I am implementing Sign-in with Apple for a SaaS Android app and hitting design issues. We need to support SiwA on Android for users who use multiple platforms.
One complicating factor is the use of a POST-ed form to pass the code and token. Intercepting the redirect endpoint via an app intent-filter does not seem to work for POSTs. Using a WebView with JavaScript injection may work, but that level of hackery makes me squeamish. Here's the approach we are currently considering:
1. App sign-in-with-apple button launches a hosted "https://foo.com/signInWithApple.html" page in Android Chrome.
2. signInWithApple.html configures the request using Apple's .js library and immediately launches the flow.
3. User signs in with Apple
4. Upon completion, post results to a hosted redirect endpoint: https://foo.com/redirect
5. The redirect endpoint extracts form data and immediately forwards to foo://bar?apple_token=123&code=456
6. Android intercepts the foo:// request via intent filter and receives apple_token (a JWT signed by Apple) and code
7. Client exchanges apple_token and code for an app session token via our https://foo.com/token endpoint
8. https://foo.com/token will verify apple_token against Apple's public key, validate the code using Apple's auth/token endpoint, and return an app session token for the app user that maps to the user ID ("sub") in the JWT.
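Step 8 is where the security of this flow is decided, so here is what the verification on https://foo.com/token has to do, as an added example that is not part of the original post or of Apple's libraries: parse the identity token, pin the algorithm, look the `kid` up in Apple's JWKS, check the RS256 signature, and only then check `iss`, `aud` and `exp` before trusting `sub`. It is pure Python so it runs offline; the JWKS dict with integer n/e, the client id com.example.app and the Mersenne-prime test key are constructed stand-ins (Apple publishes its real keys at https://appleid.apple.com/auth/keys), and the code exchange with Apple's auth/token endpoint is not shown.

```python
import base64, hashlib, json, time

APPLE_ISSUER = "https://appleid.apple.com"
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # DER DigestInfo prefix for SHA-256

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_test_key():
    """Constructed RSA key from two Mersenne primes: trivially factorable, offline-demo use only."""
    p, q, e = 2**521 - 1, 2**607 - 1, 65537
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

def _emsa(msg, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg), padded to the modulus length k."""
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign_rs256(key, kid, claims):
    """Mint an RS256 JWT the way Apple's server would; used here only to feed the verifier."""
    h = b64url_encode(json.dumps({"alg": "RS256", "kid": kid}).encode())
    p = b64url_encode(json.dumps(claims).encode())
    k = (key["n"].bit_length() + 7) // 8
    m = int.from_bytes(_emsa(f"{h}.{p}".encode(), k), "big")
    return f"{h}.{p}." + b64url_encode(pow(m, key["d"], key["n"]).to_bytes(k, "big"))

def verify_apple_identity_token(token, jwks, client_id, now=None):
    """Return the verified claims (including 'sub') or raise ValueError.
    jwks maps kid -> {'n': int, 'e': int}; Apple's JWKS ships n and e base64url-encoded."""
    h, p, s = token.split(".")  # ValueError unless exactly header.payload.signature
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "RS256":  # pin the algorithm: reject 'none' and HMAC algs outright
        raise ValueError("unexpected alg")
    key = jwks.get(header.get("kid"))
    if key is None:  # in production: refresh Apple's JWKS once, then fail closed
        raise ValueError("unknown kid")
    k = (key["n"].bit_length() + 7) // 8
    sig = int.from_bytes(b64url_decode(s), "big")
    if sig >= key["n"] or pow(sig, key["e"], key["n"]).to_bytes(k, "big") != _emsa(f"{h}.{p}".encode(), k):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))  # only now is the payload trustworthy
    now = time.time() if now is None else now
    if claims.get("iss") != APPLE_ISSUER or claims.get("aud") != client_id:
        raise ValueError("wrong issuer or audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired")
    return claims
```

The returned `sub` is the stable per-team Apple user ID to key the app account on; everything else in the payload (email, name) is unverified hints and the token should be accepted once only, within its short `exp` window.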