That question is hardly related to AppLinks assetlinks.json appears not to be used for validation
I am implementing Oauth2 apps on Android. I would like to do SSO (single sign-on) and I have a concern about AppLink to secure the Autorization Code.
The native app, through the browser, initiate an Authorization Request and then receive an Authorization Response containing the Authorization Code. According to RFC6749#section-4.1.2, the code is passed inside the URL:
Location: https://client.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz
Authorization Code is a sensitive piece of information because it allows a client to fetch an Access Token and Refresh Token and then access to a protected ressource.
To protect that code, the native app must implement https scheme redirects (RFC8252#section-7.2 & section-8.1). On Android, that must be done using the assetlinks.json file
But according to the related question linked at the top, app links on Android seems not to be 100% secure, because the OS may not verify the https scheme.
In that context, how are we supposed to implement Oauth2 authorization code hook ?
According to @benjamin anwser, AppLink is not for security. But, the related threat use-case is the following : a malicious app is installed and uses the "SSO Cookie" to get the Auth Code
and exchange it for AT+RT
. It seems to me that nothing in the process can prevent that case: if applink is not for security, how does the Authorization Server can be aware that this app is a malicious app ?
Note: By SSO-Cookie, I mean the use of CustomTab to do SSO on Android.
It's not the AppLinks functionality that guarantees security. When you configure the /.well-known/assetlinks.json
file it allows a transparent redirect to the application without any user interaction. This means that the modal dialog that usually appears to chose which application the user would like use to handle the link won't pop.
As you stated, this mechanism can be bypassed if the user chooses to handle your link with another app or your app is not yet install. The user needs to go to the phone setting in order to achieve this :
Settings > Apps > choose the application which can handle the Authorization Code link > Open by default > Open supported links in this app > choose Always allowThis way a third party application can catch the information contained in your link, in your case the Authorization Code.
That been said, it's actually the Proof Key for Code Exchange (PKCE) that guarantees security of Authorization Code. Your server must implement this feature in order to mitigate unwanted Authorization Code replays. A little reminder on the OAuth authorization steps using PKCE :
/authorization
endpoint with a hashed random string and the method which was used to hash it. The client keeps the random string (not hashed) because it will used in the step 3./token
endpoint with random string generated in step 1./token
request, extracts the random string and hashes it with the method stored in step 2. Then the server must checks that this hashed string matches the one stored in step 2. If the strings are the same, the server responds with an Access Token and a Refresh Token, otherwise with an error.This is how the PKCE ensures that the client that made the /authorization
request it's the same client that will make the /token
request. So even if a third party app captures your Authorization Code it can't use it to retrieve Acess Tokens.
For more informations see : PKCE (rfc 7636) and OAuth 2.0 for Native Apps (rfc 8252)