auth0/auth0-java

authorizeUrl does not support using a redirect uri that contains a custom url scheme

JacobF7 opened this issue · 4 comments

Describe the problem you'd like to have solved

When calling AuthApi.authorizeUrl, the redirect URI cannot use a custom URL scheme (useful in mobile applications) because the validation Asserts.assertValidUrl(redirectUri, "redirect uri") checks that the URL uses http or https.

Describe the ideal solution

Ideally, when calling AuthApi.authorizeUrl, the redirect URI should be able to use a custom URL scheme (e.g. com.example.myapp://redirect).

👋 hi @JacobF7, you are correct that the redirect URI is validated for http or https schemes, as this library targets Java server-side applications. We have the Auth0.Android library for Android apps; would you mind sharing your use case and/or why that library doesn't satisfy your requirements? Thanks!

Hi @jimmyjames. Thank you for your response.

To provide some context, we offer our users a native mobile application (iOS/Android) as well as a web application. The authentication layer for both types of application is delegated to a backend Java server. We would like both applications to handle social logins, which is why the redirect URL for the mobile app needs to contain a custom URL scheme.

Thanks for the info @JacobF7. Even if the redirect URL were to support custom URL schemes, I wonder if there will be other issues by delegating auth to this library for use by mobile apps, as the authentication API client in this library targets web app authentication. The Auth0.Android and Auth0.Swift libraries target the distinct needs of authentication for mobile applications, such as supporting public clients (no secret), PKCE+code flow, etc.

I may not fully understand your architecture; could you explain how your login flow from a mobile app works exactly and why it doesn't deal with Auth0 directly? We wouldn't want to signal support for a use case that could lead to other issues, now or in the future as we make additional changes.

As a workaround, you can create the authorize (and logout) URLs manually. There may still be other issues encountered for reasons discussed above, however. Closing this issue with the suggested workaround.
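The suggested workaround, worked through as an added example that is not part of the thread and not code from the auth0-java library: the /authorize and /v2/logout URLs are assembled by hand from the documented Auth0 query parameters, so AuthAPI.authorizeUrl's http/https check never runs and the redirect URI from the issue (com.example.myapp://redirect) passes through URL-encoded. The tenant domain example.auth0.com, the client ID placeholder and the google-oauth2 connection name are assumptions for illustration. Because a custom scheme can be registered by any app on the device, the example always sends a PKCE S256 challenge and a random state; the backend must keep the verifier and state per session and check them when the code comes back, and Auth0 must list the exact redirect URI in the application's Allowed Callback URLs or the request is rejected. Requires Java 10+ for URLEncoder.encode(String, Charset).

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Hand-built Auth0 /authorize and /v2/logout URLs for a redirect URI with a
 * custom scheme. Example code, not auth0-java; URL shape follows the public
 * Authorization Code Flow with PKCE (RFC 7636).
 */
public final class ManualAuthorizeUrl {
    private static final SecureRandom RANDOM = new SecureRandom();
    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

    /** Random URL-safe token; 32 bytes encode to 43 chars, the PKCE verifier minimum. */
    public static String randomUrlSafe(int numBytes) {
        byte[] buf = new byte[numBytes];
        RANDOM.nextBytes(buf);
        return B64URL.encodeToString(buf);
    }

    /** PKCE S256 challenge: BASE64URL(SHA-256(ASCII(verifier))). */
    public static String codeChallengeS256(String verifier) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                    .digest(verifier.getBytes(StandardCharsets.US_ASCII));
            return B64URL.encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    /** Percent-encodes keys and values; ':' and '/' in a custom-scheme URI become %3A%2F%2F. */
    private static String query(Map<String, String> params) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : params.entrySet()) {
            if (sb.length() > 0) sb.append('&');
            sb.append(URLEncoder.encode(e.getKey(), StandardCharsets.UTF_8))
              .append('=')
              .append(URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8));
        }
        return sb.toString();
    }

    public static String authorizeUrl(String domain, String clientId, String redirectUri,
                                      String scope, String connection,
                                      String state, String codeChallenge) {
        Map<String, String> p = new LinkedHashMap<>();
        p.put("response_type", "code");
        p.put("client_id", clientId);
        p.put("redirect_uri", redirectUri);        // no scheme check here, only encoding
        p.put("scope", scope);
        p.put("state", state);                     // verified on callback against the session
        p.put("code_challenge", codeChallenge);    // verifier stays on the server
        p.put("code_challenge_method", "S256");
        if (connection != null) p.put("connection", connection); // pick the social IdP directly
        return "https://" + domain + "/authorize?" + query(p);
    }

    public static String logoutUrl(String domain, String clientId, String returnTo) {
        Map<String, String> p = new LinkedHashMap<>();
        p.put("client_id", clientId);
        p.put("returnTo", returnTo);               // must also be in Allowed Logout URLs
        return "https://" + domain + "/v2/logout?" + query(p);
    }

    public static void main(String[] args) {
        // Placeholder tenant and client (assumptions for this example).
        String domain = "example.auth0.com";
        String clientId = "YOUR_CLIENT_ID";
        String redirectUri = "com.example.myapp://redirect";

        // Generated per login attempt and stored server-side until the callback arrives.
        String state = randomUrlSafe(32);
        String verifier = randomUrlSafe(32);
        String challenge = codeChallengeS256(verifier);

        System.out.println(authorizeUrl(domain, clientId, redirectUri,
                "openid profile email", "google-oauth2", state, challenge));
        System.out.println(logoutUrl(domain, clientId, redirectUri));
    }
}
```

On the callback, the backend compares the returned state with the stored one before doing anything else, then sends the stored verifier as code_verifier in the token request; this is the check that stops a rival app that has claimed the same custom scheme from redeeming an intercepted code.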