Sanjay

Reputation: 2008

How to handle redirect url for mobile application - OAuth 2.0 Authorization Code Flow with PKCE

We are trying to build an Android mobile application that would use the OAuth 2.0 authorization code flow with PKCE.
While reading more about this, I found we have to pass a redirect URL to which it would return a code. For web applications it would make sense to have a redirect URL, but how could we have it for a mobile application?
Some of my colleagues suggested using an in-app browser that would do this job, but I don't want to use a browser in my application at all.

Can someone please suggest the best way to implement this?

Upvotes: 0

Views: 4137

Answers (2)

Takahiko Kawasaki

Reputation: 19021

In the past, developers used a custom scheme (e.g. myapp://) to catch the redirection response (i.e. 302 Found) on the client side.

However, malicious developers found a way to steal an authorization code from the custom-scheme invocation process. It is called the "authorization code interception attack". RFC 7636, aka PKCE, has been developed as a countermeasure for the attack. See this article for a technical explanation.

A new way recommended in BCP 212 is Claimed https Scheme URI Redirection. See Section 7.2 for details.

Vendor-free solutions are AppAuth-* (such as AppAuth-iOS and AppAuth-Android), which are available at https://github.com/openid/.

Finally, note that in-app browsers won't work for OAuth any longer. See this article for the background of the prohibition of in-app browsers.

Upvotes: 6
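The interception attack and the PKCE countermeasure this answer refers to, as an added example that is not part of the answer or of RFC 7636: the client-side verifier/challenge derivation (RFC 7636 sections 4.1 and 4.2, S256 method) next to a minimal authorization-server model (the `AuthorizationServer` and `pkce_flow_demo` names are mine) showing why a code captured from a custom-scheme redirect is useless without the verifier that never left the legitimate app.

```python
import base64
import hashlib
import secrets


def make_code_verifier(nbytes: int = 32) -> str:
    # RFC 7636 4.1: 43..128 chars of [A-Za-z0-9-._~]; 32 random bytes -> 43-char base64url string.
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    # RFC 7636 4.2, S256: BASE64URL(SHA256(ASCII(code_verifier))) with padding removed.
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Toy model (assumption): binds each issued code to the challenge sent in the authorization request."""

    def __init__(self) -> None:
        self._codes = {}  # authorization code -> (code_challenge, code_challenge_method)

    def authorize(self, code_challenge: str, method: str = "S256") -> str:
        code = secrets.token_urlsafe(24)
        self._codes[code] = (code_challenge, method)
        return code  # delivered to the app through the redirect URI (where an interceptor can see it)

    def token(self, code: str, code_verifier: str) -> bool:
        entry = self._codes.pop(code, None)  # single use: any attempt consumes the code
        if entry is None or entry[1] != "S256":
            return False
        # RFC 7636 4.6: recompute the challenge from the presented verifier and compare in constant time.
        return secrets.compare_digest(make_code_challenge(code_verifier), entry[0])


def pkce_flow_demo():
    """Returns (legit_ok, replay_ok, interceptor_ok): only the app holding the verifier gets a token."""
    server = AuthorizationServer()
    verifier = make_code_verifier()
    challenge = make_code_challenge(verifier)
    # Legitimate app: authorization request carries the challenge, token request carries the verifier.
    code = server.authorize(challenge)
    legit_ok = server.token(code, verifier)
    # Replaying an already-used code is refused.
    replay_ok = server.token(code, verifier)
    # Interceptor: registered the same custom scheme and captured a fresh code, but never saw the verifier.
    stolen = server.authorize(challenge)
    interceptor_ok = server.token(stolen, make_code_verifier())
    return legit_ok, replay_ok, interceptor_ok
```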

Matt Raible

Reputation: 8644

You can use the Okta Android SDK to create your own UI for login. https://github.com/okta/okta-oidc-android#Sign-in-with-your-own-UI

Upvotes: -1
