Skip to main content
Version: 2.8.x.x RR

Mobile-Only Authentication / Deep Linking Best Practices

Some use cases concerning the mobile-only fallback, also referred to as link authentication, go beyond the usual usage scenarios. Therefore, these use cases are mentioned here in the Appendix section.

info

The following information is only applicable for deep links. If custom URIs are used for link-based authentication none of the information below applies.

Multiple iOS Applications Sharing the Same Deep Linking Domain

In addition to the prerequisites described for the mobile-only feature, you need to consider the following limitation if multiple applications use the same universal link domain and thus share the same Apple App Association File (AASA) on the backend.

In this particular case, configure all applications in the AASA file in a predefined order in the details array. The order of the apps in the details array determines the order in which the iOS system will open the applications when processing the deep link. See also the next code sample:

AASA example - Multiple deep link applications
{
  "applinks": {
    "details": [
      {
        "paths": [
          "<path>"
        ],
        "appID": "<teamID>.<bundleID-1>"
      },
      {
        "paths": [
          "<same_path_as_above>"
        ],
        "appID": "<teamID>.<bundleID-2>"
      },
      ...
    ]
  }
}

The following file shows a working example of an AASA file entry for a specific app.

AASA minimalistic example
{
  "applinks": {
    "details": [
      {
        "paths": [
          "/open"
        ],
        "appID": "ABCDEFGHIJ.ch.nevis.accessapp"
      }
    ],
    "apps": []
  }
}

This is how it works: First, iOS evaluates each path and stops when it finds a positive match. If all applications use the same path as in the example above, the app defined first has the highest priority (and subsequently the app defined last has the lowest priority).

We recommend that you define the application priorities via the details array as described above. As an alternative solution, you could use different universal link domains for different apps (for example, by mapping different nevisFIDO backend instances to different domains via the proxy). This allows defining separate AASA definition files for each individual application.

info

You can find a description of the mobile-only feature prerequisites here: "Out-of-Band Operations Using Push, QR Code, or Links".

Nevis recommends using custom URIs instead of deep links for mobile-only scenarios.