SFAuthenticationSession and HTTP(S) Redirect URLs

Originator: johnbrayton
Number: rdar://35796658
Date Originated: 2017-12-01
Status: Open
Resolved:
Product: iOS + SDK / Safari Services
Product Version: iOS 11.1
Classification: Suggestion
Reproducible: N/A
 
SFAuthenticationSession provides a great mechanism for users to log in to web services via OAuth. Using SFAuthenticationSession for OAuth services that allow Redirect URLs with arbitrary URL schemes (myapp://) is straightforward.

Some web services only accept Redirect URLs that use HTTP or HTTPS. Inoreader and NewsBlur are two examples of such services. To log in to such a service with SFAuthenticationSession, a developer needs a server component that receives the authorization code from the service and redirects the browser to a URL that uses the app's custom URL scheme. Such a server component might redirect from https://oauth.myapp.com/ to myapp://.
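For reference, this is the custom-scheme flow the report describes, written as an added example (it is not code from the radar author or from Apple's documentation). The OAuth service endpoint, client ID and the `myapp://oauth` redirect are placeholders; the code assumes `myapp` is registered in the app's Info.plist under CFBundleURLSchemes. Besides wiring up SFAuthenticationSession with `callbackURLScheme`, it sends a random `state` value and refuses any callback that does not echo it back, which is the check that stops a callback the app did not initiate from being accepted:

```swift
import Foundation
import SafariServices

/// Added example: OAuth authorization-code login through SFAuthenticationSession
/// using a custom URL scheme as the redirect target. All service details are placeholders.
final class OAuthLogin {
    private var session: SFAuthenticationSession?
    private let callbackScheme = "myapp"  // must match CFBundleURLSchemes in Info.plist
    private let authorizeEndpoint = URL(string: "https://auth.example-service.invalid/oauth/authorize")!
    private let clientID = "PLACEHOLDER_CLIENT_ID"

    /// Builds the authorization URL. `state` is a fresh random value the callback
    /// must echo back so the app can reject callbacks it did not initiate.
    private func authorizeURL(state: String) -> URL {
        var components = URLComponents(url: authorizeEndpoint, resolvingAgainstBaseURL: false)!
        components.queryItems = [
            URLQueryItem(name: "response_type", value: "code"),
            URLQueryItem(name: "client_id", value: clientID),
            URLQueryItem(name: "redirect_uri", value: "\(callbackScheme)://oauth"),
            URLQueryItem(name: "state", value: state),
        ]
        return components.url!
    }

    /// Extracts the authorization code from the callback URL. Returns nil unless
    /// the URL scheme and the `state` parameter match what this app sent.
    static func authorizationCode(from callback: URL,
                                  expectedScheme: String,
                                  expectedState: String) -> String? {
        guard callback.scheme?.lowercased() == expectedScheme.lowercased(),
              let items = URLComponents(url: callback, resolvingAgainstBaseURL: false)?.queryItems
        else { return nil }

        var code: String?
        var state: String?
        for item in items {
            switch item.name {
            case "code": code = item.value
            case "state": state = item.value
            default: break
            }
        }
        guard state == expectedState else { return nil }
        return code
    }

    /// Starts the login. On success the completion receives the authorization code,
    /// which the app would then exchange for tokens at the service's token endpoint.
    func start(completion: @escaping (Result<String, Error>) -> Void) {
        let state = UUID().uuidString
        let scheme = callbackScheme
        let session = SFAuthenticationSession(url: authorizeURL(state: state),
                                              callbackURLScheme: scheme) { callbackURL, error in
            if let error = error {
                completion(.failure(error))
                return
            }
            guard let callbackURL = callbackURL,
                  let code = OAuthLogin.authorizationCode(from: callbackURL,
                                                          expectedScheme: scheme,
                                                          expectedState: state)
            else {
                completion(.failure(URLError(.badServerResponse)))
                return
            }
            completion(.success(code))
        }
        self.session = session  // keep a strong reference; a deallocated session is cancelled
        session.start()
    }
}
```

With a service that only accepts HTTPS redirect URLs, the `redirect_uri` above would instead point at the developer's own HTTPS host, and that host's redirect back to `myapp://oauth` is the extra hop the report objects to. SFAuthenticationSession was deprecated in iOS 12 in favour of ASWebAuthenticationSession, which initially kept the same custom-scheme callback model.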

Adding such a server component is a significant security weakness: every authorization code passes through it, so if the server is compromised, an attacker could gain access to those authorization codes.

Apple could eliminate this need by allowing an SFAuthenticationSession to have a callbackURLPrefix (https://oauth.myapp.com/) instead of a callbackURLScheme. Apple could verify that the developer was authorized to intercept requests to the URL using the same apple-app-site-association mechanism it uses for universal links.

The end result would be a more secure login process for Apple’s customers.

Thank you.

Comments

Agree

Just adding my support to advocate for the recommended fix.

By jay492355 at Jan. 3, 2018, 6:47 p.m.
