
Appendix A. Server Support Checklist

OAuth servers that support native apps must:

  1. Support private-use URI scheme redirect URIs. This is required to support mobile operating systems. See Section 7.1.

  2. Support "https" scheme redirect URIs for use with public native app clients. This is used by apps on advanced mobile operating systems that allow app-claimed "https" scheme URIs. See Section 7.2.

  3. Support loopback IP redirect URIs. This is required to support desktop operating systems. See Section 7.3.

  4. Not assume that native app clients can keep a secret. If secrets are distributed to multiple installs of the same native app, they should not be treated as confidential. See Section 8.5.

  5. Support PKCE [RFC7636]. Required to protect authorization code grants sent to public clients over inter-app communication channels. See Section 8.1.
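The five items above describe what the authorization server must accept and check. The following Python sketch is an added example, not code from RFC 8252 or any reference implementation: it models the authorization and token endpoints of a server that satisfies the checklist. The in-memory client registry, the issued-code store, the sample redirect URIs and all function names are constructed for illustration. It matches private-use scheme and "https" redirect URIs exactly (items 1 and 2), matches loopback IP redirect URIs without regard to port, as Section 7.3 requires, since the app binds an ephemeral port (item 3), registers no client secret for the native apps (item 4), and requires and verifies a PKCE code_challenge for every authorization code it issues (item 5). The PKCE S256 computation is checked against the test vector in RFC 7636 Appendix B.

```python
"""Authorization-server checks for native-app clients.

Added example, not text or code from RFC 8252. The in-memory client
registry, the issued-code store and every function name here are
constructed for illustration; a real server would back them with storage.
"""
import base64
import hashlib
import hmac
import ipaddress
import re
import secrets
from urllib.parse import urlsplit

# Public native-app clients and their registered redirect URIs (constructed
# sample data). No client_secret is stored: checklist item 4.
CLIENTS = {
    "mobile-app": {"redirect_uris": ["com.example.app:/oauth2redirect",          # 7.1 private-use scheme
                                     "https://app.example.com/oauth2redirect"]},  # 7.2 claimed https
    "desktop-app": {"redirect_uris": ["http://127.0.0.1/callback",                # 7.3 loopback IPv4
                                      "http://[::1]/callback"]},                  # 7.3 loopback IPv6
}
VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")  # RFC 7636 code_verifier syntax
ISSUED_CODES = {}  # code -> (client_id, redirect_uri, code_challenge, method)


def _is_loopback_ip(host):
    """True only for loopback IP literals (127.0.0.1, ::1), not for 'localhost'."""
    try:
        return host is not None and ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def redirect_uri_matches(registered, requested):
    """Checklist items 1-3: private-use scheme and https URIs must match
    exactly; loopback IP URIs match on scheme, host, path and query but not
    port, because the app binds an ephemeral port at runtime (Section 7.3)."""
    reg, req = urlsplit(registered), urlsplit(requested)
    if reg.scheme == "http" and _is_loopback_ip(reg.hostname):
        return (req.scheme == "http" and _is_loopback_ip(req.hostname)
                and reg.hostname == req.hostname
                and reg.path == req.path and reg.query == req.query)
    return registered == requested  # exact string match for every other scheme


def pkce_challenge(code_verifier, method):
    """Compute the code_challenge the client should have sent (RFC 7636 4.2)."""
    if method == "S256":
        digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
        return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    if method == "plain":
        return code_verifier
    raise ValueError("unsupported code_challenge_method")


def authorize(client_id, redirect_uri, code_challenge, code_challenge_method="S256"):
    """Authorization endpoint: validate redirect_uri against the registration,
    require PKCE from the public client (item 5), then mint a code bound to
    the client, the redirect_uri and the challenge."""
    client = CLIENTS.get(client_id)
    if client is None:
        raise PermissionError("unknown client")
    if not any(redirect_uri_matches(r, redirect_uri) for r in client["redirect_uris"]):
        raise PermissionError("redirect_uri not registered")
    if not code_challenge or code_challenge_method not in ("S256", "plain"):
        raise PermissionError("PKCE code_challenge required")
    code = secrets.token_urlsafe(32)
    ISSUED_CODES[code] = (client_id, redirect_uri, code_challenge, code_challenge_method)
    return code  # delivered to the app via the redirect_uri


def exchange_code(client_id, code, redirect_uri, code_verifier):
    """Token endpoint: the code is single-use, must come back from the same
    client with the same redirect_uri, and the verifier must hash to the
    stored challenge. Returns True on success (stand-in for issuing tokens)."""
    record = ISSUED_CODES.pop(code, None)  # pop first, so a replayed code always fails
    if record is None:
        return False
    bound_client, bound_redirect, challenge, method = record
    if client_id != bound_client or redirect_uri != bound_redirect:
        return False
    if not VERIFIER_RE.fullmatch(code_verifier):
        return False
    expected = pkce_challenge(code_verifier, method)
    return hmac.compare_digest(expected, challenge)


if __name__ == "__main__":
    # code_verifier / code_challenge pair from RFC 7636 Appendix B
    verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
    challenge = pkce_challenge(verifier, "S256")
    code = authorize("desktop-app", "http://127.0.0.1:51004/callback", challenge)
    print(exchange_code("desktop-app", code, "http://127.0.0.1:51004/callback", verifier))  # True
    print(exchange_code("desktop-app", code, "http://127.0.0.1:51004/callback", verifier))  # False: replay
```

Two design points a practitioner should carry over: the port-agnostic comparison is applied only to loopback IP literals, so a request redirecting to `http://localhost:PORT/...` is rejected rather than silently treated as loopback, and the issued code is removed from the store before any other check runs, so a code that was intercepted on the inter-app channel and replayed fails even if the attacker also learned the redirect URI.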