
OAuth documentation should recommend against embedded browsers #378

@georgebrock

Description

The OAuth documentation contains some references to embedded browsers, e.g.

<p class="govuk-body">For details of which browsers we support for the authorisation journey see
<a class="govuk-link" href="@controllers.routes.DocumentationController.referenceGuidePage().url#oauth-2.0-browser-support">
OAuth 2.0 browser support</a>, especially if you use an embedded browser.

Using embedded browsers for OAuth authentication puts users at increased risk of phishing attacks. RFC 6819 § 4.1.4 describes the risk, and has several recommendations for mitigations, including:

Client developers should not write client applications that collect authentication information directly from users and should instead delegate this task to a trusted system component, e.g., the system browser.

For data as sensitive as tax information, integrators with HMRC should be encouraged to follow security best practices, and therefore should be advised not to use embedded browsers.

I suggest:

  • Removing existing references to embedded browsers.
  • Adding explicit guidance to avoid embedded browsers for OAuth authentication.
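As an added illustration of the alternative the issue asks the documentation to recommend (this is example code, not part of the issue, of HMRC's API documentation, or of any HMRC client), the following Python sketch runs the authorization-code flow the way RFC 6819 §4.1.4 and RFC 8252 describe for native apps: the login page is opened in the system browser rather than an embedded web view, the authorization response comes back on a loopback redirect URI, and PKCE plus a `state` check bind the response to this client. The authorization endpoint, client ID and scope are placeholders, not HMRC values.

```python
"""
Native-app OAuth 2.0 authorization-code client that delegates the login
step to the system browser instead of an embedded browser/web view.
Endpoint, client_id and scope below are hypothetical placeholders.
"""
import base64
import hashlib
import secrets
import webbrowser
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values for the example; substitute the real provider's settings.
AUTHORIZE_URL = "https://auth.example.test/oauth/authorize"
CLIENT_ID = "example-native-client"
SCOPE = "read:example"


def make_pkce_pair(verifier: str = "") -> tuple:
    """Return (code_verifier, code_challenge) using the S256 method of RFC 7636.
    A verifier can be supplied for testing; otherwise a random one is generated."""
    if not verifier:
        verifier = secrets.token_urlsafe(48)  # 64 unreserved chars, within 43..128
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorization_url(redirect_uri: str, state: str, code_challenge: str) -> str:
    """Build the URL the *system* browser is sent to; the client never sees the password."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": SCOPE,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_callback(url: str, expected_state: str) -> str:
    """Validate the loopback redirect and return the authorization code.
    Rejects a missing or mismatched state (CSRF / mix-up) and server-reported errors."""
    query = parse_qs(urlparse(url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discarding authorization response")
    if "error" in query:
        raise ValueError("authorization server returned error: " + query["error"][0])
    codes = query.get("code")
    if not codes:
        raise ValueError("no authorization code in callback")
    return codes[0]


class _CallbackHandler(BaseHTTPRequestHandler):
    """Handles the single loopback redirect and records its path (incl. query)."""

    def do_GET(self):
        self.server.callback_path = self.path
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"Sign-in complete. You can close this tab.")

    def log_message(self, *args):  # keep the console quiet
        pass


def run_system_browser_flow(timeout: float = 300.0) -> tuple:
    """Open the system browser for login and wait for one loopback redirect.
    Returns (authorization_code, code_verifier) ready for the token exchange."""
    server = HTTPServer(("127.0.0.1", 0), _CallbackHandler)  # ephemeral port, RFC 8252 s7.3
    server.callback_path = None
    server.timeout = timeout
    redirect_uri = "http://127.0.0.1:%d/callback" % server.server_port
    state = secrets.token_urlsafe(32)
    verifier, challenge = make_pkce_pair()

    # Hand the authorisation step to the user's real browser, not a web view.
    webbrowser.open(build_authorization_url(redirect_uri, state, challenge))
    server.handle_request()  # serve exactly one request, then stop listening
    server.server_close()
    if server.callback_path is None:
        raise TimeoutError("no authorization response received")
    code = parse_callback("http://127.0.0.1" + server.callback_path, state)
    return code, verifier


if __name__ == "__main__":
    auth_code, code_verifier = run_system_browser_flow()
    print("got authorization code; exchange it with code_verifier at the token endpoint")
```

The token exchange itself is omitted; it is a normal POST of `code`, `redirect_uri` and `code_verifier` to the token endpoint. On mobile platforms the same principle applies with the platform's external user-agent (e.g. `ASWebAuthenticationSession` on iOS or Custom Tabs on Android) rather than an in-app `WebView`, which is exactly the embedded-browser pattern RFC 6819 warns against.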
