I'm looking into FIDO UAF (passwordless login) and wondering if there are any browsers supporting it. So far I have only found it used in native mobile apps.
Chrome, Edge and Firefox all have experimental support. You need to begin looking at the W3C Web Authentication standard, which is the pending industry standard that subsumed FIDO 2.0.
Here's a good overview of Edge support: https://blogs.windows.com/msedgedev/2016/04/12/a-world-without-passwords-windows-hello-in-microsoft-edge
See the Chrome feature status:
https://www.chromestatus.com/feature/5669923372138496
Related
As far as I know, currently it is not possible to disable cross-origin resource sharing restrictions in mobile safari. It would be great if this could be implemented or if someone knows how to do this. This would be an incredibly useful feature for automated testing of web applications on mobile Safari.
Yes I know that we can do it with Chrome:
Disable same origin policy in Chrome
And there are options to do it with desktop Safari:
https://stackoverflow.com/questions/4556429/disabling-same-origin-policy-in-safari#:~:text=Just%20enable%20the%20developer%20menu,restrictions%22%20from%20the%20develop%20menu.
And to do it manually on Mac for mobile Safari:
https://stackoverflow.com/a/72309627/16804973
But I need to do it within Appium/Selenium code and I do not find any equivalent to Chrome option "-diasble-web-security", because there is no such one for Safari: https://www.selenium.dev/selenium/docs/api/java/org/openqa/selenium/safari/SafariOptions.html
The last info I have found, was a request on Mac Developers page about this: https://developer.apple.com/forums/thread/80927
Does anyone has a solution for this nowadays?
I'll have an Identify Server as an STS. I'm trying to authenticate/authorize a trusted mobile app. Is Open ID Connect still a viable option ? I'm concerned about the usability (redirecting users to a url) as well as ios/android biometrics.
If Open ID Connect is still an option, what's the recommended flow for this scenario?
AppAuth is the clear direction if this is referring to a "Native Application" on a mobile device.
"It follows the best practices set out in RFC 8252 - OAuth 2.0 for Native Apps including using in-app browser tabs (like SFAuthenticationSession and Android Custom Tabs) where available. Embedded user-agents (known as web-views) are explicitly not supported due to the usability and security reasons documented in Section 8.12 of RFC 8252."
With Apple's upcoming ITP 2.0 in Safari 12, I (along with most other affiliate marketers) have to deal with merchants who haven't switched to first-party cookies.
A friend pointed out that all web apps in iOS run on top of Safari. While this is known to affect JS/CSS and rendering, does this also affect how cookies are read?
Will a Chrome user be able to accept third-party cookies on iOS?
[blocked] Access to geolocation was blocked over insecure connection to http://www.hnsjb.cn.
Should I change my website to the https protocol?
iOS 10 and also desktop Safari 10 seem to require https connection now. Safari also seems to be more strict than what Chrome did earlier. No mixed content warnings are allowed, Chrome allows e.g. map tiles to load over normal http.
I could not find any guideline specific to Safari, but this issue has been discussed by other web browsers as well.
In particular, the announcement about Google Chrome blocking geolocation over an insecure connection, published on developers.google.com in April 2016, under the last paragraph “I really need to use Geolocation. What should I do?”, advises:
If you would like to use the HTML5 Geolocation API, or if your site already uses the Geolocation API, please migrate the pages making Geolocation API calls to HTTPS, ensuring that they’re used in a secure context.
I would like to work with Google's .NET API while using OAuth 2.0 flow for devices.
I didn't find any way to use GoogleWebAuthorizationBroker or Create UserCredentials object in .NET when working with OAuth 2.0 flow for devices.
Is there a way to make the above requirement work? or should I use only REST API?
Thanks,
Ronen
Assuming you refer to this flow: https://developers.google.com/accounts/docs/OAuth2ForDevices, it is not supported in the Google APIs Client Library for .NET. So you need to build it yourself though you may be able to reuse large parts of Google's stuff.
Notice that the "OAuth 2.0 flow for devices" is not a standardized OAuth 2.0 flow, so support is not ubiquitous. Also, the Google says elsewhere:
If your app will run on devices that do not have access to a system
browser, or devices with limited input capabilities (for example, if
your app will run on game consoles, video cameras, or printers), then
see Using OAuth 2.0 for Devices.
If that's really your use case you should pursue my suggestions, otherwise you should switch to https://developers.google.com/accounts/docs/OAuth2InstalledApp (see the flow chart on the right side there as well).
The .NET client library for Google APIs supports OAuth 2.0 and it supports several devices including Windows Phone 8.1 and Windows Store applications.
The OAuth 2.0 documentation (including snippets) is available at: https://developers.google.com/api-client-library/dotnet/guide/aaa_oauth.
My obvious recommendation is to use the library, because it will refresh tokens for you automatically (using the stored refresh token) and it's a light OO library which will do a lot of "magics" for you (such as media upload).
By the way, our samples repository includes full sample for a universal app, take a look at Blogger.Sample for more details.