> ## Documentation Index
> Fetch the complete documentation index at: https://docs-dev-feat-update-styling-docs-for-universal-components.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

> Describes how to use universal links rather than custom URL schemes to verify the legitimacy of authentication data.

# Measures Against Application Impersonation

Native applications use the [Authorization Code Flow with PKCE](/docs/get-started/authentication-and-authorization-flow/authorization-code-flow-with-pkce) authentication flow and employ a `redirect_uri` to return control to the application after login. After the URI loads in the device’s browser, the application typically opens automatically to allow the user to continue their journey.

Historically, mobile application used [custom URI schemes](https://developers.google.com/identity/protocols/oauth2/native-app#installed_app_redirect_methods) (e.g., `com.mycompany.myapp://oauth2redirect`). However, custom URI schemes pose a risk as more than one application on the device can register the same scheme. Mobile OSs do not include built-in mechanisms to ensure the application receiving the redirect is the intended one. In this scenario, malicious apps impersonate legitimate ones and receive the authorization response (including tokens) without user awareness, especially if single sign-on (SSO) is active due to the existence of a previous legitimate session, in which additional user interaction is not required. PKCE doesn't really help in these scenarios, as the malicious application can initiate the login flow and wait to receive the callback without user interaction.

Applications running on a local machine (e.g., desktop apps, CLIs) use the loopback interface for callbacks (e.g., [http://127.0.0.1:51089/callback](http://127.0.0.1:51089/callback) or [http://localhost:61024/callback](http://localhost:61024/callback)) are similarly at risk. In this case, another application on the same machine could listen on the same port to intercept the response.

We refer to both custom URI schemes and loopback URIs as Non-Verifiable Callback URIs because the authorization server cannot verify the receiving application in either scenario.

## Recommended mitigations for mobile applications

### Claimed HTTPS URIs (Universal Links / App Links)

Modern mobile OSs support **claimed HTTPS URIs** allows you to associate a website domain you control with your mobile app. Claimed HTTPS URIs are known as:

* Universal Links on iOS
* App Links on Android

Claimed HTTPS URIs ensure only your application handles the associated callback URL and protects against unauthorized access to sensitive authentication data.

<Note>
  Auth0 **strongly recommends** using claimed HTTPS URIs as redirect URIs for all native applications.

  * For iOS: Review [Support Universal Links](https://developer.apple.com/documentation/xcode/allowing-apps-and-websites-to-link-to-your-content/#Support-universal-links).
  * For Android: Review [Android App Links](https://developer.android.com/training/app-links).
</Note>

## Recommended mitigations for all application

Auth0 cannot verify the legitimacy of the application receiving the authentication transaction results if:

* Your application is unable to support claimed HTTPS URIs due to required compatibility with older mobile OS versions
* Your application is a desktop or CLI application

As defined in the [OAuth2 for Native Apps](https://datatracker.ietf.org/doc/html/rfc8252#section-8.6) specification, Auth0 provides a mechanism to show a confirmation prompt to the user. Users confirm the application receiving the authentication result is the one they intended to access. When a non-verifiable callback URI is in use, the user is prompted to verify the application on each authentication transaction.

The confirmation screen displays when:

1. The `redirect_uri` present in the request uses a non-verifiable URI (i.e. a custom URI scheme or a loopback URI).
2. The user has not been prompted with any other screen in the current login transaction (such as when a [consent screen](/docs/get-started/applications/third-party-applications/user-consent-and-third-party-applications) populates for third-party applications, or when MFA is required).

In these cases, the application presents the end user with a confirmation prompt.

<Frame>
  <img src="https://mintcdn.com/docs-dev-feat-update-styling-docs-for-universal-components/lpTpGPc1qcZmBPU4/docs/images/cdy7uua7fh8z/consent-pompt-uris.png?fit=max&auto=format&n=lpTpGPc1qcZmBPU4&q=85&s=f550c44532bd9b5bc35b11aa084fb7f2" alt="Measures Against App Impersonation - Confirmation Prompt" width="298" height="408" data-path="docs/images/cdy7uua7fh8z/consent-pompt-uris.png" />
</Frame>

The confirmation prompt is not shown in legacy non-OIDC-conformant flows. To learn how you can apply increased protection for your tenants and applications, review [Adopt OIDC-Conformant Authentication](/docs/authenticate/login/oidc-conformant-authentication).

#### Prompt customization

The confirmation prompt uses your custom branding and configurations defined for existing consent screens used for third-party applications. To learn more, review the Prompts section of [Customize Universal Login Page Templates](/docs/customize/login-pages/universal-login/customize-templates).

<Warning>
  Auth0 **strongly recommends** you do not disable this protection for production. Malicious applications on the device could request `id_tokens` and `access_tokens` without any interaction from the user or other indications that something has happened.
</Warning>

You can configure the confirmation prompt as a global tenant settings  or at the application-level. Application-level settings take precedence over the global tenant-level setting.

**Application-level**

1. [Navigate to Auth0 Dashboard > Applications > Application Settings > Advanced > OAuth](https://manage.auth0.com/#/applications/settings).
2. Scroll to the **Non-Verifiable Callback URI End-User Confirmation** setting.
3. Enable the toggle to activate the prompt or disable the toggle to deactivate the prompt.

