We’re developing a mobile application using the Trello API and we’re implementing authentication in the app. We are trying to redirect to our app scheme for the return URL, but we cannot specify something like app://return_url under Allowed Origins at https://trello.com/app-key, where app is the scheme registered on the system for our app.
I think it’s similar to the previous topic, but I would like to know if you are going to allow custom origin schemes on Trello API.
For my apps I use a simple AWS Lambda via AWS API Gateway that does the OAuth dance and then my Lambda redirects to the app-specific URL… The secret is held by this Lambda and is never exposed.
@selim13 @bentley Unless I’m missing something (which is entirely possible!), you may want to think twice before allowing non-https redirects since it might encourage people to embed the OAuth1 secret in an app, which is a massive vulnerability…
Thanks @dmehers. Yes, that’s the solution we’ve implemented. And yes, it’s a risk to have the secret in the app. For the moment we have an iOS app and we have some secrets in the app, but never in the code. Thanks. For the moment we’ll continue with the service as you propose.
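The broker pattern discussed in this thread, as an added example that is not code from any of the posters or from Trello: a callback handler that signs the OAuth 1.0a access-token request server-side and then redirects to the app's custom scheme. The environment variable names, the `exchange` and `pending` parameters, the injected `nonce`/`timestamp`, and passing the user's token in the redirect query are assumptions made for illustration.

```python
import base64, hashlib, hmac, os
from urllib.parse import parse_qsl, quote, urlencode

# Assumed names, not from the thread: env vars, app scheme, handler signature.
CONSUMER_KEY = os.environ.get("TRELLO_KEY", "constructed-key")
CONSUMER_SECRET = os.environ.get("TRELLO_SECRET", "constructed-secret")
APP_RETURN_URL = "app://return_url"          # custom scheme registered by the app
ACCESS_TOKEN_URL = "https://trello.com/1/OAuthGetAccessToken"

def _enc(value):
    """Percent-encode as OAuth 1.0a requires (RFC 5849 section 3.6)."""
    return quote(str(value), safe="-._~")

def sign(method, url, params, token_secret=""):
    """HMAC-SHA1 signature; the consumer secret is only ever used here."""
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), _enc(url), _enc(normalized)])
    key = f"{_enc(CONSUMER_SECRET)}&{_enc(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def handler(event, exchange, pending, nonce, timestamp):
    """Callback hit by the browser after the user approves access.

    exchange(url, params) -> response body: hypothetical callable that POSTs
    the signed request. pending maps request token -> its secret, saved when
    the flow started (a dict here; a real deployment needs shared storage).
    """
    query = event.get("queryStringParameters") or {}
    token, verifier = query.get("oauth_token"), query.get("oauth_verifier")
    token_secret = pending.pop(token, None)   # single use: a replay finds nothing
    if not verifier or token_secret is None:
        return {"statusCode": 400, "body": "unknown or replayed request token"}
    params = {
        "oauth_consumer_key": CONSUMER_KEY, "oauth_token": token,
        "oauth_verifier": verifier, "oauth_nonce": nonce,
        "oauth_timestamp": timestamp, "oauth_signature_method": "HMAC-SHA1",
        "oauth_version": "1.0",
    }
    params["oauth_signature"] = sign("POST", ACCESS_TOKEN_URL, params, token_secret)
    granted = dict(parse_qsl(exchange(ACCESS_TOKEN_URL, params)))
    # Only the user's token reaches the app; the consumer secret stays here.
    location = APP_RETURN_URL + "?" + urlencode({"token": granted["oauth_token"]})
    return {"statusCode": 302, "headers": {"Location": location}}
```

The app receives only a per-user token, which the user can revoke, while the consumer secret that identifies the application never leaves the server.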