Is it possible to use custom scheme in OAuth redirect-uris?

Hi,
Is it possible to use a custom scheme in OAuth redirect-uris? This question was asked by someone else 3 years ago but didn’t receive an answer (here) (@pace).

I’m developing an Android app using OAuth for authentication on TTN servers.

I have spent a considerable amount of time reading OAuth topics in the forum. I remember someone saying that it is mandatory to use http or https schemes for the redirect-uris, but I can’t find it anymore. Can you please confirm whether this is the case?

I have tried to use a custom scheme (“com.mycompanyname.lora-provisioning://oauth/callback”) and I get the following error:

{
  "code": 3,
  "message": "error:pkg/errors:url (invalid url `\"com.mycompanyname.lora-provisioning://oauth/callback\"`)",
  "details": [
    {
      "@type": "type.googleapis.com/ttn.lorawan.v3.ErrorDetails",
      "namespace": "pkg/errors",
      "name": "url",
      "message_format": "invalid url `{url}`",
      "attributes": {
        "op": "parse",
        "url": "\"com.mycompanyname.lora-provisioning://oauth/callback\""
      },
      "correlation_id": "aa6e09eaf561461b813c34842e5ffcf8",
      "code": 3
    }
  ]
}

For Android applications, it is important that we can use custom schemes. Let me explain why:
When implementing OAuth, the Android application has to set up a filter (called an intent filter) that allows the application to be opened every time a given URL is called.
This mechanism is used by the Android application so that it is launched when the OAuth callback is called.

The URI used for redirect-uris can start with:

  • http, https: these are Web links
  • another custom scheme: these are Deep links.

Starting from Android 12, Google has made some important changes to Web links:
On Android 12 and higher, clicking a web link (that is not an Android App Link) always shows the content in a web browser, so the application doesn’t get opened.
To get the application opened, the developer has to use a server URL that he owns and designate his app as the default handler for this link. He has to put something on the server to prove that he owns this link.
In this way, he is the only one who can intercept the URI and open his application instead.

There is no such security with Deep links (= URIs starting with a custom scheme).
If TTN authentication accepts redirect-uris starting with a custom scheme, the Android application can be launched when a URI starting with this custom scheme is called. So the user doesn’t have to implement the server stuff. This is much simpler.

I hope that my explanation is clear enough and that you understand the need.

Hello,
Any feedback about this request?
Thanks!

I’ve done web database / forms / apps since NCSA Mosaic and I can assure you that OAuth was designed by a committee that was only marginally more real world than the crew that made RequireJS and pretty much every other JS technology.

OAuth is fine for web apps, but just sucks everywhere else.

I’ve a desktop app I’m creating for tracking part levels at distributors, and Digi-Key’s use of OAuth means it’s been put to the bottom of the pile. The CLI login that TTI uses creates a temporary web server on your computer to receive the response and capture it, so even TTI aren’t able or inclined to achieve your dream.

So the short answer is that you’re going to have to use your own server, which makes for an interesting security sequence to explain to your users.

Or, as suggested by one of my co-moderators, file an enhancement request with the TTI team.
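The temporary web server that the TTI CLI login uses, as described above, is the loopback-redirect pattern for native apps (RFC 8252): the app listens on 127.0.0.1 on a port the OS hands out, registers that http://127.0.0.1:port URL as the redirect-uri, and the browser delivers the callback to it with no custom scheme and no server of your own. This is an added example of that receiver in Python, not code from this thread or from TTN/TTI; the authorization endpoint and client id are placeholders, and the receiver ties the callback to the login attempt with a random state and a PKCE challenge so that a callback it did not start is refused.

```python
import base64, hashlib, hmac, secrets, threading, urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

# Placeholder (assumption): the real TTN authorization endpoint is not given on this page.
AUTHZ_ENDPOINT = "https://auth.example.invalid/oauth/authorize"

class LoopbackReceiver:
    """Temporary http://127.0.0.1:<port>/callback receiver for the OAuth redirect."""
    def __init__(self):
        self.state = secrets.token_urlsafe(32)     # ties the callback to this login attempt
        self.verifier = secrets.token_urlsafe(64)  # PKCE code_verifier, never leaves the app
        self.code = None                           # authorization code once received
        receiver = self

        class Handler(BaseHTTPRequestHandler):
            def do_GET(self):
                params = urllib.parse.parse_qs(urllib.parse.urlparse(self.path).query)
                got_state = params.get("state", [""])[0]
                if not hmac.compare_digest(got_state.encode(), receiver.state.encode()):
                    self.send_response(400)  # callback not tied to this login: refuse it
                    self.end_headers()
                    return
                receiver.code = params.get("code", [None])[0]
                self.send_response(200)
                self.end_headers()
                self.wfile.write(b"Login complete, you can close this tab.")

            def log_message(self, *args):  # keep the example quiet
                pass

        self.server = HTTPServer(("127.0.0.1", 0), Handler)  # port 0: OS picks a free port
        threading.Thread(target=self.server.serve_forever, daemon=True).start()

    @property
    def redirect_uri(self):
        return f"http://127.0.0.1:{self.server.server_address[1]}/callback"

    def authorization_url(self, client_id):
        digest = hashlib.sha256(self.verifier.encode()).digest()
        challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
        query = {"response_type": "code", "client_id": client_id,
                 "redirect_uri": self.redirect_uri, "state": self.state,
                 "code_challenge": challenge, "code_challenge_method": "S256"}
        return AUTHZ_ENDPOINT + "?" + urllib.parse.urlencode(query)

    def close(self):
        self.server.shutdown()
        self.server.server_close()
```

The app opens `authorization_url(...)` in the system browser, waits until `code` is set, then exchanges the code together with `verifier` at the token endpoint; the redirect-uri registered with the provider must allow the loopback address with a variable port for this to work.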