Does F5 BIG-IP Access Manager support mobile apps authenticating over OpenID Connect with a custom URI redirect_uri?
Our native mobile app (iOS and Android) authenticates the user using the Authorization Code Grant flow.
Our redirect_uri (i.e., callback URI) is: com.mckesson.wfm.ansos2go://signin
We are a software vendor in the healthcare domain. Our customer, who uses F5 BIG-IP, says that this URI is considered invalid by F5 when configuring the OpenID Connect Service Provider. Is that true? If so, how do native mobile app developers perform OIDC authentication with F5?
UPDATE: I got word from my customer that they set up a rewrite policy, so they could enter the redirect_uri as https:/com.mckesson.wfm.ansos2go://signin. Then, they strip off the https:// in the response to the initial 'authorize' call. This is NUTS!
Why does F5 BIG-IP Access Manager require redirect_uri to be https://...? This totally breaks the OpenID Connect specification, which says "The Redirection URI MAY use an alternate scheme, such as one that is intended to identify a callback into a native application."
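For reference, an added example that is not part of the original post and is not F5 code: a sketch of how an OpenID Provider can accept a private-use scheme redirect_uri for a native client while still validating it. The function names are hypothetical; the rules assumed are the RFC 8252 guidance for native apps (reverse-domain private-use schemes, loopback-only http) and the exact string match that OpenID Connect Core requires at request time.

```python
from urllib.parse import urlsplit

# Hosts accepted for plain-http loopback redirects (assumed rule, RFC 8252 section 7.3).
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

# The redirect_uri quoted in the post.
APP_URI = "com.mckesson.wfm.ansos2go://signin"


def registration_error(uri):
    """Return None if a native client may register uri, else the reason it may not."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if not scheme:
        return "not an absolute URI"
    if "#" in uri:
        return "fragment not allowed"
    if scheme == "https":
        # Claimed https link: it must actually name a host.
        return None if parts.hostname else "https URI has no host"
    if scheme == "http":
        # Plain http is only acceptable for loopback redirects.
        return None if parts.hostname in LOOPBACK_HOSTS else "http is loopback-only"
    if "." not in scheme:
        # Private-use schemes are expected to be reverse-domain names.
        return "private-use scheme is not a reverse domain name"
    return None


def register(uris):
    """Build the registered set, refusing the whole request if any URI fails."""
    bad = {u: e for u in uris if (e := registration_error(u))}
    if bad:
        raise ValueError(bad)
    return frozenset(uris)


def redirect_allowed(requested, registered):
    """Request-time check: simple string comparison, no prefix match or rewriting."""
    return requested in registered


if __name__ == "__main__":
    registered = register([APP_URI])
    for candidate in (APP_URI, "https:/" + APP_URI, APP_URI + "/extra"):
        print(candidate, "->", redirect_allowed(candidate, registered))
```

Under these rules the app's own URI registers as-is, and the https-prefixed form from the rewrite workaround is the one rejected, since it has no host.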