<Frame>
  <img src="https://mintcdn.com/docs-dev-feat-update-styling-docs-for-universal-components/lpTpGPc1qcZmBPU4/docs/images/cdy7uua7fh8z/custom-uri-override.png?fit=max&auto=format&n=lpTpGPc1qcZmBPU4&q=85&s=3ece95318059136e8c11cb287f78f00f" alt="Auth0 Dashboard>Settings>Advanced" data-og-width="602" width="602" data-og-height="227" height="227" data-path="docs/images/cdy7uua7fh8z/custom-uri-override.png" data-optimize="true" data-opv="3" srcset="https://mintcdn.com/docs-dev-feat-update-styling-docs-for-universal-components/lpTpGPc1qcZmBPU4/docs/images/cdy7uua7fh8z/custom-uri-override.png?w=280&fit=max&auto=format&n=lpTpGPc1qcZmBPU4&q=85&s=b13c5bb1534535d9087d69f5d13d41c3 280w, https://mintcdn.com/docs-dev-feat-update-styling-docs-for-universal-components/lpTpGPc1qcZmBPU4/docs/images/cdy7uua7fh8z/custom-uri-override.png?w=560&fit=max&auto=format&n=lpTpGPc1qcZmBPU4&q=85&s=44f69e4d4985d739d4cd9b7e7ad104c8 560w, https://mintcdn.com/docs-dev-feat-update-styling-docs-for-universal-components/lpTpGPc1qcZmBPU4/docs/images/cdy7uua7fh8z/custom-uri-override.png?w=840&fit=max&auto=format&n=lpTpGPc1qcZmBPU4&q=85&s=d5fa7d5d7d7ad8b60ba01ad6131e0f73 840w, https://mintcdn.com/docs-dev-feat-update-styling-docs-for-universal-components/lpTpGPc1qcZmBPU4/docs/images/cdy7uua7fh8z/custom-uri-override.png?w=1100&fit=max&auto=format&n=lpTpGPc1qcZmBPU4&q=85&s=0afd6aef60d0f468187b8e0bd64fc900 1100w, https://mintcdn.com/docs-dev-feat-update-styling-docs-for-universal-components/lpTpGPc1qcZmBPU4/docs/images/cdy7uua7fh8z/custom-uri-override.png?w=1650&fit=max&auto=format&n=lpTpGPc1qcZmBPU4&q=85&s=c416d14edc2447b7b65880dc9072145c 1650w, https://mintcdn.com/docs-dev-feat-update-styling-docs-for-universal-components/lpTpGPc1qcZmBPU4/docs/images/cdy7uua7fh8z/custom-uri-override.png?w=2500&fit=max&auto=format&n=lpTpGPc1qcZmBPU4&q=85&s=e3ab2ee530a513a767e5ab8074baff1a 2500w" />
</Frame>

**Global**

1. Navigate to [Auth0 Dashboard > Settings > Advanced](https://manage.auth0.com/#/tenant/advanced).
2. Find the **Non-Verifiable Callback URI End-User Confirmation** setting.
3. Enable the toggle to activate the prompt.

<Frame>
  <img src="https://mintcdn.com/docs-dev-feat-update-styling-docs-for-universal-components/lpTpGPc1qcZmBPU4/docs/images/cdy7uua7fh8z/enable-non-verifiable-callback.png?fit=max&auto=format&n=lpTpGPc1qcZmBPU4&q=85&s=b403bd713c44d15d285e6b8778208ca7" alt="Auth0 Dashboard>Tenant Settings>Advanced>Skip Custom URI toggle" data-og-width="500" width="500" data-og-height="241" height="241" data-path="docs/images/cdy7uua7fh8z/enable-non-verifiable-callback.png" data-optimize="true" data-opv="3" srcset="https://mintcdn.com/docs-dev-feat-update-styling-docs-for-universal-components/lpTpGPc1qcZmBPU4/docs/images/cdy7uua7fh8z/enable-non-verifiable-callback.png?w=280&fit=max&auto=format&n=lpTpGPc1qcZmBPU4&q=85&s=354e71a3485a883411352e6316913544 280w, https://mintcdn.com/docs-dev-feat-update-styling-docs-for-universal-components/lpTpGPc1qcZmBPU4/docs/images/cdy7uua7fh8z/enable-non-verifiable-callback.png?w=560&fit=max&auto=format&n=lpTpGPc1qcZmBPU4&q=85&s=10faeab9f985e45c5aed9f4b9fde196d 560w, https://mintcdn.com/docs-dev-feat-update-styling-docs-for-universal-components/lpTpGPc1qcZmBPU4/docs/images/cdy7uua7fh8z/enable-non-verifiable-callback.png?w=840&fit=max&auto=format&n=lpTpGPc1qcZmBPU4&q=85&s=d57f8daa2ba6231700ef753013519a84 840w, https://mintcdn.com/docs-dev-feat-update-styling-docs-for-universal-components/lpTpGPc1qcZmBPU4/docs/images/cdy7uua7fh8z/enable-non-verifiable-callback.png?w=1100&fit=max&auto=format&n=lpTpGPc1qcZmBPU4&q=85&s=6f6ba4222c3db546de90b0e22f9f2dc8 1100w, https://mintcdn.com/docs-dev-feat-update-styling-docs-for-universal-components/lpTpGPc1qcZmBPU4/docs/images/cdy7uua7fh8z/enable-non-verifiable-callback.png?w=1650&fit=max&auto=format&n=lpTpGPc1qcZmBPU4&q=85&s=597000d785250f587e8c257e28820ddd 1650w, https://mintcdn.com/docs-dev-feat-update-styling-docs-for-universal-components/lpTpGPc1qcZmBPU4/docs/images/cdy7uua7fh8z/enable-non-verifiable-callback.png?w=2500&fit=max&auto=format&n=lpTpGPc1qcZmBPU4&q=85&s=20c0a6a0e734a69fa1245c434fdb7914 2500w" />
</Frame>
