Is it possible to use Android App Links, starting with https://
such as: https://my-app.com/callback
to redirect back to my application from an Android WebView in the end of an OAuth2 flow? I know how normal deep links work, such as com.my-app://
or my-app://
can be used to redirect back to my app. According to my understanding, the WebView doesn't know how to handle such protocols, passes the request up to the OS, and the OS than passes the request to my application which handles this url if an adequate IntentFilter is provided in AndroidManifest.xml
.
Can this be done by a https://
scheme or the redirect will always be caught by the WebView and there's no way to redirect back to my app?
To specify what I want to achieve with steps:
- An IntentFilter is provided in
AndroidManifest.xml
to handle the app link, like:
<intent-filter android:autoVerify="true">
<action android:name="android.intent.action.VIEW" />
<category android:name="android.intent.category.DEFAULT" />
<category android:name="android.intent.category.BROWSABLE" />
<data android:scheme="http" android:host="my-app.com/callback" />
<data android:scheme="https" />
</intent-filter>
- A valid
assetlinks.json
is provided athttps://my-app.com/.well-known/assetlinks.json
(at this point, theIntentFilterIntent
logs reveal that the validation of the JSON succeeds and I am able to open the app from the terminal with a command likenpx uri-scheme open https://my-app.com/callback
) - My app starts an OAuth2 flow by launching
CustomTabsIntent.launchUrl
with an url like:
https://accounts.google.com/o/oauth2/v2/auth?
scope=email%20profile&
response_type=code&
state=state&
redirect_uri=https://my-app.com/callback&
client_id=client_id
After these steps, I expect my app to open after a successful login because it is a valid handler of the url and don't want to be stuck in the browser. Is this possible, or the request will never be forwarded from the browser to the OS, because the browser is a valid handler of the https://
scheme?
If above is impossible, is there a way to navigate back from the WebView to the App, providing the auth_code
or the only way to do this is to use custom schemes?
It is definitely possible (and recommended) to use Claimed HTTPS Schemes like this, though I have not done so with a WebView.
The tricky part is that redirection back to the app won't work reliably without a User Gesture - something that the user clicks. The user experience and reliability are both a little tricky and you may need an 'interstitial' internet web page.
In mobile OAuth it is recommended to use the AppAuth Pattern, where the system browser is used to handle the redirect, so that the app never has access to credentials.
For further details see the below code sample, which you can run on an emulator. The sample links to some blog posts, which discuss pros and cons, so that you can see if this type of solution is to your liking: