Yeah, that makes sense security wise.
Ben Botto

My expectation was that the app developer would use their own redirectURL, and point it to a server/address they controlled.

Ideally the InAppBrowser should not auto follow redirects without first giving the application a chance to respond to the event, meaning the redirectURL would never actually get loaded. This unfortunately is not currently implemented, or even planned afaik.

Also worth noting is the fact that the callbackURL is called with an authorization code, which can only be exchanged for a token if you have the client secret, so I am not sure how much of a risk this is.

One clap, two clap, three clap, forty?

By clapping more or less, you can signal to us which stories really stand out.