Automatic return from Vipps or MobilePay app
This flow is designed for web pages. It will return users to a browser after completing the login in the Vipps or MobilePay app. This requires the merchant to handle the user session across browsers.
This flow has security implications and is not suited for every scenario. Merchants must make their own considerations to ensure that it is only used where suitable.
Due to how the various mobile operating systems handle app-switch to browser, the user can be returned to a different browser than the one he/she started in.
On iOS, the user can, for example, start the login in Chrome and be returned to Safari after confirming in the Vipps or MobilePay app. This means that the merchant site cannot rely on cookies being present in the browser the user is returned to.
By using this flow, Login will be able to complete the login process even if the user ends up in a different browser. However, the merchant**must ensure that logins can complete, even without session information, such as cookies.*
This flow can be enabled per login by adding the parameter
requested_flow=automatic_return_from_vipps_app to the Authorize request.
It is not possible to give a single description that ensures secure use of this flow for all scenarios. The suggestions given here may not apply to every scenario and must be considered in relation to the specifics of the implementation.
The state parameter passed in the OAuth2 authorize endpoint request can carry some information from the start of a login until the callback. The state parameter cannot be thought of as a direct replacement of a user agent bound session.
Some relevant considerations:
- Always use PKCE.
- Avoid logging the callback URI.
- Session fixation. Be aware of what is possible to set up before a login is started.
- Login CSRF. Be aware if it's possible to input sensitive information after a login.
- The state parameter and CSRF. Be aware of the recommendations of the OIDC/OAuth standards.
Verify that users being returned to a browser different from where the login started are handled as expected. Test starting the login in private/incognito mode, as this will have similar effects as being returned to a different browser.