I am building an OpenID Connect (OIDC) Provider to support SSO on a web application, an iOS application and an Android application.
After the OIDC Provider has authenticated the user, it redirects the user back to the application (web, iOS, Android) with an authorization code. The client uses the authorization code to obtain the token.
For the web application, I know the redirect URI is the web application URL, e.g. https://client-web-application-url/oauth-callback. The OIDC Provider redirects the user back to this URL with the authorization code in the query string.
However, for the iOS and Android applications, I don't know what redirect URI to redirect to. I only know the iOS Bundle ID and the Android Package Name.
How can I build the redirect URI for the iOS and Android applications? The OIDC Provider needs to redirect the user back to the application with the authorization code.
The most mainstream option is to use the AppAuth pattern from RFC 8252 and a private URI scheme value registered with the mobile operating system, such as this. The URL is also registered against the client in the OIDC provider:
com.mycompany.myapp:/callback
My blog posts will get you up and running with a basic sample:
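To show what "registered against the client in the OIDC provider" means in practice on the provider side, here is an added example (my own code, not from the answer above or from AppAuth) of how a provider might store the two redirect URIs from this thread, check a private-use scheme URI at registration time and, at authorization time, only ever redirect to an exact match of a registered value. The client IDs, the registry dict and the function names are constructed for the example.

```python
"""Redirect-URI registration and exact-match validation for an OIDC provider.

Constructed example. The two URIs come from the thread above; the client IDs
and registry layout are made up for illustration.
"""
from typing import Dict, List, Optional
from urllib.parse import urlencode, urlsplit

# Constructed client registry: client_id -> list of registered redirect URIs.
CLIENT_REGISTRY: Dict[str, List[str]] = {
    "web-client": ["https://client-web-application-url/oauth-callback"],
    "mobile-client": ["com.mycompany.myapp:/callback"],
}


class RedirectUriError(ValueError):
    """Raised when a redirect URI is rejected. The provider must NOT redirect on it."""


def is_private_use_scheme(scheme: str) -> bool:
    """True for a reverse-domain scheme such as 'com.mycompany.myapp' (RFC 8252 section 7.1).

    A private-use scheme is the reversed form of a domain the app publisher controls,
    so it has at least two dot-separated labels made of letters, digits and hyphens.
    """
    labels = scheme.lower().split(".")
    return len(labels) >= 2 and all(
        label and label.replace("-", "").isalnum() for label in labels
    )


def registration_error(uri: str) -> Optional[str]:
    """Check a URI when a client registers it; return a reason string or None if acceptable.

    Rejecting bad values at registration keeps them out of the registry, so the
    authorization endpoint only has to do an exact comparison later.
    """
    parts = urlsplit(uri)
    if parts.fragment:
        return "redirect URI must not contain a fragment"
    if "*" in uri:
        return "wildcards are not allowed in redirect URIs"
    if parts.scheme == "https":
        return None if parts.netloc else "https redirect URI needs a host"
    if is_private_use_scheme(parts.scheme):
        # Private-use scheme for a native app, e.g. com.mycompany.myapp:/callback
        return None
    return f"unsupported redirect URI scheme: {parts.scheme!r}"


def resolve_redirect_uri(client_id: str, requested_uri: Optional[str]) -> str:
    """Return the URI the provider may redirect to, by exact string match only."""
    registered = CLIENT_REGISTRY.get(client_id)
    if not registered:
        raise RedirectUriError(f"unknown client {client_id!r}")
    if requested_uri is None:
        # Only acceptable when the client has exactly one registered URI.
        if len(registered) == 1:
            return registered[0]
        raise RedirectUriError("redirect_uri is required when several URIs are registered")
    if requested_uri not in registered:
        # No prefix, suffix or substring matching: anything looser than exact
        # comparison lets a manipulated request send the code somewhere else.
        raise RedirectUriError("redirect_uri does not match a registered value")
    return requested_uri


def is_acceptable_redirect(client_id: str, requested_uri: Optional[str]) -> bool:
    """Boolean convenience wrapper around resolve_redirect_uri."""
    try:
        resolve_redirect_uri(client_id, requested_uri)
        return True
    except RedirectUriError:
        return False


def build_callback_redirect(
    client_id: str, requested_uri: Optional[str], code: str, state: Optional[str] = None
) -> str:
    """Build the Location value for the authorization-code redirect.

    Works the same for the web https URI and the mobile private-use scheme URI:
    the code (and state, if the client sent one) are appended as query parameters.
    """
    target = resolve_redirect_uri(client_id, requested_uri)
    params = {"code": code}
    if state is not None:
        params["state"] = state
    separator = "&" if "?" in target else "?"
    return f"{target}{separator}{urlencode(params)}"


if __name__ == "__main__":
    for client, uris in CLIENT_REGISTRY.items():
        for uri in uris:
            print(client, uri, registration_error(uri) or "ok")
    print(build_callback_redirect("mobile-client", "com.mycompany.myapp:/callback", "abc123"))
```

The point the code makes is that a private-use scheme URI is handled exactly like the web callback URL: it is stored against the client, compared as a whole string at authorization time, and gets the code appended as a query parameter. The mobile OS takes care of routing `com.mycompany.myapp:/callback?code=...` to the app that registered that scheme, which is why the provider never needs the Bundle ID or Package Name itself.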