no SSO (as the cookie jar is always empty). By including this header in SFAuthenticationSession, the server can make better risk-analysis of apps using the SSO session.
Comments
Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at bugreport.apple.com before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!