5

Is it possible to use Android App Links, starting with https:// such as: https://my-app.com/callback to redirect back to my application from an Android WebView in the end of an OAuth2 flow? I know how normal deep links work, such as com.my-app:// or my-app:// can be used to redirect back to my app. According to my understanding, the WebView doesn't know how to handle such protocols, passes the request up to the OS, and the OS than passes the request to my application which handles this url if an adequate IntentFilter is provided in AndroidManifest.xml.

Can this be done by a https:// scheme or the redirect will always be caught by the WebView and there's no way to redirect back to my app?

To specify what I want to achieve with steps:

  1. An IntentFilter is provided in AndroidManifest.xml to handle the app link, like:
<intent-filter android:autoVerify="true">
 <action android:name="android.intent.action.VIEW" />
 <category android:name="android.intent.category.DEFAULT" />
 <category android:name="android.intent.category.BROWSABLE" />
 <data android:scheme="http" android:host="my-app.com/callback" />
 <data android:scheme="https" />
</intent-filter>
  1. A valid assetlinks.json is provided at https://my-app.com/.well-known/assetlinks.json (at this point, the IntentFilterIntent logs reveal that the validation of the JSON succeeds and I am able to open the app from the terminal with a command like npx uri-scheme open https://my-app.com/callback)
  2. My app starts an OAuth2 flow by launching CustomTabsIntent.launchUrl with an url like:
https://accounts.google.com/o/oauth2/v2/auth?
 scope=email%20profile&
 response_type=code&
 state=state&
 redirect_uri=https://my-app.com/callback&
 client_id=client_id

After these steps, I expect my app to open after a successful login because it is a valid handler of the url and don't want to be stuck in the browser. Is this possible, or the request will never be forwarded from the browser to the OS, because the browser is a valid handler of the https:// scheme?

If above is impossible, is there a way to navigate back from the WebView to the App, providing the auth_code or the only way to do this is to use custom schemes?

f4z3k4s
  • 966
  • 7
  • 13
  • what is the `redirect_uri` in Mobile App flow when it wants to send the credentials (i.e. access token and refresh token) toward the backend side? is it a backend endpoint or not? – Benyamin Jafari Jul 23 '22 at 13:32
  • I am not sure I understand your question correctly, but I try to help. Redirect_uri should be an url that your application claims through an IntentFilter so the OS knows to redirect that uri to your app, whenever that uri is called. This is not a backend endpoint. This redirect_uri is needed for the Authorization Request not the Token Request. Authorization Request gives back a `code` to your app that that can be later used in the Token Request to get back the access_token and refresh_token you are talking about. – f4z3k4s Jul 25 '22 at 09:28
  • thank you for your response, maybe [this post](https://stackoverflow.com/questions/73075156/what-exactly-is-redirect-uri-in-google-oauth2-request-for-getting-authorization) could represent my question better – Benyamin Jafari Jul 25 '22 at 11:47
  • Actually, I thought redirect_uri should be my backend `/callback` endpoint because I want google calls my `/callback` endpoint in the backend to have access token here in the backend and store it into db. – Benyamin Jafari Jul 25 '22 at 11:49
  • I'll respond on your question. – f4z3k4s Jul 25 '22 at 12:34

3 Answers3

0

It turns out <data android:scheme="http" android:host="my-app.com/callback" /> was wrong and instead of this, <data android:scheme="http" android:host="my-app.com" android:path="/callback" /> should be used. android:host should never contain the path. I confirmed it is working well without any additional user gesture, just like if it were a plain deep-link. The browser actually recognizes that this url is a claimed url and forwards the response to the app.

f4z3k4s
  • 966
  • 7
  • 13
0

OAuth best practices

For authorizing users in native apps, the best current practice is to perform the OAuth authorization request in an external user-agent(typically the browser) rather than an embedded user-agent (such as one implemented with web-views

  • Your application should NOT use a Android WebView. Instead, use a implicit intent to redirect the user to the browser to login

Redirect URI

  • When defining redirect URIs inside of an intent filter, they should follow this pattern: <scheme>://<host>:<port>[<path>|<pathPrefix>|<pathPattern>|<pathAdvancedPattern>|<pathSuffix>]
  • if you had a redirect URI of https://my-app.com/callback. The intent filter would be:
<intent-filter>
  <action android:name="android.intent.action.VIEW" />
  <category android:name="android.intent.category.DEFAULT" />
  <category android:name="android.intent.category.BROWSABLE" />
  <data
   android:host="my-app.com"
   android:scheme="https"
   ndroid:path="/callback"
   />
</intent-filter>

Example

  • I have written a blog post, HERE, about using OAuth with the GitHub API in Android
Tristan Elliott
  • 594
  • 10
  • 8
-1

It is definitely possible (and recommended) to use Claimed HTTPS Schemes like this, though I have not done so with a WebView.

The tricky part is that redirection back to the app won't work reliably without a User Gesture - something that the user clicks. The user experience and reliability are both a little tricky and you may need an 'interstitial' internet web page.

In mobile OAuth it is recommended to use the AppAuth Pattern, where the system browser is used to handle the redirect, so that the app never has access to credentials.

For further details see the below code sample, which you can run on an emulator. The sample links to some blog posts, which discuss pros and cons, so that you can see if this type of solution is to your liking:

Community
  • 1
  • 1
Gary Archer
  • 22,534
  • 2
  • 12
  • 24
  • Thank you, the RFC ensured me that this is possible. – f4z3k4s Apr 28 '21 at 12:22
  • what is the `redirect_uri` in Mobile App flow when it wants to send the credentials (i.e. access token and refresh token) toward the backend side? is it a backend endpoint or not? – Benyamin Jafari Jul 23 '22 at 13:32