Some questions I took an opportunity to ask in this Twitter thread:
-
How bad would it be to include a very short-lived OTP in a custom protocol URL link inside a web page, which takes the user from their default browser to a locally installed native desktop app (say, Electron or WPF based), so they don't have to authenticate again within the native app? More context here.
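To make the handoff in that question concrete, here is an added example (not from the thread or any of the apps it mentions) of the minimum a backend would need to enforce on such a token: a random value of adequate entropy, stored only as a hash, a TTL in the tens of seconds, and strictly single-use redemption so a link that leaks from a browser history, a proxy log or a referrer cannot be replayed. The `myapp://auth?otp=...` scheme, the `otp` parameter name and the `HandoffTokenStore` class are all constructed for illustration.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlsplit


class HandoffTokenStore:
    """Issues and redeems short-lived, single-use browser-to-native handoff tokens.

    Hypothetical server-side component; the native app would submit the token it
    pulled out of the custom-scheme URL, and this store decides whether to accept it.
    """

    def __init__(self, ttl_seconds=30, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so expiry can be tested deterministically
        # sha256(token) -> (user_id, expires_at); only the hash is kept, so a
        # database read cannot be turned back into a usable token.
        self._pending = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id):
        """Mint a 256-bit random token for an already-authenticated browser session."""
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (user_id, self.clock() + self.ttl)
        return token

    @staticmethod
    def build_link(scheme, token):
        """Custom-scheme URL the web page would render (scheme name is a placeholder)."""
        return f"{scheme}://auth?otp={token}"

    def redeem(self, token):
        """Return the user id once for a valid token, None for unknown/expired/replayed."""
        # pop() removes the entry before any check, so a second presentation of the
        # same token (replay) fails even if it arrives within the TTL.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self.clock() > expires_at:
            return None
        return user_id


def parse_handoff_url(url, expected_scheme):
    """Extract the OTP from a custom-scheme URL; None if the scheme or shape is wrong.

    The native app should only honour URLs on its own registered scheme, since the
    browser hands it the whole string and any page could have constructed it.
    """
    parts = urlsplit(url)
    if parts.scheme != expected_scheme or parts.netloc != "auth":
        return None
    values = parse_qs(parts.query).get("otp", [])
    if len(values) != 1:
        return None
    return values[0]


if __name__ == "__main__":
    store = HandoffTokenStore(ttl_seconds=30)
    token = store.issue("alice")
    link = HandoffTokenStore.build_link("myapp", token)
    presented = parse_handoff_url(link, "myapp")
    print("first redemption :", store.redeem(presented))   # alice
    print("replayed token   :", store.redeem(presented))   # None
```

The design point is that the URL only ever carries a one-shot reference to the session, never the session itself; if the token is consumed by the wrong party, the legitimate user's redemption fails visibly instead of a second session quietly appearing.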
-
Most native desktop apps (e.g., MS Teams) don't seem to follow RFC 8252, which requires external user-agents (i.e. the default browser) for the authorization flow. Instead, they "cheat" and use their own internal WebView to host the external OAuth provider's web UI. What's the reason behind this choice? Is this only because it's allegedly considered user-unfriendly to launch the default browser? Should the industry come up with some