Although you are using Auth0, this appears to be the same issue you will face with plain JavaScript-based OAuth when installed on devices. Your InAppBrowser is being redirected to its origin, which is a file-based URL, by the remote auth provider, which is not allowed (possible security risk). For devices, you need to instead call the OAuth provider in a new (“_blank”) window, then handle that window’s loadstart event, parsing the URL before closing it. In that case the file URL won’t matter since the window will be closed before it actually tries to load the file. So users never actually leave the original window; the auth redirect happens in the _blank window.
I previously posted a reply on this topic with some sample code:
Also, Nic Raboy has a good blog post on the subject (using Facebook as provider) here:
hope this helps.