
We have an app that uses an OAuth 2.0 for login. In our app, we're using AppAuth-Android to implement this flow. As a redirect URI, we're using an HTTPS scheme link - https://example.com/oauthRedirect, and added a digital asset links file at https://{domain}/.well-known/assetlinks.json. We've confirmed that this verification succeeds when our app is installed, and found during our testing that the browser is dismissed and the user is redirected back to our application. But we have reports from our users that they aren't able to log in. For some reason the redirect app link isn't getting handled by the app.

The only way we've been able to reproduce this is by installing the app on airplane mode to force the intent filter verification to fail. But since this verification process is out of our control, what kind of counter-measures can we implement on our end to handle this edge case? I'm aware of Android 12 adding a new API to ask the user to manually enable link handling for our app, and plan on implementing this in case there is no better solution.

I'd love to find out if others have encountered this issue before, and how they handled it. Any help here would be greatly appreciated!

Jyot Patel
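The Android 12 API mentioned in the question is `DomainVerificationManager`, which lets the app detect the exact failure case described (App Links verification did not succeed, so the OS will send the redirect to the browser instead of the app) before starting the login flow. The following is an added example, not code from the question or from the AppAuth-Android project; it assumes the redirect host `example.com` from the question and that the manifest intent filter for it sets `android:autoVerify="true"`.

```kotlin
import android.content.Context
import android.content.Intent
import android.content.pm.verify.domain.DomainVerificationManager
import android.content.pm.verify.domain.DomainVerificationUserState
import android.net.Uri
import android.os.Build
import android.provider.Settings
import androidx.annotation.RequiresApi

/** How the OS will route links for the OAuth redirect host to this app. */
sealed class LinkHandlingState {
    /** Verified against assetlinks.json, or manually selected by the user. */
    object Handled : LinkHandlingState()
    /** Neither verified nor user-selected: the redirect will stay in the browser. */
    data class NotHandled(val host: String) : LinkHandlingState()
    /** Pre-Android-12 device: the query API does not exist. */
    object Unknown : LinkHandlingState()
}

/**
 * Checks whether links to [redirectHost] (assumed "example.com", from the question)
 * are currently handled by this app. Requires API 31 (Android 12) or later.
 */
fun checkRedirectLinkHandling(context: Context, redirectHost: String): LinkHandlingState {
    if (Build.VERSION.SDK_INT < Build.VERSION_CODES.S) return LinkHandlingState.Unknown
    val manager = context.getSystemService(DomainVerificationManager::class.java)
    val userState = manager.getDomainVerificationUserState(context.packageName)
        ?: return LinkHandlingState.NotHandled(redirectHost)
    // hostToStateMap only lists hosts declared with android:autoVerify="true".
    val state = userState.hostToStateMap[redirectHost]
        ?: return LinkHandlingState.NotHandled(redirectHost)
    return when (state) {
        DomainVerificationUserState.DOMAIN_STATE_VERIFIED,
        DomainVerificationUserState.DOMAIN_STATE_SELECTED -> LinkHandlingState.Handled
        else -> LinkHandlingState.NotHandled(redirectHost)   // DOMAIN_STATE_NONE
    }
}

/**
 * Opens this app's "Open by default" settings page, where the user can enable the
 * redirect host manually when automatic verification failed (e.g. installed offline).
 */
@RequiresApi(Build.VERSION_CODES.S)
fun openAppLinkSettings(context: Context) {
    val intent = Intent(
        Settings.ACTION_APP_OPEN_BY_DEFAULT_SETTINGS,
        Uri.parse("package:${context.packageName}")
    )
    intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK)
    context.startActivity(intent)
}
```

Call `checkRedirectLinkHandling(context, "example.com")` before launching the AppAuth authorization request; on `NotHandled`, explain the situation to the user and call `openAppLinkSettings(context)` rather than starting a login that cannot return to the app.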

1 Answer


It's a good question, since logically this should be the most mainstream mobile login mechanism in use:

USER GESTURE REQUIREMENT

You may already know this, but if a user does an AppAuth redirect and is already signed in for another app, there will be no Chrome Custom Tabs user gesture, and the not-returning-to-the-app problem is well known.

The solution is to show an interstitial page after login. This can be the OAuth consent screen, a custom Authorization Server screen, or a web page. The screenshots at the end of my Android blog post show how this looks.

GENERAL RELIABILITY

Although this is the secure way to do mobile logins, reliability remains a problem, e.g. if there is a bug in a particular Chrome Custom Tabs version. Currently my code example does not seem to work on emulators using SDK 31+, though I'm pretty sure my code is right, and Android 12 devices work correctly.

Gary Archer