
Is there guidance or a suggested way on how to safely deliver the deeplink which carries the redirect URI to an app?

Open Ch0pin opened this issue 2 years ago • 0 comments

Configuration

  • Version: 0.11.1
  • Integration: native
  • Identity provider: N/A

Description

My point is that by using what is on the README (assuming that I am not missing something important), any app can imitate another app by using the client ID along with the redirect URI. If two apps use the same redirect scheme, the intent will be delivered to the "legit" app, assuming that the user can identify the legitimate component in the ambiguity dialog. If, though, the legitimate app is not installed on the device, the auth code will be delivered to the app that "claims" the redirect URI in its manifest.

So I am asking whether there is a way or a safer implementation when it comes to delivering the deeplink back to the authorised application.

Ch0pin, Jul 19 '23 09:07
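The scenario the issue describes (a second app registering the same custom scheme and receiving the authorization code) is what Android App Links exist to prevent. The manifest excerpt below is an added example, not the issue author's code or the AppAuth project's own: it replaces the custom-scheme intent filter with a verified https redirect URI. The package name, host and path are placeholder assumptions, and the surrounding manifest is assumed to declare the `tools` namespace (`xmlns:tools="http://schemas.android.com/tools"`) as the AppAuth README's `tools:node="replace"` usage requires.

```xml
<!-- AndroidManifest.xml excerpt (added example, not AppAuth's own code).
     Placeholders: app.example.com and /oauth2redirect are assumptions. -->
<activity
    android:name="net.openid.appauth.RedirectUriReceiverActivity"
    android:exported="true"
    tools:node="replace">
    <!-- autoVerify makes the OS fetch
         https://app.example.com/.well-known/assetlinks.json at install time
         and treat this app as the handler for these URLs only if that file
         lists this app's package name and signing-certificate SHA-256
         fingerprint. An app that merely claims the same filter without
         being listed there is not given the link. -->
    <intent-filter android:autoVerify="true">
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <!-- https redirect URI (https://app.example.com/oauth2redirect)
             instead of a custom scheme that any installed app could claim. -->
        <data android:scheme="https"
              android:host="app.example.com"
              android:path="/oauth2redirect" />
    </intent-filter>
</activity>
```

For this to take effect, `https://app.example.com/.well-known/assetlinks.json` must serve a Digital Asset Links statement with relation `delegate_permission/common.handle_all_urls` whose target has `namespace` `android_app`, the app's `package_name`, and its signing certificate in `sha256_cert_fingerprints`; the same https URI must be registered as the redirect URI at the identity provider. On Android 12 and later, `adb shell pm get-app-links <package>` shows whether verification succeeded; if it fails, the OS falls back to the chooser behaviour the issue describes. Note that PKCE, which AppAuth enables by default, does not help in the "legitimate app not installed" case, because the impersonating app generated the code verifier itself; binding the redirect URI to the app's signing key is what closes that gap.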