In an effort to get my head around how OAuth2 actually works, I've written a test identity service (ASP.NET Core 3) with an `/authorize` and a `/token` endpoint. I also wrote a Xamarin iOS test client to see how it all could work out. The client calls the authority (`/authorize`) endpoint with the typical OAuth2 Authorization Code grant request, passing all the required query parameters, such as `clientid`, `clientSecret` ... bla ... bla and `redirect_uri`. Having accepted the request (it's just for testing, so trust or actual security is not an issue here...), my authority then sends a 302 (redirect) back to the passed `redirect_uri`.

Assuming `redirect_uri = testauth://go-here`, I added `testauth` as a custom URI scheme for my Xamarin iOS client (`info.plist`) and went ahead to override `AppDelegate.OpenUrl` to catch the redirect from Safari.

Everything seems to be working fine up until Safari gets the redirect to `testauth://go-here`. Instead of simply invoking the overridden `AppDelegate.OpenUrl`, it pushes a dialog asking for the user's permission to open the test client app. But even if I accept the navigation request, nothing else happens, and a few seconds later iOS (in the simulator) kills my app for some reason.

I have used ADAL previously for Azure-based OAuth2 grant flows, which has worked fine, but somehow I must be doing something differently than ADAL, because I get a different behavior.

Can someone help me understand what goes on in Safari and iOS? Why is Safari asking for permission to open the app that initiated the original request (this doesn't happen with ADAL), and why is `AppDelegate.OpenUrl` not invoked?

Are there any nuances in the redirect flow I might have missed?
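The redirect round trip the question describes, modelled end to end as an added example. This is not the asker's ASP.NET Core or Xamarin code and it is written in Python rather than C# so that both sides of the exchange can run in one process: the authority's `/authorize` and `/token` handlers, the client building the request, and the check the app has to do on the `testauth://go-here?code=...&state=...` URL it receives from the OS (the equivalent of the `AppDelegate.OpenUrl` override). The client registration, the `state` parameter, the secret and the token value are assumptions made for the example.

```python
"""Model of the OAuth2 authorization-code redirect round trip from the question.
Added example, not the asker's ASP.NET Core / Xamarin code. The registered client,
the custom-scheme redirect URI testauth://go-here, the state parameter and the
token value are assumptions made for this example."""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed client registration: the authority only redirects to URIs it knows.
REGISTERED_CLIENTS = {
    "test-client": {"secret": "test-secret", "redirect_uris": {"testauth://go-here"}},
}
_issued_codes = {}  # code -> (client_id, redirect_uri); each code is single use


def handle_authorize(query):
    """Authority side of /authorize. Returns (status, headers), i.e. the 302 the
    authority answers with. Only client_id, redirect_uri, response_type and state
    belong on this request; the client secret is presented at /token only."""
    client = REGISTERED_CLIENTS.get(query.get("client_id"))
    if client is None or query.get("response_type") != "code":
        return 400, {}
    redirect_uri = query.get("redirect_uri")
    if redirect_uri not in client["redirect_uris"]:
        return 400, {}  # never redirect to an unregistered URI
    state = query.get("state")
    if not state:
        return 400, {}
    code = secrets.token_urlsafe(24)
    _issued_codes[code] = (query["client_id"], redirect_uri)
    # The browser follows this Location; iOS then hands a testauth:// URL to the app.
    return 302, {"Location": redirect_uri + "?" + urlencode({"code": code, "state": state})}


def handle_token(form):
    """Authority side of /token: redeem the code once, checking secret and redirect_uri."""
    client = REGISTERED_CLIENTS.get(form.get("client_id"))
    issued = _issued_codes.pop(form.get("code"), None)  # single use
    if (client is None or issued is None
            or client["secret"] != form.get("client_secret")
            or issued != (form.get("client_id"), form.get("redirect_uri"))
            or form.get("grant_type") != "authorization_code"):
        return 400, {"error": "invalid_grant"}
    return 200, {"access_token": "at-" + secrets.token_urlsafe(8), "token_type": "Bearer"}


def client_start(client_id, redirect_uri):
    """Client side: build the /authorize query and keep the state for the callback check."""
    state = secrets.token_urlsafe(16)
    query = {"response_type": "code", "client_id": client_id,
             "redirect_uri": redirect_uri, "state": state}
    return state, query


def client_open_url(url, expected_state, redirect_uri):
    """Client side: what the OpenUrl handler must do with the URL the OS delivers.
    Rejects anything not matching the registered redirect_uri or carrying a foreign state."""
    parts, expected = urlsplit(url), urlsplit(redirect_uri)
    if (parts.scheme, parts.netloc, parts.path) != (expected.scheme, expected.netloc, expected.path):
        raise ValueError("callback does not match the registered redirect_uri")
    params = parse_qs(parts.query)
    if params.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: not the response to our request")
    if "code" not in params:
        raise ValueError("no authorization code in callback")
    return params["code"][0]


def run_flow(client_id="test-client", client_secret="test-secret",
             redirect_uri="testauth://go-here", tamper_state=False):
    """Drive the whole exchange in-process and return the access token."""
    state, query = client_start(client_id, redirect_uri)
    status, headers = handle_authorize(query)
    assert status == 302, "authority rejected the authorize request"
    callback = headers["Location"]
    if tamper_state:  # simulate a callback that did not originate from our request
        callback = callback.replace(state, "attacker-state")
    code = client_open_url(callback, state, redirect_uri)
    status, body = handle_token({"grant_type": "authorization_code", "code": code,
                                 "client_id": client_id, "client_secret": client_secret,
                                 "redirect_uri": redirect_uri})
    assert status == 200, body
    return body["access_token"]


if __name__ == "__main__":
    print("token:", run_flow())
```

Two things in the model are worth checking against the test authority: the 302 carries only `code` and `state` back to the custom scheme, and the app treats the delivered URL as untrusted input, so it verifies scheme, host and `state` before it ever posts the code to `/token`.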