Thanks for the post, Jesse. What is https://phonegap.com/authCallback? Just a dummy/placeholder URL? When the user gets redirect back there, doesn’t that endpoint then have the chance to intercept tokens and such? Shouldn’t the user get directed directly back to the mobile application?
By the way, what is the security implication of adding support for custom schemes in InAppBrowser, specifically when the intent is to return to the app that initiated the InAppBrowser to begin with?