Okta Classic Engine | Single Sign-On | Answered | 2025-05-27T09:00:20.000Z | 2024-04-23T23:24:09.000Z | 2024-04-25T16:09:44.000Z

j8emu (j8emu) asked a question.

Best practices regarding SSO redirect URL on iOS

Hello,

So we are trying to integrate Okta SSO on an iOS app (.NET framework/WebAuthenticator).

We've set a custom URL scheme in our app and added it to the Okta config as a callback URI (ourapp:/callback), as per your documentation:

https://developer.okta.com/code/ios/quickstart-appauth-swift/

https://developer.okta.com/blog/2023/06/21/net-maui-authentication

My question is simple:

Is this considered good practice for production? Does it pose a risk?

Thank you


  • Mihai N. (Okta, Inc.)

    Hi @j8emu (j8emu), thank you for reaching out to the Okta Community!

    This question is more appropriate for our dedicated Okta Developer Forum.

    My advice would be to reach out via devforum.okta.com to take advantage of their expertise.

    While we'll do our best to answer all of your questions here, this medium is more inclined towards Okta core products and features (non-developer work).

    That being said, I ran this by some of my developer colleagues and they mentioned that best practice would be the reverse of your domain/anything, i.e. com.oktapreview.johnny:/callback.

    The only real danger is if you happen to pick some custom schema and some user's device already has an application that also happened to register that exact custom schema.

    Also, the path can be made more specific since there could be more than one type of callback, like: com.mycompany.appname:/signin/callback

    I still strongly recommend reaching out to the dedicated forum for further insights.

    If my answer helped, remember to mark it as best to increase its visibility for other members of the Okta Community who might have the same questions as you.

    Hope my answer helps!

    --

    Help others in the community by liking or hitting Select as Best if this response helped you.

    Selected as Best
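
The answer's two recommendations (a reverse-domain scheme and a specific callback path), shown as an added example that is not part of the original thread or Okta's code. It assumes `mycompany.com` is the domain the app owner controls and uses only `System.Uri`; the class, method and route names are hypothetical.

```csharp
using System;
using System.Collections.Generic;

public static class RedirectUriCheck
{
    // Assumption: the domain the app owner controls (constructed sample value).
    const string OwnedDomain = "mycompany.com";

    // Hypothetical routes: one exact path per callback type.
    static readonly Dictionary<string, string> Routes = new Dictionary<string, string>
    {
        ["/signin/callback"] = "sign-in",
        ["/signout/callback"] = "sign-out",
    };

    // "mycompany.com" -> "com.mycompany"
    static string ReverseDomain(string domain)
    {
        string[] labels = domain.ToLowerInvariant().Split('.');
        Array.Reverse(labels);
        return string.Join(".", labels);
    }

    // Config-time lint: the scheme must be the reversed owned domain or sit under it.
    public static bool HasReverseDomainScheme(string redirectUri)
    {
        if (!Uri.TryCreate(redirectUri, UriKind.Absolute, out var uri)) return false;
        string prefix = ReverseDomain(OwnedDomain);
        return uri.Scheme == prefix || uri.Scheme.StartsWith(prefix + ".", StringComparison.Ordinal);
    }

    // Run-time routing: only the registered scheme, no host part, exact path match.
    public static string Route(string callback, string registeredScheme)
    {
        if (!Uri.TryCreate(callback, UriKind.Absolute, out var uri)) return "reject";
        if (!string.Equals(uri.Scheme, registeredScheme, StringComparison.OrdinalIgnoreCase)) return "reject";
        if (uri.Host.Length != 0) return "reject";
        return Routes.TryGetValue(uri.AbsolutePath, out var kind) ? kind : "reject";
    }

    public static void Main()
    {
        // Constructed inputs: the two redirect URIs from the thread, then sample callbacks.
        foreach (string u in new[] { "ourapp:/callback", "com.mycompany.appname:/signin/callback" })
            Console.WriteLine($"{u} reverse-domain scheme: {HasReverseDomainScheme(u)}");
        foreach (string c in new[] {
            "com.mycompany.appname:/signin/callback?code=SAMPLE&state=SAMPLE",
            "com.mycompany.appname:/signin/callback/extra?code=SAMPLE",
            "ourapp:/signin/callback?code=SAMPLE" })
            Console.WriteLine($"{c} -> {Route(c, "com.mycompany.appname")}");
    }
}
```

The lint only lowers the chance of the collision the answer describes; it cannot tell whether another app installed on a user's device has registered the same scheme.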
  • j8emu (j8emu)

    Hello Mihai,

    Thank you very much for the swift and helpful answer. I have created a separate post on the dev forum (sorry for the mix-up ^^)

    Alright, I'll apply your recommendations regarding the full domain; I think it's an excellent idea.

    The problem is that our systems admin insists that using a custom URL scheme is "for getting an app to work quickly or test.. Not for production at all" and insists on having an https URL. This shocked me as it is everywhere in your documentation. And for me it doesn't make any sense, as using the com.ourcompany.ourapp is the only way to signal to the browser to return to the app.

    So how should we proceed in your opinion? Are custom URL schemes inherently risky? Is there a 'proper' way to do the redirection using an https URL?

    Thank you very much and if you want me to wait for the answer on the dev forum that would be OK.

    • Mihai N. (Okta, Inc.)

      Hi @j8emu (j8emu),

      The devforum would be the best way to go with this as it's outside of my area of expertise.

       

      Regards.

      --

      Help others in the community by liking or hitting Select as Best if this response helped you.

This question is closed.