We have an app that uses a OAuth 2.0
for login. In our app, we're using AppAuth-Android
to implement this flow. As a redirect URI, we're using an HTTPS scheme link - https://example.com/oauthRedirect
, and added a digital asset links file at https://{domain}/.well-known/assetlinks.json
. We've confirmed that this verification succeeds when our app is installed, and found during our testing that the browser is dismissed and the user is redirected back to our application. But we have reports from our users that they aren't able to log in. For some reason the redirect app link isn't getting handled by the app.
The only way we've been able to reproduce this is by installing the app on airplane mode to force the intent filter verification to fail. But since this verification process is out of our control, what kind of counter-measures can we implement on our end to handle this edge case? I'm aware of Android 12 adding a new API to ask the user to manually enable link handling for our app, and plan on implementing this in case there is no better solution.
I'd love to find out if others have encountered this issue before, and how they handled it. Any help here would be greatly appreciated!
It's a good question, since logically app links should be the most mainstream mobile login mechanism in use for OAuth 2.0 secured apps:
USER GESTURE REQUIREMENT
If a user does an OpenID Connect redirect and is already signed in for another app, there will be no Chrome Custom Tabs user gesture, and the
not returning to the app
problem is well known. This can occur with private URI scheme based login responses, but in my experience is most common with HTTPS redirect URIs.POSSIBLE RESOLUTIONS
There are a few possible solutions you can try. You should test and see which you prefer both in terms of reliability and UX:
Use the OpenID Connect
prompt=none
parameter to force a login on every user redirectSome authorization servers may allow you to configure an authentication step of an acknowledgement page that runs after authentication, to force a user gesture
You can configure a consent screen to run on every user login, eg using
prompt=consent
You can use an interstitial page that receives the authorization code and then forwards it to the app using a deep link. My Android blog post does this since the authorization server used does not support the other options. You can run my code sample on an emulator or device and test the reliability.
REFERENCES
The Android AppAuth issues has quite a bit of feedback on this problem.
This Chrome Custom Tab issue from a mailing list discusses the issue.
This AppAuth Android example has some information on interstitial pages.
This Forge Rock iOS article discusses the need for an intermediate screen and links to this iOS issue. That is a different platform, but it is worth being aware that the same type of issue exists there also.