Enhancing user safety in OAuth flows via new OAuth Custom URI scheme restrictions — Google for Developers

Posted by Vikrant Rana, Product Manager

OAuth 2.0 Custom URI schemes are known to be vulnerable to app impersonation attacks. As part of Google's continuous commitment to user safety and to finding ways to make it safer to use third-party applications that access Google user data, we will be restricting the use of custom URI scheme methods. They will be disallowed for new Chrome extensions and will no longer be supported for Android apps by default.

To protect users from malicious actors who might impersonate Chrome extensions and steal their credentials, we no longer allow new extensions to use OAuth custom URI scheme methods. Instead, implement OAuth using the Chrome Identity API, a safer way to deliver the OAuth 2.0 response to your app.

What do developers need to do?

New Chrome extensions will be required to use the Chrome Identity API method for authorization. While existing OAuth client configurations are not affected by this change, we strongly encourage you to migrate them to the Chrome Identity API method. In the future, we may disallow Custom URI scheme methods and require all extensions to use the Chrome Identity API method.
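As an added example (not code from the original post), here is how an extension can run the authorization flow through the Chrome Identity API instead of a custom URI scheme, checking the redirect URL and the state value before the response is trusted. It assumes a Manifest V3 extension with the "identity" permission; the client ID is a placeholder, and the chrome.identity calls are only made inside signIn.

```javascript
// Added example (not code from the original post). Assumes a Manifest V3
// extension with the "identity" permission and an OAuth client ID created
// for it; CLIENT_ID is a placeholder.
const CLIENT_ID = "YOUR_CLIENT_ID.apps.googleusercontent.com"; // placeholder
const AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth";

// Random, single-use state value bound to this sign-in attempt.
function newState() {
  const bytes = new Uint8Array(16);
  globalThis.crypto.getRandomValues(bytes);
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Build the authorization URL. The redirect URI is the extension's
// https://<extension-id>.chromiumapp.org/ URL from chrome.identity.getRedirectURL(),
// not a custom URI scheme that another app could register.
function buildAuthUrl(clientId, redirectUri, scopes, state) {
  const url = new URL(AUTH_ENDPOINT);
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("response_type", "token");
  url.searchParams.set("scope", scopes.join(" "));
  url.searchParams.set("state", state);
  return url.toString();
}

// Parse the redirect URL Chrome hands back. Reject a wrong origin, an error
// response, or a state mismatch so an injected response is never accepted.
function parseRedirect(redirectUrl, expectedRedirectUri, expectedState) {
  if (typeof redirectUrl !== "string" || !redirectUrl.startsWith(expectedRedirectUri)) return null;
  const params = new URLSearchParams(new URL(redirectUrl).hash.replace(/^#/, ""));
  if (params.get("error") || params.get("state") !== expectedState) return null;
  const token = params.get("access_token");
  if (!token) return null;
  return { accessToken: token, expiresIn: Number(params.get("expires_in")) };
}

// Run the flow inside the extension (browser only; chrome.* is not in Node).
async function signIn(scopes) {
  const redirectUri = chrome.identity.getRedirectURL();
  const state = newState();
  const responseUrl = await chrome.identity.launchWebAuthFlow({
    url: buildAuthUrl(CLIENT_ID, redirectUri, scopes, state),
    interactive: true,
  });
  return parseRedirect(responseUrl, redirectUri, state);
}
```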

By default, new Android apps will no longer be allowed to use Custom URI schemes to make authorization requests. Instead, consider using the Google Identity Services for Android SDK to deliver the OAuth 2.0 response directly to your app.

What do developers need to do?

We strongly recommend switching existing apps to the Google Identity Services for Android SDK. If you are developing a new app and the recommended alternative does not work for your needs, you can enable the Custom URI scheme method for your app in the "Advanced Settings" section of the client configuration page on the Google API Console.

Users may see an "invalid request" error message if they try to use an app that is making unauthorized requests using the Custom URI scheme method. They can learn more about this error by clicking on the "Learn more" link in the error message.

Image of user-facing error message

User-facing error example

Developers will be able to see additional error information when testing user flows for their applications. They can get more details about the error by clicking on the "see error details" link, including its root cause and links to instructions on how to resolve the error.

Image of developer-facing error message

Developer-facing error example
