by cshimmin 3819 days ago
This is perhaps a general question about 3rd-party auth, but how am I supposed to trust an app like this when I click "log in with google/github/etc"? I'm simply shown a new pane within the same application that could easily be a phishing attack. There's no way to verify who the hell I'm sending my user/pass to.

Is there some way for native apps to launch my preferred default browser to do this task?

(Note: this is by no means an accusation towards OP; I just tend not to type my gmail password into random apps I downloaded from strangers on the internet).

2 comments

> This is perhaps a general question about 3rd-party auth, but how am I supposed to trust an app like this when I click "log in with google/github/etc"? I'm simply shown a new pane within the same application that could easily be a phishing attack. There's no way to verify who the hell I'm sending my user/pass to.

I see this happening over and over again on my phone. Especially with Facebook logins.

If you are already logged in with google/github/etc you shouldn't need to re-enter your password, just give approval. The authentication and association would be handled in the background. If you have to enter a password when you are already logged in then it is a huge red flag and you should probably run.

EDIT: Done correctly, "Log in with ..." should NEVER need your password for the site; it will use separate authentication tokens to associate with your account. It may try to redirect you if you're not logged in; just make sure you log in by directly accessing the primary auth site first.

Nice tip, thanks. But in this case it's wrapped in a desktop app runtime distinct from my browser (Electron?), so there is no way to be already logged into GitHub/Google.

In an ideal world auth flows would always open in my system browser that I can trust. On both mobile and desktop.

(Well, technically I already installed a proprietary .deb and am running the process as my user, so game over.)
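The flow the thread is asking for does exist: RFC 8252 tells native apps to hand the "Log in with ..." step to the system browser and take the authorization code back on a loopback redirect, with PKCE (RFC 7636) replacing the client secret a desktop app cannot keep. The app never sees the user's password, and because the browser does the login, an existing session with the provider is reused, which is the "just give approval" behaviour described above. The following is an added example and is not code from the thread or from the app under discussion; the provider endpoints (`idp.example`) and client id are placeholders, and the sample callback used to exercise the parser is constructed.

```python
"""Native-app "Log in with ..." via the system browser: RFC 8252 loopback redirect + PKCE."""
import base64
import hashlib
import secrets
import urllib.parse
import webbrowser
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical provider endpoints and client id; substitute your identity provider's values.
AUTHORIZE_ENDPOINT = "https://idp.example/oauth/authorize"
TOKEN_ENDPOINT = "https://idp.example/oauth/token"
CLIENT_ID = "example-native-app"


def make_pkce_pair():
    """Return (code_verifier, code_challenge) for the S256 method of RFC 7636."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def verify_pkce(verifier, challenge):
    """What the token endpoint does: recompute S256(verifier) and compare."""
    expected = base64.urlsafe_b64encode(hashlib.sha256(verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected.rstrip(b"=").decode("ascii"), challenge)


def build_authorize_url(redirect_uri, state, code_challenge, scope="openid email"):
    """Authorization request the app opens in the *system* browser, never in an embedded pane."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urllib.parse.urlencode(params)


def parse_callback(path, expected_state):
    """Extract the authorization code from the loopback redirect; reject mismatched state."""
    params = dict(urllib.parse.parse_qsl(urllib.parse.urlparse(path).query))
    if "error" in params:
        raise ValueError("authorization server returned error: " + params["error"])
    # A wrong or missing state means this response was not produced by our request.
    if not secrets.compare_digest(params.get("state", ""), expected_state):
        raise ValueError("state mismatch: response does not belong to this login attempt")
    if "code" not in params:
        raise ValueError("no authorization code in callback")
    return params["code"]


def build_token_request(code, redirect_uri, code_verifier):
    """Form body the app POSTs to TOKEN_ENDPOINT. Public client: no client secret, PKCE instead."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": CLIENT_ID,
        "code_verifier": code_verifier,
    }


class _CallbackHandler(BaseHTTPRequestHandler):
    """One-shot loopback listener that receives the browser's redirect."""
    code = None
    error = None

    def do_GET(self):
        try:
            type(self).code = parse_callback(self.path, self.server.expected_state)
            body = b"Login complete. You can close this tab and return to the app."
        except ValueError as exc:
            type(self).error = str(exc)
            body = b"Login failed."
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the console quiet
        pass


def run_flow():
    """Full interactive flow: bind an ephemeral loopback port, open the default browser, wait once."""
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    server = HTTPServer(("127.0.0.1", 0), _CallbackHandler)  # port 0: OS picks a free port
    server.expected_state = state
    redirect_uri = "http://127.0.0.1:%d/callback" % server.server_address[1]
    webbrowser.open(build_authorize_url(redirect_uri, state, challenge))
    server.handle_request()  # blocks for exactly one redirect
    server.server_close()
    if _CallbackHandler.error:
        raise SystemExit("login failed: " + _CallbackHandler.error)
    # The app would now POST this body to TOKEN_ENDPOINT and store only the returned tokens.
    return build_token_request(_CallbackHandler.code, redirect_uri, verifier)


if __name__ == "__main__":
    print(run_flow())
```

Note the two checks that make the loopback approach safe in practice: the provider must compare `redirect_uri` against a registered `http://127.0.0.1` pattern (RFC 8252 allows any port there), and the app must refuse a callback whose `state` does not match the one it generated, since any local process can hit that port.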