Links on web site that can login into app with a token or fall back to web site

There is a request to add a link to one of our websites that can open our mobile app on iOS or Android, and log in to the app by passing an authentication token in. If the apps do not exist on either platform I need it to fall back to the associated website.

From what I understand about universal links or deep linking, their intended purpose is to take you to a specific page within an app, not pass along parameters. Custom URL schemes seem to fit better, but also aren't supported the same way and falling back to the web is problematic.

If anyone has ever set up something like this and has resources I can look at it would be appreciated.

Thanks.

sully77 asked Sep 09 '16 14:09



1 Answer

It is possible to build a deep linked authentication system like this, with a few important caveats:

  1. The link that is used to open your app needs to be kept private. It is essentially a password at this point, so anyone with access to the URL of the link can use it to log in. You can mitigate this risk by using a link that expires after a specified length of time.
  2. The contents of the link itself should be encoded so that if the data is snooped in transit, you don't inadvertently reveal something confidential. For example, you should pass through a token rather than the plain text password.
  3. You need to be certain that the user who opens the app is the same one who clicked the link. This is easy if the app is already installed when the link is clicked, but if you want to do 'deferred deep linking' (meaning you want the behavior to work even if the app isn't already installed) then you need to be cautious of mismatches.

URI schemes and Universal Links don't support passing parameters, but they can be used to build a system like this (Slack uses URI scheme links for their famous 'magic link' mobile sign in process, for example). However, they only work if the app is already installed. Neither one will allow you to preserve context across install, which limits their usefulness.

Simpler, more powerful option

Branch.io (full disclosure: I'm on the Branch team) links can be used to power an experience like this. Unlike URI schemes and Universal Links, we do allow you to pass real key:value parameter pairs with each link, and we have by far the best matching accuracy in the field. I would do the following:

  1. Generate a link on your website using Branch. Include a unique token in the link as a parameter. You can use the Branch web SDK for this (it even has a built-in sendSMS() function), or go straight to the API.
  2. Store that unique token on your own backend.
  3. When the app opens, you'll get the parameter back as link data. Check for Branch's +match_guaranteed parameter to make sure you have the correct user (see the blog post above for more info on how this is verified).
  4. If +match_guaranteed comes back true, verify the returned token against the value stored on your backend and log the user in. If false, or the token doesn't validate, handle the error (likely by asking the user to log in manually).

To make this extra secure, store the token in your backend with an expiration timestamp (perhaps 5-10 minutes) and don't permit the automatic authentication if the link is stale. This will prevent a URL from being found somewhere later on and reused, and will also make sure nothing bad happens if someone later retrieves the contents of the link.

Alex Bauer answered Sep 27 '22 02:09

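The backend half of the procedure in the answer above (issue a token, store it, validate it on redemption with an expiry, and refuse automatic login when the device match is not guaranteed) as an added example; this is not code from the question, the answer or Branch. It assumes an in-memory dict standing in for the backend store, a 5-minute lifetime per the answer's 5-10 minute suggestion, and that the app passes in the `+match_guaranteed` value it read from the link data as a plain boolean. It also covers the answer's first caveat: the stored side is a hash of the token, and every token is single-use, so a stale or replayed link cannot log anyone in.

```python
import hashlib
import secrets
import time

# Constructed in-memory store standing in for the backend database.
# Keyed by sha256(token) so that a copy of the store never yields a usable link.
_PENDING = {}

TOKEN_TTL_SECONDS = 5 * 60  # assumption: the low end of the answer's 5-10 minutes


def issue_login_token(user_id, now=None, ttl=TOKEN_TTL_SECONDS):
    """Create a single-use login token for user_id and record only its hash.

    The returned raw token is the only copy; on the page it would be placed in
    the Branch link as a parameter (parameter name is an assumption here).
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, never a password
    digest = hashlib.sha256(token.encode()).hexdigest()
    _PENDING[digest] = {"user_id": user_id, "expires_at": now + ttl, "used": False}
    return token


def redeem_login_token(token, match_guaranteed, now=None):
    """Validate a token presented by the app.

    Returns (True, user_id) on success, or (False, reason) when the caller
    should fall back to a manual login prompt.
    """
    now = time.time() if now is None else now
    # Caveat 3 / step 4: with deferred deep linking the device that installed
    # the app may not be the one that clicked; without a guaranteed match,
    # never log in automatically.
    if not match_guaranteed:
        return (False, "match not guaranteed")
    # Hashing before lookup keeps the raw token out of the store and the logs.
    digest = hashlib.sha256(token.encode()).hexdigest()
    record = _PENDING.get(digest)
    if record is None:
        return (False, "unknown token")
    if record["used"]:
        return (False, "token already used")
    if now > record["expires_at"]:
        return (False, "token expired")
    record["used"] = True  # single use: a leaked link cannot be replayed
    return (True, record["user_id"])


def purge_expired(now=None):
    """Drop stale records; returns how many were removed."""
    now = time.time() if now is None else now
    stale = [d for d, r in _PENDING.items() if now > r["expires_at"] or r["used"]]
    for d in stale:
        del _PENDING[d]
    return len(stale)


if __name__ == "__main__":
    t0 = 1_700_000_000.0  # constructed clock value
    tok = issue_login_token("user-42", now=t0)
    print(redeem_login_token(tok, True, now=t0 + 60))   # (True, 'user-42')
    print(redeem_login_token(tok, True, now=t0 + 61))   # (False, 'token already used')
    print(purge_expired(now=t0 + 61))                    # 1
```

The `now` parameter exists so the expiry and replay paths can be exercised deterministically; in production leave it at the default. The lookup is keyed on the hash rather than comparing raw tokens so that an operator reading the database or a backup sees nothing that opens a session.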