supabase/supabase-dart

Proper Mobile OAuth Flows for Single Sign On

MisterJimson opened this issue · 4 comments

Feature request

Proper Mobile OAuth Flows for Single Sign On

Is your feature request related to a problem? Please describe.

From what I can tell from the docs and examples, the current OAuth flow for SSO login is designed around web support and isn't ideal for mobile apps.

The standard mobile flow is:
1. Accept the OAuth prompt.
2. Choose or log in to an account within a web dialog.

Lastly, the OAuth redirect is typically a deep link to the app content, like appname://com.example.appname

Currently with Supabase Auth, the docs recommend using url_launcher to open the OAuth web page and redirecting to the site configured in the Supabase UI.

The supabase UI doesn't accept explicit app deep links as a valid redirect:

It's possible to have a website that does the redirect for you (example: https://github.com/MisterJimson/weak-plan-login-landing/blob/main/index.html), but this isn't a secure implementation and results in a less than ideal user experience. The user needs to leave your app and gets a strange prompt on a website. Also, the tab is left over in the user's browser, which they have to manually close later.

Here is a sample of that flow:
https://user-images.githubusercontent.com/7351329/117548393-c6671680-b002-11eb-9cc4-46c8b68c9cd8.mov

Describe the solution you'd like

A proper mobile OAuth solution built in, similar to https://github.com/MaikuB/flutter_appauth/tree/master/flutter_appauth

Describe alternatives you've considered

Examples of alternatives above

Additionally, ProviderOptions redirectTo seems to have no effect.

This has been implemented on the auth backend, and we have an internal ticket open for adding this to the dashboard. Linking here for the team: https://github.com/supabase/infrastructure/issues/959

You can now add this in the additional auth redirects, but make sure you add the exact URI (including protocol and path). Reverse URIs are also accepted.

Make sure you add the query param redirect_to or the Referer header to the URI in the SignIn request.


Quick note here: I believe if the comma-separated list (Additional Redirect URLs) contains whitespace, the item with whitespace does not work as a redirect (in my tests it falls back to the Site URL).
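To make the exact-match rule and the whitespace pitfall from the comments above concrete, here is an added illustration (my own code, not supabase-dart's or the Supabase backend's): a small Python model of an allow-list check that accepts a redirect_to value only on an exact match of the whole URI and otherwise falls back to the Site URL. The list entries and Site URL are constructed sample values.

```python
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample values (not from any real project): the comma-separated
# "Additional Redirect URLs" setting and the fallback Site URL.
ADDITIONAL_REDIRECT_URLS = "appname://com.example.appname, com.example.appname://callback"
SITE_URL = "https://example.com"


def parse_allow_list(raw: str, strip: bool) -> List[str]:
    """Split the comma-separated setting into entries.

    strip=False keeps surrounding whitespace, reproducing the pitfall from the
    thread: " com.example.appname://callback" (leading space) is stored as-is
    and can never equal a clean redirect_to value.
    """
    entries = raw.split(",")
    if strip:
        entries = [e.strip() for e in entries]
    return [e for e in entries if e]


def resolve_redirect(requested: Optional[str], allow_list: List[str], site_url: str) -> str:
    """Return the redirect target to use for a sign-in request.

    The check is an exact match of the whole URI (scheme, host, path, query),
    not a prefix match: "appname://com.example.appname/extra" must NOT be
    accepted just because a listed entry is a prefix of it, or the auth
    response could be steered to a location the app owner never registered.
    Anything that fails the check falls back to the configured Site URL.
    """
    if not requested:
        return site_url
    if not urlsplit(requested).scheme:  # relative or scheme-less values are rejected
        return site_url
    return requested if requested in allow_list else site_url


if __name__ == "__main__":
    loose = parse_allow_list(ADDITIONAL_REDIRECT_URLS, strip=False)
    strict = parse_allow_list(ADDITIONAL_REDIRECT_URLS, strip=True)
    print(resolve_redirect("appname://com.example.appname", loose, SITE_URL))        # accepted
    print(resolve_redirect("com.example.appname://callback", loose, SITE_URL))       # falls back
    print(resolve_redirect("com.example.appname://callback", strict, SITE_URL))      # accepted
    print(resolve_redirect("appname://com.example.appname/extra", strict, SITE_URL)) # falls back
```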