How to perform Oauth in your Android app when relying upon Chrome Custom Tabs and an HTTPS redirect

This is going to be a short post about a problem I had been facing for the past couple of days in a side-project of mine.


I needed to integrate Todoist’s Sync APIs in a project. To authenticate, Todoist uses standard Oauth processes. For fairly understandable reasons, Todoist requires HTTPS redirects post authentication.

Previously, I used to just use a WebView that would catch the redirection post authentication, and go ahead with the rest of the process. However, Google has for a while now forbidden signing into Google accounts in a WebView to ensure safety of their users. This forces developers to rely upon Chrome Custom Tabs, or just plain browsers as well.

This caused me a few problems:

  1. I actually needed to host a site that Todoist redirected to
  2. From a UX perspective, I needed a way that the site redirected to the app directly


After a bit of research, it proved fairly straightforward. To host a site, I simply used Firebase Hosting. I don’t even really need to create a website — simply creating a project and enabling Hosting gives me a HTTPS URL that I can point Todoist to. We will need to a host a JSON file, which I’ll get to in a moment.

The second part is the trickier one — I need a way for the site to now communicate to the app. Essentially, I need a redirect from Chrome Custom Tabs to the Android app. For this, I relied upon Android app links. Android app links essentially allow your app to claim ownership of a URL.

The simplest way to set up App Links is using the assistant tool in Android Studio. Following the process there enabled me to fairly easily set up the required intent filter as well as the code in the activity to catch the incoming intent data.

All I needed to do now was host the generated JSON file on our Firebase project. This is fairly simple as well, since all we need to do is install the Firebase command line tool, initialize Firebase in a folder that contains the JSON file, and deploy the site. You can follow the process described here.

Putting all of this together, I now had an Android app that performed Oauth with Todoist inside a Chrome Custom Tab that, once authenticated, redirected the user to an activity in my app. The one limitation of this is that relying on App Links means we’re restricted to API 23+.

To support other users, you probably would want to have an actual webpage at the URL where Todoist redirects your user. This URL can then attempt to redirect to a deeplink in your app, and also allow the user to open the app through a button on the page. It’s good practice anyway, just in case the App Link fails.

Again, Firebase Hosting will be fairly useful here since the web page doesn’t need to be overly complicated. Building out this web page also allows you to serve users without Chrome on their devices, if that is a requirement.