Some operating systems allow apps to claim "https" scheme RFC 7230 URIs in the domains they control. When the browser encounters a claimed URI, instead of the page being loaded in the browser, the native application is launched with the URI supplied as a launch parameter.
As the redirect_uri alone is not enough to distinguish OAuth Public Client native applications from OAuth Confidential Client, it is REQUIRED in RFC 8252 Section 8.4 that the OAuth 2.0 Client Type be recorded during OAuth 2.0 Client Registration to enable the Authorization Server to determine the OAuth 2.0 Client Type and act accordingly.
App-claimed "https" scheme redirect URIs have some advantages compared to other native app redirect options in that the identity of the destination app is guaranteed to the Authorization Server by the Operating System. For this reason, native apps SHOULD use them over the other options where possible.
Apps on platforms that allow the user to disable this functionality, or lack it altogether MUST fallback to using custom URI schemes.
More Information#There might be more information for this subject on one of the following:
- Custom URI scheme
- OAuth Public Client
- OpenID Connect Use Cases
- Private URI Scheme
- Private-Use URI Scheme Redirection
- Web Blog_blogentry_261215_1