OAuth 2.0 Authorization Code Grant fails when using In-App Browser

p1ass · 2022-04-03T06:24:43.846Z

I try to use OAuth 2.0 Authorization Code Grant Flow on my iPhone, but the callback fails.

Reproduction

Open the following link in the In-App browser. ttps://oauth-playground.glitch.me/?id=createTweet&compose=1 (removing h)
Tap the “Run” button.
Redirect to the Twitter official app automatically.
Redirect to iOS default browser automatically.
Authorize.
Redirect to callback URL, but authorization has not been successful.

Guess

We use the “state” associated with the user agent for preventing CSRF attacks.
The state is associated with In-App browser in step 2, but the callback URL is opened by another user agent in step 6.

Since it is likely that a website using the Twitter API will be opened in a browser within an official Twitter app, we would like to be able to authorize it correctly.

Is there any way to ensure that the authorization is done correctly?

dewey · 2022-04-03T09:32:55.091Z

Hey, this seems to be a similar problem what @takke is experiencing here where the URL is captured by the wrong app:

OAuth 2.0 PKCE authentication URL is stolen by official apps Security & authorization (OAuth)

We are trying to add OAuth 2.0 Authorization Code Flow with PKCE to our Twitter client for Android. I opened the URL for the actual authentication in my browser. val url = "https://twitter.com/i/oauth2/authorize?response_type=code&client_id=M1M5R3BMVy13QmpScXkzTUt5OE46MTpjaQ&redirect_uri=https://www.example.com&scope=tweet.read%20users.read%20follows.read%20follows.write&state=state&code_challenge=challenge&code_challenge_method=plain" val intent = Intent(Intent.ACTION_VIEW, Uri.parse…

p1ass · 2022-04-06T13:56:45.124Z

Hi, @dewey.

I check the linked topic and it is a similar issue as you say.

In the web application, it seems to be worked to open in Safari or Chrome before starting the authorization flow as workground.

OAuth 2.0 PKCE authentication URL is stolen by official apps Security & authorization (OAuth)

I’m glad to see that the issue has been shared with Twitter’s OAuth team. I’ve tried several workaround methods and implemented the following two methods. Open in Chrome browser if available. If no Chrome browser is available, find a browser other than the official Twitter app and open it. This workaround requires a relatively deep understanding of how Android works. Therefore, it would be appreciated if the official application itself provides OAuth 2.0 PKCE authentication or behaves corre…

This issue has been acknowledged by Twitter’ OAuth team, so I look forward to improving it in the future.