Universal Login failing with Scheme URL redirect on specific device

We’re finding a specific user is not able to log in using Universal Login. The redirect back to the app is using a scheme URL (demo://{yourDomain}/android/YOUR_APP_PACKAGE_NAME/callback) and seems to be picked up by Firefox (not by the app); clicking open doesn’t seem to do anything.

This is happening for an Android user, using a Samsung device, on Android 13. No other users have reported the issue, so we believe it may be the user’s settings that are interfering with the scheme URL; however, we’ve not been able to recreate the issue.

Is anyone aware of any Android-specific settings that could cause issues like this?

We’ve already looked into the following and they don’t seem to cause the same issue:

It’s also worth noting that this user has AVG Anti Virus running on his device. From what I can see, this shouldn’t cause issues, but as it’s a paid app we’ve not been able to try and recreate with it installed.

Thanks,
Sam

After a bit more investigation, it seems that this issue actually starts earlier: for some reason Auth0 Universal Login is being opened in Firefox rather than a WebView.

Does anyone have any ideas what might cause this to happen?

> for some reason Auth0 Universal Login is being opened in Firefox rather than a WebView.

I’ve also been seeing this with recent versions of Firefox and the Auth0 SDK. To the best of my knowledge, there are several things going on:

  1. Universal Login from Auth0 intentionally makes use of the actual browser instead of a webview. See the “Mobile Apps and Security” part of the Pros and Cons comparison table between universal login and embedded login.
  2. Universal login for mobile apps is essentially an implementation of IETF RFC 8252, the RFC referenced in the pros and cons table. Section 6 of the RFC recommends making use of custom tabs, if they are available.
  3. Firefox supports custom tabs on Android, and has for several years (I can tell you this as a Firefox for Android user!)
  4. Firefox for Android has a setting called “Open in other apps”. Users can set this to one of “always”, “ask”, or “never”; if the user sets this to “ask”, they’ll see a dialog before Firefox launches the intent to view the content in the app. If the user has the settings set to “never” there will be an option to open the browser page in app in the settings for links that support it.

That’s the basics anyways. If you’re using a custom scheme, Auth0 Universal Login links should “just work” at this point if the user has things set to always or ask.

Unfortunately, this gets more complex if you’re attempting to use an Android app link and claimed https scheme. I’ve been unable to get the redirects to work in Firefox when using this method, even though they would work if I manually paste the links into the address bar. Basically, current versions of Firefox seem to prohibit redirecting into a native app with claimed https schemes, while they allow it with custom ones. I couldn’t completely tell you why, as theoretically app links are more secure because they require matching a signing key hash, but Mozilla may have made this decision out of concern for users’ privacy. You’d have to ask them. I just spent a week on this exact thing though, so if you’re frustrated by it I understand, lol.

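When the problem only shows up on one user's device, a debug-only helper can report the facts the thread turns on: which browser hosts the login page, whether it offers Custom Tabs, and which apps claim the callback URI. This is an added example, not code from the thread or from the Auth0 SDK; `describeLoginRouting` and the `https://example.com` probe URL are hypothetical, and it uses only standard `PackageManager` calls.

```kotlin
import android.content.Context
import android.content.Intent
import android.content.pm.PackageManager
import android.net.Uri

// Service action a browser must handle to offer Custom Tabs
// (value of CustomTabsService.ACTION_CUSTOM_TABS_CONNECTION in androidx.browser).
private const val CUSTOM_TABS_ACTION = "android.support.customtabs.action.CustomTabsService"

/**
 * Hypothetical debug helper: describes how this device would route the login
 * page and the callback redirect. On Android 11+ the manifest needs <queries>
 * entries for https VIEW intents, the Custom Tabs service action and the
 * callback scheme; without them other packages are filtered from the results.
 */
fun describeLoginRouting(context: Context, callback: Uri): String {
    val pm = context.packageManager
    val report = StringBuilder()

    // 1. Default handler for ordinary https links, i.e. the browser that hosts
    //    the login page. "android" means no default is set and the system
    //    chooser would be shown instead.
    val browse = Intent(Intent.ACTION_VIEW, Uri.parse("https://example.com"))
        .addCategory(Intent.CATEGORY_BROWSABLE)
    val defaultBrowser = pm.resolveActivity(browse, PackageManager.MATCH_DEFAULT_ONLY)
        ?.activityInfo?.packageName
    report.appendLine("default browser: ${defaultBrowser ?: "none resolved"}")

    // 2. Does that browser expose a Custom Tabs service?
    val supportsTabs = defaultBrowser != null &&
        pm.resolveService(Intent(CUSTOM_TABS_ACTION).setPackage(defaultBrowser), 0) != null
    report.appendLine("custom tabs supported: $supportsTabs")

    // 3. Which activities claim the callback URI? More than one entry means
    //    another installed app registered the same scheme.
    val view = Intent(Intent.ACTION_VIEW, callback).addCategory(Intent.CATEGORY_BROWSABLE)
    val handlers = pm.queryIntentActivities(view, PackageManager.MATCH_DEFAULT_ONLY)
        .map { "${it.activityInfo.packageName}/${it.activityInfo.name}" }
    report.appendLine("callback scheme: ${callback.scheme}")
    report.appendLine("callback handlers: ${handlers.ifEmpty { listOf("none") }}")

    // 4. Is this app among them? If not, the intent filter or scheme is wrong.
    val ownsCallback = handlers.any { it.startsWith(context.packageName + "/") }
    report.appendLine("this app handles callback: $ownsCallback")
    return report.toString()
}
```

The report can be attached to a support request; it does not show Firefox's “Open in other apps” setting, which is private to the browser and has to be checked by the user.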