[Openid-specs-ab] AppAuth: Anyone having issue with redirect back to apps?

Kosuke Koiwai kkoiwai at gmail.com
Wed Jun 14 04:21:17 UTC 2023 

Thanks Joseph and DW,

I'll try it when I encounter the issue next time.

Kosuke

On Wed, Jun 14, 2023 at 11:01 AM David Waite
<david at alkaline-solutions.com> wrote:
>
> To diagnose I would personally:
>
> 1. Ask for a screen recording of the issue
> 2. Ask them to kill (swipe up) and try again with the app to see if they can reproduce
> 3. Request sysdiagnose
>
> ASWebAuthenticationSession is really built to use custom URI rather than claimed HTTPS, but we’ve typically used a mobile-app-specific claimed HTTPS redirect URI which, if rendered, navigates to the custom URI.
>
> The launching the system browser will also always try to render one page, even if it is a claimed HTTPS URI. You can make the SSO process too seamless.
>
> -DW
>
> On Jun 13, 2023, at 1:32 PM, Joseph Heenan via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
>
> 
> Hi Kosuke
>
> For iOS, probably the next thing I would try is to gather sysdiagnose from a device that has had the issue recently:
>
> https://download.developer.apple.com/iOS/iOS_Logs/sysdiagnose_Logging_Instructions.pdf
>
> This may reveal something about why the link association has failed to establish.
>
> Thanks
>
> Joseph
>
> On 12 Jun 2023, at 13:29, Kosuke Koiwai <kkoiwai at gmail.com> wrote:
>
> Hi Joseph,
>
> Thanks for the tip!
>
> Yes it is much less than 10% but still not negligible considering the user base.
> We force-call Chrome so third party browsers shouldn't be the cause.
> Don't see any trend regarding OS/browser versions, device makes, etc.
> (except, a certain Chrome&Android version had a bug in past handling
> app links from CustomTabs.)
> The deeplinks are called from a different subdomain.
> Our users are mostly in Japan and the AAPA/assetinks files are intact,
> I checked with the CDN (i.e.
> https://app-site-association.cdn-apple.com/a/v1/yourdomain.com).
> but I acknowledge that there might be an issue at the client side.
>
> Usually the issue recovers after re-installation of the app, device
> restart or a few hours of wait, but in a rare case these remedies
> don't work.
>
> Kosuke
>
> On Mon, Jun 12, 2023 at 7:14 PM Joseph Heenan <joseph at authlete.com> wrote:
>
>
> Hi Kosuke
>
> I presume it’s still a relatively small number of user (<10%)?
>
> I do work with customers that occasionally see issues like this, but quite often a bit of data is necessary to narrow down the issue.
>
> Problems I have seen in the past:
>
> Custom URL schemes fail on <2% of Android devices, with Samsung browser being a common theme (solution: use claimed https urls)
> Deeplinking fails to establish if the .well-known/apple-app-site-association is geoblocked in a way that prevents it being fetched for some clients (the fetch for this file usually comes from Apple’s servers from a region intended to be close to the region the user is believed to be in, not from the user’s device - solution: don’t geoblock trivial config files)
> Deep linking is, at best, unreliable if the deep link is launched from a web page on the same hostname (solution: put the redirect uris on different hostnames/domains from the AS)
> Deep linking is, at best, unreliable if the deep link is launched from somewhere that is not a direct result of a user action (so e.g. a top level redirect is okay, a link the user clicks on is ok, but assigning to window.location in the result handler for a xmlhttprequest is getting dodgier)
>
>
> And probably others that I don’t immediately remember :)
>
> My usual approach (after checking for some of the standard things) is to start gathering some data - if you know that it’s certain OS versions, certain browsers, certain locations, that gives you something to investigate.
>
> Thanks
>
> Joseph
>
>
> On 12 Jun 2023, at 03:52, Kosuke Koiwai via Openid-specs-ab <openid-specs-ab at lists.openid.net> wrote:
>
> Hi all,
>
> I'm having an issue that not a negligible number of users can't
> redirect back to native (Android/iOS) apps after OIDC login sessions
> on ChromeCustomTab/ASWebAuthenticationSession.
> Most users can successfully login, but some fraction of users can't,
> and I have not been able to reproduce the issue.
>
> Occurs with both HTTP schema (AppLinks/Universal Links) and custom URL schema.
> I'm wondering if anyone has the same issue.
>
> Thanks,
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> https://lists.openid.net/mailman/listinfo/openid-specs-ab
>
>
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> https://lists.openid.net/mailman/listinfo/openid-specs-ab

More information about the Openid-specs-ab mailing list