
OAuth2 redirect URL dynamic address


Dear all,

It may be a silly question, but I am stuck with the following doubt:

Mobile apps have a dynamic address because they are installed on a smartphone. So what should the callbackURL be in Apigee Edge? Should I leave that blank and only pass it in the OAuth2 3-legged flow during the token creation process? If so, Apigee says that this case should only be used for trusted apps:

http://docs.apigee.com/api-services/content/oauthv2-policy

Please advise.

Thanks a lot,

Antonio

1 ACCEPTED SOLUTION

Hi @antonio bruno

There are mainly 2 ways of doing this with mobile apps:

  1. Use the temporary credentials concept, where the server generates a code and asks the user to type it into the app. The app will then go to the server with this code and get tokens. This is mostly done when the app cannot listen for external requests coming in.
  2. You register a "custom URI scheme" on iOS or define an "Intent" on Android. Both will be used by the mobile browser to start your app. You register that URI in Apigee during application on-boarding. When the OAuth handshake starts, you will start the browser and point it to the authorization endpoint. The user will interact with the browser. The server will then respond with a 302 redirect to the mobile browser with your custom URI scheme or Intent target in the Location header. The mobile browser will then wake your app to handle the rest.

There is a lot of content, tutorials, tips and tricks on both approaches on the net - including heated discussions on _very custom_ URI schemes and global namespacing. I'd recommend you read those before implementing this.
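
The second approach from the accepted answer, sketched as an added example (not code from the post or from Apigee): the server accepts a `redirect_uri` only if it exactly equals the callback registered at on-boarding, and the app checks the callback URI and `state` before using the code. The scheme `com.example.myapp`, the function names and the sample code value are assumptions constructed for illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed value: the callback registered for the app at on-boarding.
REGISTERED_CALLBACK = "com.example.myapp:/oauth2/callback"


def authorization_redirect(requested_uri, code, state, registered=REGISTERED_CALLBACK):
    """Server side: build the Location header value for the 302 response.

    A redirect_uri sent by the client is accepted only if it is exactly
    equal to the registered one, so the code cannot be delivered elsewhere.
    """
    if requested_uri is not None and requested_uri != registered:
        raise ValueError("redirect_uri does not match the registered callback")
    return registered + "?" + urlencode({"code": code, "state": state})


def handle_callback(uri, expected_state, registered=REGISTERED_CALLBACK):
    """App side: called when the browser wakes the app with the callback URI."""
    base, _, query = uri.partition("?")
    if base != registered:
        raise ValueError("callback arrived on an unexpected URI")
    params = parse_qs(query, strict_parsing=True)
    if len(params.get("state", [])) != 1 or len(params.get("code", [])) != 1:
        raise ValueError("expected exactly one code and one state")
    # state ties the response to the request this app instance started
    received = params["state"][0].encode()
    if not hmac.compare_digest(received, expected_state.encode()):
        raise ValueError("state mismatch")
    return params["code"][0]


def demo():
    """Round trip with constructed values: server redirect, then app handling."""
    state = secrets.token_urlsafe(16)  # generated by the app per request
    location = authorization_redirect(REGISTERED_CALLBACK, "constructed-code-123", state)
    return handle_callback(location, state)


if __name__ == "__main__":
    print(demo())
```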
