Authgear
Authgear
Home
Get Started
Authgear Docs
Get Started
Choose your authentication approach
Web SDK
React Native SDK
Android SDK
iOS SDK
Backend Integration
Strategies
User, Identity and Authenticator
Social Identity Providers
Biometric login
Integrate
Using SDK to call your application server
User Settings
User Info
Reauthentication
How Authgear integrate with your applications
Customize
Privacy Policy & Terms of Service Links
Customer Support Link
Branding in Auth UI
Custom domain
APIs
API for Client Applications (OIDC 2.0)
Admin APIs
Webhooks
Webhooks
Client App SDKs
Javascript SDK Reference
iOS SDK Reference
Android SDK Reference
Deploy on your Cloud
Running locally with Docker
Deploying on Kubernetes
Multi-tenant mode on Kubernetes
Authenticating HTTP request with Nginx
Configurations
Security Concerns
Non-HTTP scheme redirect URI
tutorials
Single-Page App
Local Development Setup
Powered by GitBook

Non-HTTP scheme redirect URI

Implication of using non-HTTP scheme in redirect URI.

If your application is a mobile application, you can choose to use custom URI scheme in the redirect URI. Custom URI scheme redirect URI does not require verification. Therefore, it is possible that there is a malicious application installed on the user's device, which claims itself capable of handling your redirect URI.

The whole attack is as follows:

  1. The attacker generates a code verifier and a code challenge.

  2. The attacker somehow makes the victim to install a malicious application on their device. The malicious application registers the same redirect URI that your application is using.

  3. The victim somehow is mislead by the attacker to visit the authorization endpoint with the code challenge generated in Step 1.

  4. The victim completes the authorization code flow and the malicious application receives the authorization code.

  5. The malicious application uses the code verifier in Step 1 and the just received authorization code to exchange for an refresh token and an access token.

It is impossible to prevent malicious applications being installed on the user's device. However, we can mitigate this attack by not using custom URI scheme.

To do so, you can use Apple Universal Links and Android App Links.

Previous
authgear.secrets.yaml
Next - tutorials
Single-Page App
Last updated 8 months ago