Authgear
Authgear
Home
Authgear
Getting Started
Authenticating HTTP request with Nginx
Integrate with a React Native app
How tos
Social Sign-on Integration
Add Privacy Policy & Terms of Service Links
Integrate with your backend
Concepts
User, Identity and Authenticator
How authgear integrate with your applications
Client App SDKs
Javascript SDK Reference
iOS SDK Reference
Android SDK Reference
APIs
API for Client Applications (OIDC 2.0)
Admin APIs
Deploy on your Cloud
Running locally with Docker
Deploying on Kubernetes
Multi-tenant mode on Kubernetes
Configurations
Security Concerns
Non-HTTP scheme redirect URI
Powered by GitBook

Non-HTTP scheme redirect URI

Implication of using non-HTTP scheme in redirect URI.

If your application is a mobile application, you can choose to use custom URI scheme in the redirect URI. Custom URI scheme redirect URI does not require verification. Therefore, it is possible that there is a malicious application installed on the user's device, which claims itself capable of handling your redirect URI.

The whole attack is as follows:

  1. The attacker generates a code verifier and a code challenge.

  2. The attacker somehow makes the victim to install a malicious application on their device. The malicious application registers the same redirect URI that your application is using.

  3. The victim somehow is mislead by the attacker to visit the authorization endpoint with the code challenge generated in Step 1.

  4. The victim completes the authorization code flow and the malicious application receives the authorization code.

  5. The malicious application uses the code verifier in Step 1 and the just received authorization code to exchange for an refresh token and an access token.

It is impossible to prevent malicious applications being installed on the user's device. However, we can mitigate this attack by not using custom URI scheme.

To do so, you can use Apple Universal Links and Android App Links.

Previous
authgear.secrets.yaml
Last updated 4 months ago