Use Android App Link as an OAuth2 Redirect URI

Question

Is it possible to use Android App Links, starting with https:// such as: https://my-app.com/callback to redirect back to my application from an Android WebView in the end of an OAuth2 flow? I know how normal deep links work, such as com.my-app:// or my-app:// can be used to redirect back to my app. According to my understanding, the WebView doesn't know how to handle such protocols, passes the request up to the OS, and the OS than passes the request to my application which handles this url if an adequate IntentFilter is provided in AndroidManifest.xml .

Can this be done by a https:// scheme or the redirect will always be caught by the WebView and there's no way to redirect back to my app?

To specify what I want to achieve with steps:

1. An IntentFilter is provided in AndroidManifest.xml to handle the app link, like:

<intent-filter android:autoVerify="true">
 <action android:name="android.intent.action.VIEW" />
 <category android:name="android.intent.category.DEFAULT" />
 <category android:name="android.intent.category.BROWSABLE" />
 <data android:scheme="http" android:host="my-app.com/callback" />
 <data android:scheme="https" />
</intent-filter>

2. A valid assetlinks.json is provided at https://my-app.com/.well-known/assetlinks.json (at this point, the IntentFilterIntent logs reveal that the validation of the JSON succeeds and I am able to open the app from the terminal with a command like npx uri-scheme open https://my-app.com/callback )
3. My app starts an OAuth2 flow by launching CustomTabsIntent.launchUrl with an url like:

https://accounts.google.com/o/oauth2/v2/auth?
 scope=email%20profile&
 response_type=code&
 state=state&
 redirect_uri=https://my-app.com/callback&
 client_id=client_id

After these steps, I expect my app to open after a successful login because it is a valid handler of the url and don't want to be stuck in the browser. Is this possible, or the request will never be forwarded from the browser to the OS, because the browser is a valid handler of the https:// scheme?

If above is impossible, is there a way to navigate back from the WebView to the App, providing the auth_code or the only way to do this is to use custom schemes?

Answer 1

It is definitely possible (and recommended) to use Claimed HTTPS Schemes like this, though I have not done so with a WebView.

The tricky part is that redirection back to the app won't work reliably without a User Gesture - something that the user clicks. The user experience and reliability are both a little tricky and you may need an 'interstitial' internet web page.

In mobile OAuth it is recommended to use the AppAuth Pattern , where the system browser is used to handle the redirect, so that the app never has access to credentials.

For further details see the below code sample, which you can run on an emulator. The sample links to some blog posts, which discuss pros and cons, so that you can see if this type of solution is to your liking:

• Code Sample

Answer 2

It turns out <data android:scheme="http" android:host="my-app.com/callback" /> was wrong and instead of this, <data android:scheme="http" android:host="my-app.com" android:path="/callback" /> should be used. android:host should never contain the path . I confirmed it is working well without any additional user gesture, just like if it were a plain deep-link. The browser actually recognizes that this url is a claimed url and forwards the response to the app.