Is there production support for allowNavigation server config?

[b2zv]

https://capacitorjs.com/docs/config shows that the allowNavigation server configuration can be set in capacitor.config.json:

server?: {
...
...
/**
* Set additional URLs the Web View can navigate to.
*
* By default, all external URLs are opened in the external browser (not
* the Web View).
*
* This is not intended for use in production.
*
* @SInCE 1.0.0
* @default []
*/
allowNavigation?: string[];
};

The comment above says that this configuration is not intended for use in production. Is there a configuration that can be used in production?

Our app uses a oAuth 2.0 authorization code flow with PKCE to authenticate the app's user. When invoked from the app, the WKWebView in iOS will attempt to redirect the view to the auth provider's login UI but this is handled by Capacitor by launching an external browser. This breaks the user experience so we want to configure Capacitor to handle the redirect within the app.

Any recommended solution to this problem is appreciated. Thanks.

[jcesarmobile]

Your app should never navigate out to an external site, specially if you don’t own it. That’s why it’s not intended to be used in production, but you can use it in production if you want.

[b2zv]

Thanks for your response.

I understand the best practice suggested by you but how do I handle the situation where the authentication user experience is offered by Microsoft ActiveDirectory?

Microsoft's OAuth 2.0 Authentication Flow with PKCE is their recommended solution for single page apps. https://docs.microsoft.com/en-us/azure/active-directory-b2c/authorization-code-flow. This becomes part of the app's sign-in experience.

Microsoft does not recommend that apps take the responsibility of managing access tokens etc., so they take this flow to Microsoft's Authorization endpoint, which is an external URL. There could be several URLs that cover all aspects of sign-in, sign-up, password reset etc.

There is a risk of breaking the app if Capacitor stops supporting this configuration all together.

[jcesarmobile]

Capacitor is not going to stop supporting this configuration despite it's not recommended to use it.

But you can use plugins like Capacitor Browser or Cordova's InAppBrowser or Ionic Auth Connect, to navigate to the OAuth server in a separate WebView instead of navigating inside your own app, when you navigate outside of your app in the same WebView all your app context is gone.
And most OAuth providers also allow to navigate to the OAuth site with Safari/Chrome and then go back to the app with an app scheme or smart links/deep links.

[b2zv]

Thanks. I want have UX continuity without leaving the app but I will explore deep linking as well.