OAuth redirect with an App Link not working occasionally

Question

We have an app that uses a OAuth 2.0 for login. In our app, we're using AppAuth-Android to implement this flow. As a redirect URI, we're using an HTTPS scheme link - https://example.com/oauthRedirect, and added a digital asset links file at https://{domain}/.well-known/assetlinks.json. We've confirmed that this verification succeeds when our app is installed, and found during our testing that the browser is dismissed and the user is redirected back to our application. But we have reports from our users that they aren't able to log in. For some reason the redirect app link isn't getting handled by the app.

The only way we've been able to reproduce this is by installing the app on airplane mode to force the intent filter verification to fail. But since this verification process is out of our control, what kind of counter-measures can we implement on our end to handle this edge case? I'm aware of Android 12 adding a new API to ask the user to manually enable link handling for our app, and plan on implementing this in case there is no better solution.

I'd love to find out if others have encountered this issue before, and how they handled it. Any help here would be greatly appreciated!

Answer 1

It's a good question, since logically app links should be the most mainstream mobile login mechanism in use for OAuth 2.0 secured apps:

• Follows RFC8252 recommendations
• In line with Financial grade recommendations
• You get a correct access token with which to call APIs once login completes

USER GESTURE REQUIREMENT

If a user does an OpenID Connect redirect and is already signed in for another app, there will be no Chrome Custom Tabs user gesture, and the not returning to the app problem is well known. This can occur with private URI scheme based login responses, but in my experience is most common with HTTPS redirect URIs.

POSSIBLE RESOLUTIONS

There are a few possible solutions you can try. You should test and see which you prefer both in terms of reliability and UX:

• Use the OpenID Connect prompt=none parameter to force a login on every user redirect

• Some authorization servers may allow you to configure an authentication step of an acknowledgement page that runs after authentication, to force a user gesture

• You can configure a consent screen to run on every user login, eg using prompt=consent

• You can use an interstitial page that receives the authorization code and then forwards it to the app using a deep link. My Android blog post does this since the authorization server used does not support the other options. You can run my code sample on an emulator or device and test the reliability.

REFERENCES

• The Android AppAuth issues has quite a bit of feedback on this problem.

• This Chrome Custom Tab issue from a mailing list discusses the issue.

• This AppAuth Android example has some information on interstitial pages.

• This Forge Rock iOS article discusses the need for an intermediate screen and links to this iOS issue. That is a different platform, but it is worth being aware that the same type of issue exists there also.