How to Allow Apps to Claim "Https" Scheme Uris? (I.E How to Open a Desktop Application from Https Url)

How can I allow apps to claim https scheme URIs? (i.e How can I open a desktop application from https URL?)

Claimed HTTPS schemes are only possible on mobile - via 'universal links' on iOS or 'app links' on Android. It would be nice if it worked for desktop also, but unfortunately that is not the case.

MOBILE CLAIMED HTTPS SCHEME SAMPLES OF MINE

  • Android Sample
  • iOS Sample

DESKTOP FUTURE DIRECTION?

I guess your concern is a malware app triggering a login redirect with your desktop app's client id and redirect URI? This has been a concern for a while, though I guess if malware can run you may have bigger problems.

The future solution to this problem is likely to involve Client Attestation Techniques to prove the app's identity BEFORE it is allowed to attempt user authentication, rather than only relying on an owned response URL.

Right now the technology probably does not support what you want, and Custom URI schemes may be the best option.

Allowed OAuth 2.0 Redirect URIs for Native App

For desktop apps the usual thing is to find a free port at runtime, then spin up a loopback server at a URL such as http://localhost:8000, without any path. This listener exists for only one reason, to receive a login response.

In theory you can register http://localhost as the redirect URI for the client and any port will work, though I have very rarely seen that supported by Authorization Servers.

Here is some example code of mine to show how that looks. My app therefore registers three specific redirect URLs, for ports 8001-8003.

You are right that only exact URLs should be registered, to avoid open redirector vulnerabilities. The RFC8252 behaviour for desktop apps and multiple ports is a special case. You can either choose to use it, or register multiple redirect URIs with different ports.

Another option is to use Private URI Schemes for desktop apps (personally I prefer this). Mobile apps should use HTTPS redirect URIs, as the most secure option - this is required for financial-grade apps.

Is it allowed for a Native App client to use any random available port in a redirect URI?

Thanks to Gary's reply and the link he provided, I've found this piece:

The authorization server MUST allow any port to be specified at the
time of the request for loopback IP redirect URIs, to accommodate
clients that obtain an available ephemeral port from the operating
system at the time of the request.

In my original post I was confused by the example utilizing a random available port that made redirect-uri dynamic.
But it turns out, the oauth server must allow any port of redirect-uri that comes from the client as soon as it's on a loopback interface.
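Added example (not code from either answer above) covering both the loopback listener described in the previous answer and the RFC 8252 port rule quoted here: the native app binds port 0 so the OS picks an ephemeral port, and the authorization-server side check matches redirect URIs exactly (no prefix or wildcard matching) except that the port is ignored for loopback IP literals. It follows the RFC's recommended IP-literal form (127.0.0.1 / [::1]) rather than the "localhost" hostname, so a localhost URI with a different port is rejected; the function and constant names are my own.

```python
import socket
from urllib.parse import urlsplit

# Loopback IP literals to which the RFC 8252 section 7.3 port exception applies.
# The hostname "localhost" is deliberately not included (RFC 8252 recommends the IP literal).
LOOPBACK_HOSTS = {"127.0.0.1", "::1"}


def is_loopback_redirect(uri: str) -> bool:
    """True for http://127.0.0.1[:port]... or http://[::1][:port]... redirect URIs."""
    parts = urlsplit(uri)
    return parts.scheme == "http" and parts.hostname in LOOPBACK_HOSTS


def redirect_uri_allowed(requested: str, registered: list[str]) -> bool:
    """Authorization-server side check of the redirect_uri in an authorization request.

    Exact string match against a registered URI; no prefix or wildcard matching,
    which would turn the server into an open redirector. The single exception is
    a loopback IP redirect URI, where any port is accepted because the native app
    only learns its ephemeral port at request time (RFC 8252 section 7.3).
    """
    if requested in registered:
        return True
    if not is_loopback_redirect(requested):
        return False
    req = urlsplit(requested)
    for reg in registered:
        if not is_loopback_redirect(reg):
            continue
        r = urlsplit(reg)
        # Scheme, host, path and query must still match exactly; only the port may differ.
        if (r.scheme, r.hostname, r.path, r.query) == (req.scheme, req.hostname, req.path, req.query):
            return True
    return False


def build_loopback_redirect_uri(path: str = "/callback") -> tuple[socket.socket, str]:
    """Native-app side: bind an ephemeral loopback port and build the matching redirect_uri."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))  # port 0: the OS hands out a free port
    sock.listen(1)
    port = sock.getsockname()[1]
    return sock, f"http://127.0.0.1:{port}{path}"


if __name__ == "__main__":
    listener, uri = build_loopback_redirect_uri()
    print(uri, redirect_uri_allowed(uri, ["http://127.0.0.1/callback"]))
    listener.close()
```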

Google 400 Error: invalid request Custom scheme URIs are not allowed for 'Web' client type

My guess is that your client is registered incorrectly in Google Cloud Console. A 'WEB' client is typically a server or JavaScript application. An iOS app should be registered as an iOS client.

https://developers.google.com/identity/protocols/OAuth2InstalledApp#creatingcred

Is it possible to open custom URL scheme with Google Chrome?

I found the solution that works with Chrome.
I use the IFRAME-way.

Example (with JQuery):

$("body").append('<span id="__protoProxy"></span>');

function queryWord(aWord)
{
    var protoProxy = document.getElementById('__protoProxy');
    if (protoProxy)
    {
        // Percent-encode the value so quotes and other reserved characters cannot
        // break out of the src attribute or alter the custom-scheme URL.
        var word = encodeURIComponent(aWord);
        // A hidden iframe navigating to the custom scheme hands the URL to the registered handler.
        protoProxy.innerHTML = '<div style="display:none;"><iframe src="x-myproto://query?' + word + '"></iframe></div>';
    }
}

queryWord('hello');
