Many mobile and desktop computing platforms support inter-app communication via URIs by allowing Applications to register Private URI Scheme (sometimes colloquially referred to as "custom URI scheme") like "com.example.app". When the browser or another app attempts to load a URI with a Private URI Scheme, the Application that registered it is launched to handle the request.
To perform an OAuth 2.0 Authorization Request with a Private-Use URI Scheme Redirection, the Native application launches the browser with a standard Authorization Request, but one where the redirection URI utilizes a Private URI Scheme it registered with the Operating System.
When choosing a URI scheme to associate with the app, apps MUST use a URI Scheme based on a DNS Domain name under their control, expressed in Reverse domain name notation, as recommended by Section 3.8 of RFC 7595 for Private URI Schemes.
For example, an app that controls the domain name "app.example.com" can use "com.example.app" as their scheme. Some Authorization Servers assign client identifiers based on DNS Domain names, for example,
When there are multiple Applications by the same publisher, care must be taken so that each URI Scheme is unique within that group. On platforms that use Application identifiers (GUID) based on reverse domain name notation, those identifiers can be reused as the Private URI Scheme for the redirect_uri to help avoid this problem.
Following the requirements of Section 3.2 of RFC 3986, as there is no naming authority for Private-Use URI Scheme Redirection, only a single slash ("/") appears after the scheme component. A complete example of a redirect URI utilizing a Private URI Scheme is:
More Information#There might be more information for this subject on one of the following:
- Claimed Https Scheme URI Redirection
- Custom URI scheme
- OAuth Public Client
- Web Blog_blogentry_261215_1