Box mobile SDKs and upcoming redirect url change
Hi
In light of the recent Box announcement over stricter enforcement of redirect URLs, we're trying to update our mobile apps (that use Box's SDKs) to work. We have one mobile app, available on both iOS and Android, and they both use the same OAuth2 client_id.
The situation seems to be:
a. The iOS Box SDK, https://github.com/box/box-ios-sdk, only supports custom scheme urls in the form boxsdk-<clientid>://
b. The Android Box SDK, https://github.com/box/box-android-sdk, does not support custom scheme redirect URIs (i.e. you can't use boxsdk-<clientid>:// URLs).
c. The Box developer console only allows one redirect uri to be set per client id
So we seem to be stuck. We can't fix this. What is Box's recommendation to proceed?
The options seem to be:
1) Box update developer console to allow multiple redirect uris
2) Box update one of the mobile SDKs so that there's a form of redirect URI that will work with both SDKs
3) We change either our iOS or Android app to use a different client id and hence can use a different redirect URL - we will presumably be forcibly logging out any logged-in users as the refresh tokens will not be usable by a different client, I think we may end up with a second marketplace entry for the app, and I'm not sure if there are other considerations, e.g. users will also be required to re-consent to sharing.
Can Box advise how we should proceed please?
Thanks
Joseph
-
Hi Joseph,
There is currently an issue filed with the iOS SDK for supporting a single application redirect that would allow a custom scheme URI for iOS and not for Android, which is actively being researched. This would be the method that we would be targeting for supporting this functionality (your option #2). Unfortunately the restrictions on blank OAuth 2 redirect URIs will most likely be imposed before that release can go out.
Given that, what I'd recommend is your option #3, which would essentially mean creating a separate OAuth 2 application for one of the mobile environments (I'd recommend the one with the lowest customer volume). Just ensure in doing so that the redirect URI in the application configs exactly matches the redirect URI used in the application code.
- Jon
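A pre-release check for the situation in this thread, as an added example that is not from either poster or from Box's SDKs: it flags a client id whose platforms need different redirect URIs, and any registered URI that is not identical to the one used in code. The client ids, the https callback and the dictionary layout are constructed placeholders, and byte-for-byte comparison is an assumption about what "exactly matches" means.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: one client id shared by both platforms, as in the question.
APPS = [
    {"platform": "ios", "client_id": "clientida",
     "registered": "boxsdk-clientida://", "in_code": "boxsdk-clientida://"},
    {"platform": "android", "client_id": "clientida",
     "registered": "boxsdk-clientida://",
     "in_code": "https://app.example.com/oauth/callback"},
]

def describe_mismatch(registered, in_code):
    """Return None when the two URIs are identical, else name the first differing part."""
    if registered == in_code:
        return None
    a, b = urlsplit(registered), urlsplit(in_code)
    for part in ("scheme", "netloc", "path", "query", "fragment"):
        if getattr(a, part) != getattr(b, part):
            return f"{part}: {getattr(a, part)!r} != {getattr(b, part)!r}"
    # urlsplit lower-cases the scheme, so parsed parts can agree while raw strings differ.
    return "raw strings differ (letter case or empty delimiters)"

def audit(apps):
    """List configuration problems that would break the OAuth 2 redirect."""
    findings = []
    uris_by_client = defaultdict(set)
    for app in apps:
        uris_by_client[app["client_id"]].add(app["in_code"])
        why = describe_mismatch(app["registered"], app["in_code"])
        if why:
            findings.append(
                f"{app['platform']}: registered URI does not match code ({why})")
    for client_id, uris in uris_by_client.items():
        # The console holds one redirect URI per client id (point c in the question).
        if len(uris) > 1:
            findings.append(
                f"{client_id}: {len(uris)} redirect URIs used in code but only one "
                "can be registered; use a separate application per platform")
    return findings

if __name__ == "__main__":
    for finding in audit(APPS):
        print(finding)
```
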