diff --git a/modules/oauth/src/main/LegacyClientApi.scala b/modules/oauth/src/main/LegacyClientApi.scala
index bbc07ce985..ef099d6de2 100644
--- a/modules/oauth/src/main/LegacyClientApi.scala
+++ b/modules/oauth/src/main/LegacyClientApi.scala
@@ -30,6 +30,8 @@ object LegacyClientApi {
 override def toString = "ClientSecret(***)"
 }
- case object MismatchingClientSecret extends Protocol.Error.InvalidGrant("fix mismatching client secret (or update to pkce)")
- case object ClientSecretRequired extends Protocol.Error.InvalidRequest("client_secret required (or update to pkce)")
+ case object MismatchingClientSecret
+ extends Protocol.Error.InvalidGrant("fix mismatching client secret (or update to pkce)")
+ case object ClientSecretRequired
+ extends Protocol.Error.InvalidRequest("client_secret required (or update to pkce)")
 }
diff --git a/modules/oauth/src/main/Protocol.scala b/modules/oauth/src/main/Protocol.scala
index c8697d588e..ecf564b9b4 100644
--- a/modules/oauth/src/main/Protocol.scala
+++ b/modules/oauth/src/main/Protocol.scala
@@ -90,7 +90,24 @@ object Protocol {
 .parseOption(redirectUri)
 .toValid(Error.RedirectUriInvalid)
 .ensure(Error.RedirectSchemeNotAllowed)(url =>
- List("http", "https", "ionic", "capacitor").has(url.scheme)
+ List(
+ // standard
+ "http",
+ "https",
+ "ionic",
+ "capacitor",
+ // bc
+ "squareoffapp",
+ "anichess",
+ "lichessmac",
+ "chessrtx",
+ "chesscomopse",
+ // whitelist (consider automating)
+ "no.rieck.chess.dgt",
+ "net.developerfluid.darkknight",
+ "com.guykn.chessboard3",
+ "com.georgdotorg.catur"
+ ).has(url.scheme)
 )
 .map(RedirectUri.apply)
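Review bot: The scheme allowlist added inside `.ensure(Error.RedirectSchemeNotAllowed)` in Protocol.scala is global, so every client may redirect to any listed private-use scheme (`anichess`, `chessrtx`, `lichessmac`, ...), and nothing records which client each entry belongs to. Custom URI schemes are not exclusively owned by one application on a device, so the authorization code is only protected if clients using them are held to PKCE; that enforcement is not visible in this hunk and should be confirmed. The comment `// bc` should be spelled out (presumably backwards compatibility), with a note on whether that group may still be extended. I would also hoist the list into a named constant, e.g. `private val allowedRedirectSchemes: Set[String] = Set(...)`, checked with `allowedRedirectSchemes.contains(url.scheme)`, so it is not rebuilt per call and is easier to audit. The enclosing method starts and ends outside the hunk.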