Why does the PrinterOn mobile application require a reply URL with a printeron.net domain? - c06229994
PrinterOn is making use of a new technology on the mobile device called Universal Links , or Deep Links . This new technology allows the PrinterOn application to exchange the token with the IDM/SSO (Identity Management/Single-Sign-On) provider more secure.
To make use of this new technology PrinterOn has configured the PrinterOn mobile applications with the value: https://sentinel.printeron.net/oauthredirect as an application link. This tells the mobile device operating system that whenever that link is followed during the OAuth process it should be treated differently, ie not followed. Instead the operating system goes to https://sentinel.printeron.net/oauthredirect and checks a file hosted there to see if the PrinterOn mobile application is allowed to use that application link. If the PrinterOn application is allowed to access the link (PrinterOn has not restricted any links at this point) then the device operating system sends the token response directly to the PrinterOn mobile application (rather than out of the device). The PrinterOn mobile application receives the token exactly as if the redirect was sent to 127.0.0.1.
How is it more secure?
Unauthorized applications that exist on the mobile device cannot put itself in the middle of the communication between the PrinterOn mobile application and the IDM/SSO provider.. The mobile device operating system goes outside to the PrinterOn domain that PrinterOn controls and checks that list of allowed apps, then checks on the device to see if the one asking to receive information is included and has our provisioning installed (and not tampered with). If the application isn't on the list or doesn't pass validation the application is ignored and will not get the token response.
Applies to PrinterOn Enterprise 3.x and later.