
Investigate how to use HTTPS URL for redirect #23

Closed
ghost opened this issue Dec 20, 2017 · 12 comments

Comments

@ghost

ghost commented Dec 20, 2017

App-claimed "https" scheme redirect URIs have some advantages
compared to other native app redirect options in that the identity of
the destination app is guaranteed to the authorization server by the
operating system. For this reason, native apps SHOULD use them over
the other options where possible.

https://tools.ietf.org/html/rfc8252#section-7.2

It seems this is something we have to do, but how is this enforced? is this something that needs "domain validation" in the iTunes store? Or how does that work?

@jeroenleenarts
Collaborator

@fkooman I'm unsure what you are referring to? Is it related to the OAuth flow?

@ghost
Author

ghost commented Jan 3, 2018

Yes. Currently you are using the app URI I guess, i.e. org.eduvpn.app:/api/callback. It is also possible to claim a "real" URL as a redirect_uri, e.g. https://ios.app.eduvpn.org. I am assuming there is some way to register this in the app and also have an approval process when submitting the app to the app store so only we can claim this URL and no other app developer. This allows us to disable the "confirmation dialog" for OAuth because we are really sure only the official app can claim https://ios.app.eduvpn.org.

I am not exactly sure how this works, hence the investigate :)

@ghost
Author

ghost commented Jan 3, 2018

App-Claimed https URL Redirection

Some platforms, (Android, and iOS as of iOS 9), allow the app to override specific URL patterns to
launch the native application instead of a web browser. For example, an application could register
https://app.example.com/auth and whenever the web browser attempts to redirect to that URL, the
operating system launches the native app instead.

If the operating system does support claiming URLs, this method should be used. This allows the
identity of the native application to be guaranteed by the operating system. If the operating system
does not support this, then the app will have to use a custom URL scheme instead.

https://www.oauth.com/oauth2-servers/redirect-uris/redirect-uris-native-apps/

@jeroenleenarts
Collaborator

AppAuth claims to support universal links, so this is something we can investigate and implement. https://github.com/openid/AppAuth-iOS

@jeroenleenarts
Collaborator

@fkooman To implement this we need to do a couple things:

  1. Decide upon which domain to use for universal linking. For example: eduvpn.org or eduvpn.nl
  2. Choose a path on this domain. For example: /auth/app/redirect
  3. Create a site association file as described on the Apple Developer documentation. (Please be aware to add associations for both my testing app and the release app.)
  4. Implement the client part of this.

@jeroenleenarts
Collaborator

jeroenleenarts commented Mar 6, 2018

@fkooman This needs to be published on a domain of EduVPN. It needs to be visible on the internet with a GET request to: https://<domain>/.well-known/apple-app-site-association

No extension. MIME type should be: application/json.

Also, it HAS to be visible on a secure (HTTP) connection with a valid certificate. It does not matter if it is visible on HTTP protocol. Also, the order of the file is significant.

{
    "applinks": {
        "apps": [],
        "details": [
            {
                "appID": "T4CMEHXPLL.nl.eduvpn.app.EduVPN.test.appforce1",
                "paths": [ "/auth/app/redirect/development/"]
            },
            {
                "appID": "ZYJ4TZX4UU.org.eduvpn.client",
                "paths": [ "/auth/app/redirect/"]
            }
        ]
    }
}

@jeroenleenarts
Collaborator

@fkooman Also, "Associated Domains" needs to be enabled on the App ID in the developer portal:
Edit App ID

jeroenleenarts added a commit that referenced this issue Mar 6, 2018
@ghost
Author

ghost commented Mar 6, 2018

I guess we need to decide on a domain name first. The client_id is currently org.eduvpn.app.ios. Can we use that again in reverse? i.e.: ios.app.eduvpn.org and put the .well-known file there?

@ghost
Author

ghost commented Mar 6, 2018

Which redirect URIs should then be supported for this OAuth client? I'm guessing https://ios.app.eduvpn.org/auth/app/redirect/ and https://ios.app.eduvpn.org/auth/app/redirect/development/?

@ghost
Author

ghost commented Mar 7, 2018

$ curl -i https://ios.app.eduvpn.org/.well-known/apple-app-site-association
HTTP/1.1 200 OK
Date: Wed, 07 Mar 2018 11:15:18 GMT
Server: Apache
X-Xss-Protection: 1; mode=block
Content-Security-Policy: default-src 'self'
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=63072000; includeSubdomains;
Referrer-Policy: same-origin
Last-Modified: Wed, 07 Mar 2018 11:10:53 GMT
ETag: "1c6-566d09ccb8395"
Accept-Ranges: bytes
Content-Length: 454
Content-Type: application/json

{
    "applinks": {
        "apps": [],
        "details": [
            {
                "appID": "T4CMEHXPLL.nl.eduvpn.app.EduVPN.test.appforce1",
                "paths": [
                    "/auth/app/redirect/development/"
                ]
            },
            {
                "appID": "ZYJ4TZX4UU.org.eduvpn.client",
                "paths": [
                    "/auth/app/redirect/"
                ]
            }
        ]
    }
}
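The server-side counterpart of the check discussed in this thread, as an added example (not eduVPN code): an OAuth server should only skip the consent dialog for a redirect_uri whose scheme is https, whose host is the associated domain, and whose path is claimed in that host's AASA file by the expected TeamID.bundleID. The AASA JSON is the one served above, embedded so the check runs offline; the path matching is a simplified reading of Apple's rules (assumed: `*` matches any run of characters, `?` one character, a `NOT ` prefix excludes).

```python
"""Validate an OAuth redirect_uri against an apple-app-site-association (AASA) file."""
import fnmatch
import json
from urllib.parse import urlsplit

# Copy of the AASA document served at ios.app.eduvpn.org in the thread above.
AASA_JSON = """{
    "applinks": {
        "apps": [],
        "details": [
            {"appID": "T4CMEHXPLL.nl.eduvpn.app.EduVPN.test.appforce1",
             "paths": ["/auth/app/redirect/development/"]},
            {"appID": "ZYJ4TZX4UU.org.eduvpn.client",
             "paths": ["/auth/app/redirect/"]}
        ]
    }
}"""


def load_aasa() -> dict:
    """Parse the embedded AASA document (a fetch over HTTPS would go here in production)."""
    return json.loads(AASA_JSON)


def _path_matches(pattern: str, path: str) -> bool:
    # fnmatchcase gives whole-string, case-sensitive matching with '*' and '?'
    # wildcards, which is the assumed AASA semantics; no wildcard means exact match.
    return fnmatch.fnmatchcase(path, pattern)


def aasa_allows(aasa: dict, app_id: str, path: str) -> bool:
    """True if `app_id` (TeamID.bundleID) claims `path` in the AASA document."""
    for entry in aasa.get("applinks", {}).get("details", []):
        if entry.get("appID") != app_id:
            continue  # another app's claims never count for this app
        for pattern in entry.get("paths", []):
            if pattern.startswith("NOT "):
                if _path_matches(pattern[4:], path):
                    return False  # an explicit exclusion wins
            elif _path_matches(pattern, path):
                return True
    return False


def redirect_uri_claimed(redirect_uri: str, aasa_host: str, aasa: dict, app_id: str) -> bool:
    """OAuth-server check: only an https URI on the associated host whose path
    the expected app claims may have the confirmation dialog skipped."""
    u = urlsplit(redirect_uri)
    if u.scheme != "https" or u.netloc != aasa_host or u.fragment:
        return False
    return aasa_allows(aasa, app_id, u.path)
```

Note that the release appID does not cover the `/development/` path and vice versa, so the server must pair each client registration with exactly one appID.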

@efef
Contributor

efef commented Mar 7, 2018

"Associated Domains" has been enabled for org.eduvpn.client

jeroenleenarts added a commit that referenced this issue Mar 8, 2018
jeroenleenarts added a commit that referenced this issue Mar 9, 2018
@ghost ghost mentioned this issue Oct 31, 2018