openid / AppAuth-Android

Android client SDK for communicating with OAuth 2.0 and OpenID Connect providers.
https://openid.github.io/AppAuth-Android
Apache License 2.0

Is there a guidance or a suggested way on how to safely deliver the deeplink which carries the redirect URI to an app? #984

Open Ch0pin opened 1 year ago

Ch0pin commented 1 year ago

Configuration

Description

My point is that by using what is on the README (assuming that I am not missing something important), any app can imitate another app by using the client id along with the redirect uri. In case two apps are using the same redirect scheme, the intent will be delivered to the "legit" app assuming that the user can identify the legitimate component in the ambiguity dialog. In case, though, that the legitimate app is not installed on the device the auth code will be delivered to the app that 'claims' the redirect uri in its manifest.

So I am asking if there is a way or a safer implementation when it comes to delivering the deeplink back to the authorised application.
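The redirect-capture step the question refers to is configured through the manifest entry for AppAuth's `RedirectUriReceiverActivity`. The following is an added illustration (not from the issue and not the AppAuth-Android project's own documentation) that places the custom-scheme declaration from the README next to a verified https App Link, which is the variant Android ties to the app's signing certificate rather than to whichever app first claims a scheme. The package name `com.example.app`, the host `auth.example.com`, the path `/oauth2redirect` and the certificate fingerprint are placeholders; the provider-side registration of the redirect URI is assumed to exist and is not shown.

```xml
<!-- Added example, not part of the AppAuth-Android docs or of the issue.
     Placeholders: com.example.app, auth.example.com, /oauth2redirect and the
     SHA-256 fingerprint. Both <activity> entries override the library's own
     declaration via tools:node="replace", so the <manifest> element must carry
     xmlns:tools="http://schemas.android.com/tools". Use one of them, not both. -->

<!-- (a) Custom-scheme redirect, as in the README. Any installed app may declare
     the same scheme; the platform cannot tell the genuine client from an
     impostor, so the authorization code can land in whichever app claims it
     (or in a chooser dialog the user has to get right). -->
<activity
    android:name="net.openid.appauth.RedirectUriReceiverActivity"
    android:exported="true"
    tools:node="replace">
    <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <!-- redirect_uri = com.example.app:/oauth2redirect -->
        <data android:scheme="com.example.app" android:path="/oauth2redirect" />
    </intent-filter>
</activity>

<!-- (b) Verified https App Link. With android:autoVerify="true" the platform
     fetches https://auth.example.com/.well-known/assetlinks.json at install
     time and routes the URI to this app only if the app's signing certificate
     is listed there. A different app declaring the same host fails that check,
     and an unverified URI opens in the browser instead of in an app. -->
<activity
    android:name="net.openid.appauth.RedirectUriReceiverActivity"
    android:exported="true"
    tools:node="replace">
    <intent-filter android:autoVerify="true">
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <!-- redirect_uri = https://auth.example.com/oauth2redirect -->
        <data android:scheme="https"
              android:host="auth.example.com"
              android:path="/oauth2redirect" />
    </intent-filter>
</activity>

<!-- Served by the redirect host at /.well-known/assetlinks.json so that (b)
     verifies (shown here as a comment; the fingerprint is a placeholder and
     must be the SHA-256 of the release signing certificate):
[{
  "relation": ["delegate_permission/common.handle_all_urls"],
  "target": {
    "namespace": "android_app",
    "package_name": "com.example.app",
    "sha256_cert_fingerprints": ["AA:BB:CC:...:FF"]
  }
}]
-->
```

The redirect URI passed in the authorization request must match the declared `<data>` element exactly, and the same value has to be registered with the provider. Verification can be checked on a device with `adb shell pm get-app-links com.example.app` (API 31 and later); if the domain shows as unverified, the link is not bound to the app and the custom-scheme weakness described above effectively still applies. PKCE, which AppAuth enables by default, limits what an intercepted authorization code is worth but does not by itself decide which app receives the redirect.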