
bug: Expo client cannot use expo go redirect_uri

Open artalat opened this issue 10 months ago • 6 comments

Describe the bug

Expo Go app uses the "exp" scheme for its URI. For example: exp://192.168.3.137:8081. But Logto's URI validation fails for this.

Expected behavior

The client accepts such redirect_uris.

How to reproduce?

Just try to set the example URI given above.

artalat avatar Apr 03 '24 18:04 artalat

Hi @artalat, this is intended by Logto. Since your app is a native app, you need to use reverse domain name notation for your scheme according to the RFC when using OAuth 2.0.

xiaoyijun avatar Apr 04 '24 03:04 xiaoyijun

Hi @xiaoyijun, thank you for your response. But this disrupts the Expo development process, as Expo's official Expo Go app uses this scheme. In Expo, for managed workflow apps, development is done on Expo Go. So this is a problem.

Besides, if the OS is not enforcing this limitation, why should Logto?

artalat avatar Apr 04 '24 05:04 artalat

@xiaoyijun let's discuss this next week

gao-sun avatar Apr 04 '24 11:04 gao-sun

Any update on this?

artalat avatar Apr 15 '24 06:04 artalat

@artalat, on which platform did you execute Expo Go? If it was iOS, you can define a custom redirect URI, e.g. app.my://callback, and pass it to the AuthSession instead of the default exp://XXXX one, which should unblock your development.

However, I'm afraid that this won't work on Android. Custom redirect URIs might not invoke the Expo Go app correctly on Android.

To conduct testing on Android, you'll need to build an Android package instead of relying on Expo Go, and set the custom scheme in the app.json file. This ensures everything works properly on the production packages.

The private-use native client scheme is restricted by the OAuth 2.0 spec:

For private-use URI scheme-based redirects, authorization servers SHOULD enforce the requirement in Section 7.1 that clients use schemes that are reverse domain name based. At a minimum, any private-use URI scheme that doesn't contain a period character (".") SHOULD be rejected.

Let me know if this helps.

simeng-li avatar Apr 15 '24 10:04 simeng-li
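The check described in the reply above, written out as an added example (this is not Logto's own validation code). It implements the quoted RFC 8252 rules for private-use schemes (Section 7.1 reverse domain name notation, Section 8.4 reject any scheme without a period) and, going beyond the thread, the other two native redirect forms RFC 8252 allows: claimed https redirects (Section 7.2) and loopback http redirects to 127.0.0.1 or [::1] on any port (Section 7.3). The sample URIs at the bottom are constructed for illustration; app.my://callback is the scheme suggested above, exp://192.168.3.137:8081 is the Expo Go URI from the bug report.

```javascript
// Added example, not Logto code: RFC 8252-style redirect URI check for a native
// (public) OAuth 2.0 client. Uses only the WHATWG URL parser built into Node.

// RFC 3986 scheme grammar restricted to reverse-domain shape: two or more non-empty
// dot-separated labels, e.g. com.example.app. Labels may use ALPHA / DIGIT / "+" / "-".
const REVERSE_DOMAIN_SCHEME = /^[a-z][a-z0-9+-]*(\.[a-z0-9+-]+)+$/;

// Returns { ok, kind, reason? }. kind is one of:
// "https" | "loopback" | "private-use" | "http" | "invalid".
function checkNativeRedirectUri(uri) {
  let parsed;
  try {
    parsed = new URL(uri);
  } catch {
    return { ok: false, kind: "invalid", reason: "not an absolute URI" };
  }
  const scheme = parsed.protocol.slice(0, -1).toLowerCase(); // "exp:" -> "exp"

  if (scheme === "https") {
    // Claimed https scheme (RFC 8252 section 7.2): Universal Links / App Links.
    return { ok: true, kind: "https" };
  }

  if (scheme === "http") {
    // Loopback redirect (RFC 8252 section 7.3): only loopback IP literals, any port.
    // "localhost" is deliberately not accepted; the RFC advises against it.
    const loopback = parsed.hostname === "127.0.0.1" || parsed.hostname === "[::1]";
    return loopback
      ? { ok: true, kind: "loopback" }
      : { ok: false, kind: "http", reason: "http is only allowed for loopback IP literals" };
  }

  // Private-use URI scheme (section 7.1). Section 8.4: reject anything without a ".".
  if (!scheme.includes(".")) {
    return {
      ok: false,
      kind: "private-use",
      reason: `scheme "${scheme}" has no period; use reverse domain name notation`,
    };
  }
  if (!REVERSE_DOMAIN_SCHEME.test(scheme)) {
    return {
      ok: false,
      kind: "private-use",
      reason: `scheme "${scheme}" is not well-formed reverse domain name notation`,
    };
  }
  return { ok: true, kind: "private-use" };
}

// Constructed sample URIs: the two from the thread plus a few extra cases.
const SAMPLES = [
  "exp://192.168.3.137:8081",         // Expo Go dev URI: rejected, no period in scheme
  "app.my://callback",                // suggested workaround above: accepted
  "com.example.app://oauth/callback", // textbook reverse-domain scheme: accepted
  "myapp://callback",                 // single-label private scheme: rejected
  "http://127.0.0.1:49152/callback",  // loopback: accepted
  "http://192.168.3.137:8081/cb",     // plain http to a LAN address: rejected
  "https://example.com/callback",     // claimed https: accepted
];

for (const uri of SAMPLES) {
  const r = checkNativeRedirectUri(uri);
  console.log(`${r.ok ? "accept" : "reject"} ${uri}${r.reason ? `  (${r.reason})` : ""}`);
}
```

On the Expo side this is why a development build with a `"scheme"` entry in app.json works where Expo Go does not: the client then registers something like com.example.app, which passes the period check, while Expo Go can only offer exp://.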

@simeng-li Thanks for your detailed response. Apart from the hassle this causes, my point is that if the OS/platform allows setting a scheme without a ".", Logto shouldn't enforce this restriction for those specific OS/platforms.

artalat avatar Apr 18 '24 17:04 artalat