[aerogear-dev] External vs Embedded browser for OAuth2 libs and Cordova plugin

Matthias Wessendorf matzew at apache.org
Mon Nov 24 04:42:55 EST 2014


On Mon, Nov 24, 2014 at 10:02 AM, Erik Jan de Wit <edewit at redhat.com> wrote:

>
> On 24 Nov,2014, at 9:43 , Corinne Krych <corinnekrych at gmail.com> wrote:
>
> I think the best approach is to go external browser, one of the main issues
> with embedded view is that the user still has to enter credentials in
> native app. Although it might offer a better UX experience not switching
> apps, it’s seen as less secure. My preference would be to go external. On
> iOS, the re-enter app is solved using URI schema. The same approach is used
> for Cordova plugin, the schema is configured in the config.xml cordova
> file.
>
>
> Yes, because when using a WebView the app could override onKeyDown and get
> your password:
>
> @Override
> public boolean onKeyDown(int keyCode, KeyEvent event) {
>     // I’m getting your password here
>     return super.onKeyDown(keyCode, event);
> }
>
>
> Obviously that is not what we do, but it could also be done easily by an app
> that uses our OAuth2 library.
>

ha! cool :) that's a 'nice' feature :))




>
>
> @summersp @passos do you have plan to move to external browser?
>
> Erik started working on OAuth2 Android with embedded view, but if we’re
> planning to move to ext. browser maybe it's worth putting the plugin
> implementation on hold until we got that?
>
>
> I guess because of the WebView I have to use the aar as a dependency for
> the plugin.
>

sounds like using external browser will not only help overall security, it
will also help our Cordova plugin.

one more reason, while the security one is a stronger argument ;-)



> This is not supported by Cordova, but it will be supported in version 4.0.
> So I hope that using the external browser will make using the aar no longer
> needed. As this will mean, like for iOS, a lot of manual steps needed to get
> the plugin to work and no JBDS support for this plugin.
>
> Cheers,
> Erik Jan
>



-- 
Matthias Wessendorf

blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
twitter: http://twitter.com/mwessendorf
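
The app side of the external-browser flow discussed in this thread, as an added example that is not part of the original message or of AeroGear's code: it builds the authorization URL handed to the system browser and validates the callback that re-enters the app through the custom URI scheme. It goes slightly beyond the thread by checking the OAuth2 `state` parameter; the endpoint, client id and URI scheme are constructed placeholders.

```javascript
// Added example: app side of an OAuth2 authorization-code flow that uses the
// external browser. Endpoint, client id and URI scheme are constructed.
const rng = globalThis.crypto ?? require("node:crypto").webcrypto;

const CONFIG = {
  authzEndpoint: "https://idp.example.com/oauth2/authorize", // hypothetical
  clientId: "example-client",                                // hypothetical
  redirectUri: "org.example.app://oauth2callback",           // custom URI scheme
};

// Build the URL that is opened in the system browser. The app never handles
// the credentials; it only remembers the random `state` it generated.
function buildAuthorizationRequest(config) {
  const bytes = rng.getRandomValues(new Uint8Array(16));
  const state = Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
  const url = new URL(config.authzEndpoint);
  url.search = new URLSearchParams({
    response_type: "code",
    client_id: config.clientId,
    redirect_uri: config.redirectUri,
    state,
  }).toString();
  return { url: url.toString(), state };
}

// Validate the URL delivered to the app when the browser redirects to the
// custom scheme. Other apps can open that scheme too, so treat it as untrusted.
function handleCallback(callbackUrl, config, expectedState) {
  let cb;
  try { cb = new URL(callbackUrl); } catch { return { ok: false, reason: "malformed" }; }
  const expected = new URL(config.redirectUri);
  if (cb.protocol !== expected.protocol || cb.host !== expected.host || cb.pathname !== expected.pathname) {
    return { ok: false, reason: "unexpected redirect target" };
  }
  const p = cb.searchParams;
  if (!expectedState || p.get("state") !== expectedState) {
    return { ok: false, reason: "state mismatch" };
  }
  if (p.has("error")) return { ok: false, reason: "authorization error: " + p.get("error") };
  const code = p.get("code");
  return code ? { ok: true, code } : { ok: false, reason: "missing code" };
}
```
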