Allow custom scheme for Redirect URI's

Custom URL schemes are much less secure than universal app links - best to use those instead. Can then have a fallback on the URL which directs back through a URL scheme. Also bear in mind the data is posted rather than provided as URL params.

The problem with using App Links is they require Android 6.0 or higher, which just isn't that realistic for many app developers. Given this restriction, it's one thing to include the use of app links as an optional feature, it's another to require it for something like sign in for an app.

The way Google's oauth works on mobile is using the authorization code grant flow, however they add in PKCE support and they do NOT require the client secret for keys registered as Android or iOS apps. This is a bit safer than the old implicit flow, and they do allow custom URI schemes so you can redirect back to your app with the auth code to exchange for an access token right from the device.

It would be really helpful to android developers to allow the same type of flow with Apple Sign In.

As it stands, I can actually currently make sign in work in an android app (yes, the auth code is returned in the url fragment of the redirect), but I'm a) storing the client secret IN the app, and b) hosting the sign in flow in a webview instead of using the system browser or custom tabs (similar to SFSafariViewController). This is a really bad practice, and if developers aren't given a better option there's a good chance many will take this route.

Hi Redth, QQ:

> yes, the auth code is returned in the url fragment of the redirect

How did you manage this? There's nothing of note in the url or query string in my experience so far.