Authgear
HomeGet Started
Search…
Authgear Docs
Get Started
Choose your authentication approach
Web SDK
React Native SDK
Flutter SDK
Xamarin SDK
Android SDK
iOS SDK
Backend Integration
tutorials
Single-Page App
Local Development Setup
Strategies
User, Identity and Authenticator
Passkeys
WhatsApp OTP Login
Social & Enterprise Identity Providers
Biometric login
Anonymous Users
Passwordless Login for Apple App Store Review
Ethereum & NFT
Integrate
Using SDK to call your application server
User Settings
User Profile
Reauthentication
How Authgear integrate with your applications
Single Sign-on on mobile devices
Force authentication on app launch
Account Deletion
Customize
Privacy Policy & Terms of Service Links
Branding in Auth UI
Custom domain
Custom Email Provider
Customer Support Link
Localization & UI Text
APIs
API for Client Applications (OIDC 2.0)
Admin APIs
Webhooks
Webhooks
Client App SDKs
Javascript SDK Reference
iOS SDK Reference
Android SDK Reference
Flutter SDK Reference
Xamarin SDK Reference
Deploy on your Cloud
Running locally with Docker
Deploy with Helm chart
Authenticating HTTP request with Nginx
Configurations
Security Concerns
Non-HTTP scheme redirect URI
Powered By GitBook
Non-HTTP scheme redirect URI
Implication of using non-HTTP scheme in redirect URI.
If your application is a mobile application, you can choose to use custom URI scheme in the redirect URI. Custom URI scheme redirect URI does not require verification. Therefore, it is possible that there is a malicious application installed on the user's device, which claims itself capable of handling your redirect URI.
The whole attack is as follows:
  1. 1.
    The attacker generates a code verifier and a code challenge.
  2. 2.
    The attacker somehow makes the victim to install a malicious application on their device. The malicious application registers the same redirect URI that your application is using.
  3. 3.
    The victim somehow is mislead by the attacker to visit the authorization endpoint with the code challenge generated in Step 1.
  4. 4.
    The victim completes the authorization code flow and the malicious application receives the authorization code.
  5. 5.
    The malicious application uses the code verifier in Step 1 and the just received authorization code to exchange for an refresh token and an access token.
It is impossible to prevent malicious applications being installed on the user's device. However, we can mitigate this attack by not using custom URI scheme.
To do so, you can use Apple Universal Links and Android App Links.
Previous
authgear.secrets.yaml
Last modified 1yr ago
Copy link