Use "app link" for redirect

App-claimed "https" scheme redirect URIs have some advantages
compared to other native app redirect options in that the identity of
the destination app is guaranteed to the authorization server by the
operating system. For this reason, native apps SHOULD use them over
the other options where possible.

https://tools.ietf.org/html/rfc8252#section-7.2

It seems this is something we have to do, but how is this enforced? is this something that needs "domain validation" in the play store? Or how does that work?

https://developer.android.com/training/app-links/index.html

Seems only supported Android >= 6. I think currently we require Android >= 5 for the app. Is it okay to update the requirements to Android >= 6? Android < 6 is no longer supported in any way by Google.

I did manage to get it to work at some point, but now it is broken again. No idea what is going on, it won't return to the correct place in the app, i.e. it will go back to the "add provider" page and not to the main screen.

It is strange that you need to override the manifest with a "scheme" but you can't specify app links directly with this method with AppAuth so you DO have to modify the manifest of the app itself as well, so it seems there are now two ways to specify it. Ugly!

What is your idea about this? Is this feasible?

[dzolnai]

Seems only supported Android >= 6. I think currently we require Android >= 5 for the app. Is it okay to update the requirements to Android >= 6? Android < 6 is no longer supported in any way by Google.

I think users would prefer compatibility with older devices with having the drawback of a less secure redirect. If we use custom tabs, then the redirect goes back to the app immediately, so this is only the case with the default browser AFAIK.

I did manage to get it to work at some point, but now it is broken again. No idea what is going on, it won't return to the correct place in the app, i.e. it will go back to the "add provider" page and not to the main screen.

That should be easily fixable, we can detect if the app is opened from a URI scheme, and then open the correct screen.

It is strange that you need to override the manifest with a "scheme" but you can't specify app links directly with this method with AppAuth so you DO have to modify the manifest of the app itself as well, so it seems there are now two ways to specify it. Ugly!

I'm not entirely sure I understand what you mean, but with adding the scheme under an activity in the Manifest, you tell the system that the specific activity can be opened via that URL scheme you just added.
If multiple apps specify the same scheme, then the system provides a chooser.
App links is an extension to this system, where you upload a special file to a specific URL, by this you make a statement to the system that you are the owner of the website, and the given app belongs to you, so the system should not even ask which app to open.

I think users would prefer compatibility with older devices with having the drawback of a less secure redirect. If we use custom tabs, then the redirect goes back to the app immediately, so this is only the case with the default browser AFAIK.

For security software it makes sense to only support the versions of Android that are still supported and receive security updates... Not sure what is the lowest version that still receives (monthly) updates? Does e.g. the Fairphone actually fix security issues after Google stops supporting an Android version? Not sure what makes sense here...

App links is an extension to this system, where you upload a special file to a specific URL, by this you make a statement to the system that you are the owner of the website, and the given app belongs to you, so the system should not even ask which app to open.

It would be nice to implement this (using the HTTPS URL) because then we can disable the "authorize" dialog for the Android app! If this is not a (big) problem. then I guess it makes sense to go for it! :)

[dzolnai]

Not sure what is the lowest version that still receives (monthly) updates?

This is manufacturer-dependent, but it is usually 2 years after release of the device.
I would say, maybe 8.0 is getting some updates still.

Does e.g. the Fairphone actually fix security issues after Google stops supporting an Android version?

Probably not.

It would be nice to implement this (using the HTTPS URL) because then we can disable the "authorize" dialog for the Android app! If this is not a (big) problem. then I guess it makes sense to go for it! :)

The problem with this is, it only works with https redirect URIs. Right now our URI is org.eduvpn.app:/api/callback. I see there was a similar problem for iOS so maybe it is time for Android to switch too?

https://github.com/eduvpn/vpn-user-portal/blob/v2/src/OAuthClientInfo.php#L42

'https://android.app.eduvpn.org/api/callback',  // Android >= 6

Could this work?

[dzolnai]

Looks good to me!
The json file needs to placed to https://android.app.eduvpn.org/.well-known/assetlinks.json in this case.

If you can provide the contents of what needs to be in there exactly I can put it there :)