5

Some mobile apps, notably Slack, are using magic urls for authentication. I'm having some trouble finding resources on implementation, and most importantly, whether android has a similar method for this.

My understanding is that the server would issue an e-mail with this magic link (something along the lines of app://gf234h23f4j234342342), the link will then be passed on to a registered app, which could then use this information to contact the server to get information on the user. Is this correct? If so, gmail seems to have issues recognizing this as a url, how is this resolved?

Cenoc
  • 11,172
  • 21
  • 58
  • 92

1 Answers1

4

One way of approaching this is to encode trusted data as a JSON web token (JWT) that's digitally signed. This is then passed to the server by the application, and the server verifies its authenticity.

As you've mentioned, Gmail and some other software doesn't recognise custom URL schemes like app://. To work around this, provide an HTTPS link to your server of a similar form (e.g. https://example.com/redirect/gf234h23f4j234342342), which then performs an HTTP redirect to the custom URL scheme using the information provided in the HTTPS URL. As an optimisation, you can also set up a universal URL on iOS 9+ in order to direct the HTTPS URL directly to your application without having to bounce through Safari.

This answer describes the Android approach in details.

Community
  • 1
  • 1
Jim
  • 72,985
  • 14
  • 101
  • 108