openid / appauth-android
Android client SDK for communicating with OAuth 2.0 and OpenID Connect providers.
Home Page: https://openid.github.io/AppAuth-Android
License: Apache License 2.0
Hi,
I'm trying to get this library to work with the Microsoft v2 Authentication Endpoint. I'm running into the following error:
java.lang.RuntimeException: Unable to start activity ComponentInfo{net.openid.appauthdemo/net.openid.appauth.RedirectUriReceiverActivity}: java.lang.UnsupportedOperationException: This isn't a hierarchical URI.
The exception is thrown in RedirectUriReceiverActivity.
The problem is that the Microsoft URI format is like this urn:ietf:wg:oauth:2.0:oob and Uri.getQueryParameter doesn't like it.
Is there any workaround to make it work with this provider?
Thanks for the great work, by the way.
Hi,
I've imported the project into Android Studio and it doesn't build.
It complains at line 26:
def grgit = org.ajoberstar.grgit.Grgit.open(dir: '.')
What should I do?
Moreover, for every Gradle command, lint is saying "cannot resolve symbol"
OPTIONAL. String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token. Sufficient entropy MUST be present in the nonce values used to prevent attackers from guessing values. For implementation notes, see Section 15.5.2.
Section 3.2.2.1, "Authentication Request" specifies that this parameter is REQUIRED for implicit flow authentication requests (those with response type id_token or id_token token).
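As an added example (plain-JDK code, not AppAuth's own; the NonceBinding class and the decoded-claims Map are assumptions), generating a nonce with enough entropy for the request and checking that the ID Token echoes it back:

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

public final class NonceBinding {
    private static final SecureRandom RNG = new SecureRandom();

    // 32 random bytes (256 bits) is comfortably more entropy than needed to
    // make guessing infeasible; base64url keeps the value safe for the
    // authorization request query string.
    public static String generateNonce() {
        byte[] buf = new byte[32];
        RNG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // Verify the nonce the OP echoed back in the ID Token against the one
    // stored with the outgoing request. A missing claim is a failure whenever
    // a nonce was sent (always the case for implicit flow); the comparison is
    // constant-time so it does not leak how many characters matched.
    public static boolean nonceMatches(Map<String, Object> idTokenClaims, String expected) {
        Object claim = idTokenClaims.get("nonce");
        if (!(claim instanceof String) || expected == null) {
            return false;
        }
        byte[] a = ((String) claim).getBytes(StandardCharsets.UTF_8);
        byte[] b = expected.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b);
    }

    public static void main(String[] args) {
        String nonce = generateNonce();
        // Constructed claims map standing in for a decoded ID Token payload.
        Map<String, Object> claims = new HashMap<>();
        claims.put("sub", "user-123");
        claims.put("nonce", nonce);
        System.out.println("echoed nonce accepted: " + nonceMatches(claims, nonce));
        claims.remove("nonce");
        System.out.println("missing nonce rejected: " + !nonceMatches(claims, nonce));
    }
}
```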
In AuthorizationService::TokenRequestTask::doInBackground(), the URL that is constructed (local variable 'url' inside try block) is missing the port from the request URI. This omission seems to cause FileNotFoundException when connecting to the token endpoint.
If there is no browser at all, the user would get an unexpected ActivityNotFoundException:
android.content.ActivityNotFoundException: No Activity found to handle Intent { act=android.intent.action.VIEW dat=https://accounts.google.com/o/oauth2/v2/auth?redirect_uri=com.googleusercontent.apps.nope:/oauth2redirect&client_id=529788761403-aj9ff2svir6lsqjnck6jnjmqhfop77mk.apps.googleusercontent.com&response_type=code&state=Od4cn-XBtdi3Qdjnl5t7wg&scope=openid profile email&code_challenge=WJOmc7Hs3GcF0FpQ7dUJ3ISZxwETpkSmBods2dgMLr4&code_challenge_method=S256 flg=0x40000000 pkg=com.android.chrome (has extras) }
at android.app.Instrumentation.checkStartActivityResult(Instrumentation.java:1551)
at android.app.Instrumentation.execStartActivity(Instrumentation.java:1422)
at android.app.Activity.startActivityForResult(Activity.java:3375)
at android.app.Activity.startActivityForResult(Activity.java:3331)
at android.support.v4.app.FragmentActivity.startActivityForResult(FragmentActivity.java:843)
at android.app.Activity.startActivity(Activity.java:3546)
at android.app.Activity.startActivity(Activity.java:3514)
at net.openid.appauth.AuthorizationService.performAuthorizationRequest(AuthorizationService.java:173)
at net.openid.appauthdemo.MainActivity.makeAuthRequest(MainActivity.java:143)
at net.openid.appauthdemo.MainActivity.access$100(MainActivity.java:54)
at net.openid.appauthdemo.MainActivity$1.onFetchConfigurationCompleted(MainActivity.java:89)
at net.openid.appauth.AuthorizationServiceConfiguration$ConfigurationRetrievalAsyncTask.onPostExecute(AuthorizationServiceConfiguration.java:325)
at net.openid.appauth.AuthorizationServiceConfiguration$ConfigurationRetrievalAsyncTask.onPostExecute(AuthorizationServiceConfiguration.java:266)
at android.os.AsyncTask.finish(AsyncTask.java:631)
at android.os.AsyncTask.access$600(AsyncTask.java:177)
at android.os.AsyncTask$InternalHandler.handleMessage(AsyncTask.java:644)
at android.os.Handler.dispatchMessage(Handler.java:99)
at android.os.Looper.loop(Looper.java:153)
at android.app.ActivityThread.main(ActivityThread.java:5022)
at java.lang.reflect.Method.invokeNative(Native Method)
at java.lang.reflect.Method.invoke(Method.java:511)
at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:1032)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:790)
at dalvik.system.NativeStart.main(Native Method)
Just to gather some changes; when the dynamic client registration is completed (as of #61), is this library ready for v0.3.0 soon?
PR #66 and #67 are contingent on a new version (and should not be merged until that is released).
In connection with a new version, the javadoc hosted at the github pages will also need to be re-generated.
It seems Gradle can't find "org.ajoberstar.grgit.Grgit"?
Error:(132, 0) Cause: repository not found: /Users/cwang/Downloads/AppAuth-Android-master
OpenID Connect Core 1.0, Section 3.1.2.1, max_age parameter:
OPTIONAL. Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated by the OP. If the elapsed time is greater than this value, the OP MUST attempt to actively re-authenticate the End-User. (The max_age request parameter corresponds to the OpenID 2.0 PAPE max_auth_age request parameter). When max_age is used, the ID Token returned MUST include an auth_time Claim Value.
OpenID Connect Core 1.0, Section 7.2.1, registration parameter:
OPTIONAL. This parameter is used by the Client to provide information about itself to a Self-Issued OP that would normally be provided to an OP during Dynamic Client Registration. The value is a JSON object containing Client metadata values, as defined in Section 2.1 of the OpenID Connect Dynamic Client Registration 1.0 specification. The registration parameter SHOULD NOT be used when the OP is not a Self-Issued OP.
OpenID Connect Core 1.0, Section 5.5, claims parameter:
OPTIONAL. This parameter is used to request that specific Claims be returned. The value is a JSON object listing the requested Claims.
An example Claims request is as follows:
{
  "userinfo": {
    "given_name": {"essential": true},
    "nickname": null,
    "email": {"essential": true},
    "email_verified": {"essential": true},
    "picture": null,
    "http://example.info/claims/groups": null
  },
  "id_token": {
    "auth_time": {"essential": true},
    "acr": {"values": ["urn:mace:incommon:iap:silver"]}
  }
}
Support "acr_values" OpenID Connect auth request parameter
OpenID Connect Core 1.0, Section 3.1.2.1, acr_values parameter:
OPTIONAL. Requested Authentication Context Class Reference values. Space-separated string that specifies the acr values that the Authorization Server is being requested to use for processing this Authentication Request, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value, as specified in Section 2. The acr Claim is requested as a Voluntary Claim by this parameter.
Authentication state lost while app switching
Hello,
we have integrated this into an OpenID Connect solution without issue, really top notch; however, we have run into a problem. In essence, our app requires switching to SMS to get a one-time password during authentication. When we do, we lose the application state and we no longer see the screen for the OTP in the custom tab. Is there a way to force the auth state to be stored and restored upon coming back?
Android account manager support
Will Android account manager be supported in the future?
Adding additional IDP
I'm trying to get the demo app up and running against an IDP/OP in my domain (so not Google Sign-In).
How do I specify the redirect URI in idp_configs.xml/idp_configs_optional.xml, such that the authentication response is delivered through an Intent (similar to the case for Google Sign-In)?
The example documentation only shows an HTTP-url as redirect_uri, which I think assumes another web server receiving the response and not the demo app?
Do I need to add another intent filter in the manifest, similar to AppAuth-Android/app/AndroidManifest.xml, lines 33 to 38 in c75b8f1?
Can't get TokenActivity to work with custom IdP
Hello all,
I've downloaded and run the mitreid server locally, and I'm trying to integrate it with this app, following the instructions, but I have issues with TokenActivity. To be more specific, I get the snackbar saying:
"Token refresh Failed"
and debugging I found out that there is an "AuthorizationException" whose json is:
{"type":0,"code":3,"errorDescription":"Network error"}
The issue is on the token request (I debugged it), because I can see the login and the redirect work correctly (I see the app going on the web server apps list), but the token won't work.
I don't think it is an issue of the mitre configuration (but it could be?). The grant type is set to "authorization code" and "refresh"; under response type, "code", "token" and "id_token" are enabled.
What else can I do? The token endpoint is correct, but it is not working!
Activity net.openid.appauthdemo.MainActivity has leaked ServiceConnection
I've encountered a leak problem. I was using a simulator without Chrome installed. On a Chrome installed simulator the leak won't happen.
This leak occurred when I hit the back button and the MainActivity went into the background.
And when I dug a little deeper into the problem I found that the mBrowserPackage in the BrowserHandler was resolved to com.android.browser and the return value of CustomTabsClient#bindCustomTabsService(...) is false. So the connection is not retained in the BrowserHandler and when BrowserHandler#unbind() is called, nothing is unbound. I've tried to retain the connection even when CustomTabsClient#bindCustomTabsService(...) returns false. It seems to solve the leak problem, but I'm not sure whether there will be any side effects.
07-06 10:12:45.442 3929-3929/net.openid.appauthdemo E/ActivityThread: Activity net.openid.appauthdemo.MainActivity has leaked ServiceConnection net.openid.appauth.BrowserHandler$1@2206f76 that was originally bound here
android.app.ServiceConnectionLeaked: Activity net.openid.appauthdemo.MainActivity has leaked ServiceConnection net.openid.appauth.BrowserHandler$1@2206f76 that was originally bound here
at android.app.LoadedApk$ServiceDispatcher.<init>(LoadedApk.java:1092)
at android.app.LoadedApk.getServiceDispatcher(LoadedApk.java:986)
at android.app.ContextImpl.bindServiceCommon(ContextImpl.java:1303)
at android.app.ContextImpl.bindService(ContextImpl.java:1286)
at android.content.ContextWrapper.bindService(ContextWrapper.java:604)
at android.support.customtabs.CustomTabsClient.bindCustomTabsService(CustomTabsClient.java:60)
at net.openid.appauth.BrowserHandler.bindCustomTabsService(BrowserHandler.java:86)
at net.openid.appauth.BrowserHandler.<init>(BrowserHandler.java:61)
at net.openid.appauth.AuthorizationService.<init>(AuthorizationService.java:101)
at net.openid.appauthdemo.MainActivity.onCreate(MainActivity.java:63)
at android.app.Activity.performCreate(Activity.java:6237)
at android.app.Instrumentation.callActivityOnCreate(Instrumentation.java:1107)
at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:2369)
at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:2476)
at android.app.ActivityThread.-wrap11(ActivityThread.java)
at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1344)
at android.os.Handler.dispatchMessage(Handler.java:102)
at android.os.Looper.loop(Looper.java:148)
at android.app.ActivityThread.main(ActivityThread.java:5417)
at java.lang.reflect.Method.invoke(Native Method)
at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:726)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:616)
Error when no default browser is defined
I've found what seems to be an error in the BrowserPackageHelper when no default browser is defined.
I get a java.lang.NullPointerException in the isFullBrowser method because the ResolveInfo is not null, however the ResolveInfo.filter is null.
This seems to be the documented behaviour for the PackageManager.resolveActivity method when more than one option exists (i.e. no default): "If multiple matching activities are found and there is no default set, returns a ResolveInfo containing something else, such as the activity resolver."
Support JWT decoding and validation
Support validating JWTs and extracting their claims as a map. This will require the ability to either dynamically use the jwks_uri keys provided by the provider's discovery document, or a set of acceptable keys provided by the developer.
Support "request_uri" OpenID Connect auth request parameter
OpenID Connect Core 1.0, Section 6.0, request_uri parameter:
OPTIONAL. This parameter enables OpenID Connect requests to be passed by reference, rather than by value. The request_uri value is a URL using the https scheme referencing a resource containing a Request Object value, which is a JWT containing the request parameters.
java.io.FileNotFoundException from library code
I am trying to do OpenID Connect auth; I successfully got an AuthorizationResponse, but I am getting:
AuthorizationException: {"type":0,"code":3,"errorDescription":"Network error"}
caused by java.io.FileNotFoundException: http://api.my_addr.com:8080/connect/token
on line #154 of AuthorizationService.class
is = conn.getInputStream();
I found an answer on stackoverflow (http://stackoverflow.com/questions/9365829/filenotfoundexception-for-httpurlconnection-in-ice-cream-sandwich), but I cannot edit library code.
Support "login_hint" OpenID Connect auth request parameter
OpenID Connect Core 1.0, Section 3.1.2.1, login_hint parameter:
OPTIONAL. Hint to the Authorization Server about the login identifier the End-User might use to log in (if necessary). This hint can be used by an RP if it first asks the End-User for their e-mail address (or other identifier) and then wants to pass that value as a hint to the discovered authorization service. It is RECOMMENDED that the hint value match the value used for discovery. This value MAY also be a phone number in the format specified for the phone_number Claim. The use of this parameter is left to the OP's discretion.
Support "id_token_hint" OpenID Connect auth request parameter
OpenID Connect Core 1.0, Section 3.1.2.1, id_token_hint parameter:
OPTIONAL. ID Token previously issued by the Authorization Server being passed as a hint about the End-User's current or past authenticated session with the Client. If the End-User identified by the ID Token is logged in or is logged in by the request, then the Authorization Server returns a positive response; otherwise, it SHOULD return an error, such as login_required. When possible, an id_token_hint SHOULD be present when prompt=none is used and an invalid_request error MAY be returned if it is not; however, the server SHOULD respond successfully when possible, even if it is not present. The Authorization Server need not be listed as an audience of the ID Token when it is used as an id_token_hint value.
If the ID Token received by the RP from the OP is encrypted, to use it as an id_token_hint, the Client MUST decrypt the signed ID Token contained within the encrypted ID Token. The Client MAY re-encrypt the signed ID token to the Authentication Server using a key that enables the server to decrypt the ID Token, and use the re-encrypted ID token as the id_token_hint value.
Handle multiple requests to initializeAuthorizationRequest gracefully.
Multiple requests to the AuthorizationService result in multiple instances of the Custom Tabs opening. We should handle requests more gracefully and prevent requests with the same requestId from going through.
Support "display" OpenID Connect auth request parameter
OpenID Connect Core 1.0, Section 3.1.2.1, "display" parameter:
OPTIONAL. ASCII string value that specifies how the Authorization Server displays the authentication and consent user interface pages to the End-User. The defined values are:
page
The Authorization Server SHOULD display the authentication and consent UI consistent with a full User Agent page view. If the display parameter is not specified, this is the default display mode.
popup
The Authorization Server SHOULD display the authentication and consent UI consistent with a popup User Agent window. The popup User Agent window should be of an appropriate size for a login-focused dialog and should not obscure the entire window that it is popping up over.
touch
The Authorization Server SHOULD display the authentication and consent UI consistent with a device that leverages a touch interface.
wap
The Authorization Server SHOULD display the authentication and consent UI consistent with a "feature phone" type display.
Handle authorization errors in AuthState
An outstanding TODO for handling authorization errors exists in AuthState.update. As it stands, AuthState does nothing when an error is reported.
Support "prompt" OpenID Connect auth request parameter
OpenID Connect Core 1.0, Section 3.1.2.1, "prompt" parameter:
OPTIONAL. Space delimited, case sensitive list of ASCII string values that specifies whether the Authorization Server prompts the End-User for reauthentication and consent. The defined values are:
none
The Authorization Server MUST NOT display any authentication or consent user interface pages. An error is returned if an End-User is not already authenticated or the Client does not have pre-configured consent for the requested Claims or does not fulfill other conditions for processing the request. The error code will typically be login_required, interaction_required, or another code defined in Section 3.1.2.6. This can be used as a method to check for existing authentication and/or consent.
login
The Authorization Server SHOULD prompt the End-User for reauthentication. If it cannot reauthenticate the End-User, it MUST return an error, typically login_required.
consent
The Authorization Server SHOULD prompt the End-User for consent before returning information to the Client. If it cannot obtain consent, it MUST return an error, typically consent_required.
select_account
The Authorization Server SHOULD prompt the End-User to select a user account. This enables an End-User who has multiple accounts at the Authorization Server to select amongst the multiple accounts that they might have current sessions for. If it cannot obtain an account selection choice made by the End-User, it MUST return an error, typically account_selection_required.
Activity didn't handle redirect.
I'll configure my Activity Manifest with net.openid.appauth.RedirectUriReceiverActivity according to the guide. But after authorization is complete and the callback page is shown in the system browser, onCreate isn't called. And there is no possibility to check the data received from OAuth. Can it be caused by such an error - "E/Surface: getSlotFromBufferLocked: unknown buffer: 0xa214d070" - which I see in the logs after the initial auth request is performed? Thank you
Clarification of instructions for "Configuring Google Sign In"
I followed the instructions in app/README.md for configuring the demo app included in this repository with Google Sign-In and found some things that maybe could be made clearer:
- The enabling Google services page for Google Sign-In expects the SHA1 fingerprint of the certificate, while the command shown for extracting fingerprints picks SHA256 (via grep SHA256). The command from e.g. https://support.google.com/cloud/answer/6158849?hl=en#android should be shown/linked instead.
- There is no mention of having to change the value of google_enabled in res/values/idp_configs.xml to true (kind of obvious, but I missed it the first time I edited the file).
Add idp config string "client_secret"
I need to add a "client_secret" when I'm doing the token request. How can I add this?
Verify that space-delimited lists are ASCII-only
OAuth2 and OpenID Connect make use of space-delimited string lists in a number of parameters (e.g. scope, prompt). While we currently check that these strings are null or not empty, we are not checking that they are ASCII-only.
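One way to implement that check, as an added plain-Java example (not AppAuth code; the SpaceDelimitedLists class and method names are assumptions), applying the generic rule to any space-delimited parameter and the stricter RFC 6749 scope-token grammar to scope:

```java
import java.util.Arrays;
import java.util.List;

public final class SpaceDelimitedLists {
    // Generic rule shared by parameters such as "prompt" and "ui_locales":
    // one or more values, each non-empty, separated by exactly one ASCII
    // space, with every character printable ASCII (0x21-0x7E). Leading,
    // trailing or doubled spaces produce an empty element and are rejected.
    public static boolean isValidSpaceDelimitedList(String value) {
        if (value == null || value.isEmpty()) {
            return false;
        }
        for (String element : value.split(" ", -1)) {
            if (element.isEmpty()) {
                return false;
            }
            for (int i = 0; i < element.length(); i++) {
                char c = element.charAt(i);
                if (c < 0x21 || c > 0x7E) {
                    return false;
                }
            }
        }
        return true;
    }

    // The OAuth 2.0 "scope" parameter is stricter (RFC 6749 section 3.3):
    // scope-token = 1*( %x21 / %x23-5B / %x5D-7E ), i.e. printable ASCII
    // without space, double quote (0x22) or backslash (0x5C).
    public static boolean isValidScope(String value) {
        if (!isValidSpaceDelimitedList(value)) {
            return false;
        }
        return value.chars().noneMatch(c -> c == '"' || c == '\\');
    }

    public static void main(String[] args) {
        // Constructed samples covering the cases the check must catch.
        List<String> samples = Arrays.asList(
                "openid profile email",      // valid
                "openid  profile",           // doubled space gives an empty element
                "openid profile ",           // trailing space
                "openid pr\u00f6file",       // non-ASCII character
                "openid \"profile\"");       // ASCII, but not a legal scope-token
        for (String s : samples) {
            System.out.printf("%-24s list=%-5s scope=%s%n",
                    "\"" + s + "\"", isValidSpaceDelimitedList(s), isValidScope(s));
        }
    }
}
```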
Losing ID token during token refresh
Consider a scenario where the client requests an ID token, access token and refresh token on their authorization request. This is granted, and after exchange of the authorization code, they receive the requested tokens. An IDP can freely choose different expiration times for access tokens and ID tokens, so let's say that an ID token lasts 24 hours, and an access token lasts 1 hour.
After an hour of using the tokens with the help of AuthState.performActionWithFreshTokens, the access token expires and we request fresh tokens. The received token response replaces the original token response, which contained the (still valid) ID token. This response may or may not contain a new ID token; this is entirely up to the behavior of the IDP - I can't see anything in the spec that would require a refresh exchange to always yield the same tokens as the original code exchange.
So, the original ID token is lost when the token response is replaced, and there may not be a new one in the new token response to replace it. Should AuthState be storing token values independently of the authorization and token responses, to avoid this scenario?
Support Hybrid Flow
Are there any plans to support the Hybrid Flow described in section 2 of http://openid.net/specs/openid-connect-implicit-1_0.html?
Library difficult to use/integrate
Apologies for the generic issue, but I would love to see the library and sample be like other Android-specific libraries from Google open source like google-services/signin, or developer relations libraries like easypermissions (for non-official ones). The talk and the premises addressed here are bleeding edge (custom tabs, PKCE etc.) but setting it up is a huge pain in the ass.
Is adding this in firebase authentication on the roadmap?
Android for Work behavior when no browser is available in the work profile
Need to validate what happens with AppAuth if you try and do an authorization request in a Work profile without a browser being present in the Work profile.
Generally speaking, if you fire a browser intent in a Work profile with no browser, it will open the personal browser, and the OAuth flow will not complete successfully (intents from work->personal are one-way and can't be returned).
Ideally we would catch this condition before firing any intents.
Webview possibility
Hi!
When the user doesn't have the Chrome app, the Custom Tab will open the browser by default, making the application UI ugly in my opinion. Is there a chance that I can open the login URL in a webview? I know that the instructions say no, but I still want to know if there's a chance.
Logout support
Hello.
I managed to include Keycloak logout support in my company. What I did was copy the following files:
- AuthorizationService => LogoutService
- AuthorizationRequest => LogoutRequest
- RedirectUriReceiverActivity => LogoutUriReceiverActivity
- PendingIntentStore => PendingLogoutIntentStore
So basically I used the same CustomTab/Browser authorization mechanism but for logout. I'm aware open id connect logout is still a draft. However it seemed to me that the code is not generic enough to allow "CustomTab commands" other than login.
What I want to know is if this is correct and if it's not what can I do to avoid copy/paste?
Google auth example not working
I'm trying to get the demo project working to authenticate me with Google. I have two problems:
- The AppAuth-Android framework isn't sending the required client_secret parameter when it makes its token request. I can fix this from the client side by passing in an additional_parameters map.
- The response from Google includes an id_token but not a refresh_token. Then when I press the "View user info" button that appears on TokenActivity it crashes because of an invalid state exception - it doesn't have the necessary refresh token.
Any ideas?
Support "claims_locales" OpenID Connect auth request parameter
OpenID Connect Core 1.0, Section 5.2, claims_locales parameter:
OPTIONAL. End-User's preferred languages and scripts for Claims being returned, represented as a space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. An error SHOULD NOT result if some or all of the requested locales are not supported by the OpenID Provider.
Support "ui_locales" OpenID Connect auth request parameter
OpenID Connect Core 1.0, Section 3.1.2.1, ui_locales parameter:
OPTIONAL. End-User's preferred languages and scripts for the user interface, represented as a space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. For instance, the value "fr-CA fr en" represents a preference for French as spoken in Canada, then French (without a region designation), followed by English (without a region designation). An error SHOULD NOT result if some or all of the requested locales are not supported by the OpenID Provider.
AuthorizationRequest prompt value is not deserialized correctly
The prompt value is serialized but not deserialized, resulting in the loss of the original value.
Registration endpoint is optional
Maybe you should replace the check at line
https://github.com/openid/AppAuth-Android/blob/master/library/java/net/openid/appauth/AuthorizationServiceConfiguration.java#L169 with
JsonUtil.getUriIfDefined(json, KEY_REGISTRATION_ENDPOINT));
Implicit grant type supported?
Question:
As far as I can see from the documentation, the implicit grant type for OAuth 2.0 does not seem to be supported yet. Is my understanding correct?
AuthorizationService leaks an Activity due to a lingering service connection sometimes.
Use Application.ActivityLifecycleCallbacks to clean up the service connections in onStop. We can also investigate if we should use onPause.
Add tests that use the OpenID Connect RP Test Suite
Documentation is at https://dirg.org.umu.se/static/oictest/how_to_use_rp_test.html
The code is at https://github.com/rohe/oidctest/
Notes:
- Can only test RPs that can use OP configuration discovery information
- Path specifies behavior of test OP
- Uses IP address of RP as correlation handle for requests
- Logs at /log/
Support sending auth requests as a JWT using the "request" parameter
OpenID Connect Core 1.0, Section 6.0, request parameter:
OPTIONAL. This parameter enables OpenID Connect requests to be passed in a single, self-contained parameter and to be optionally signed and/or encrypted. The parameter value is a Request Object value, as specified in Section 6.1. It represents the request as a JWT whose Claims are the request parameters.
It will likely be preferable to support this as a flag on the authorization request object rather than a parameter in the conventional way.
Authorization Code retrieval from redirect URI
I'm trying to use the library in conjunction with a 3rd party OAuth provider. I'm having issues though trying to return the Authorization Code back from the RedirectUriReceiverActivity. I have 2 options the server provides: either use http://localhost as the redirect URI and the Authorization Code will be returned as a query parameter; or use urn:ietf:wg:oauth:2.0:oob as the redirect URI and receive the code inside the web browser title.
Now I have 2 questions:
- Are you going to add support for retrieving the Authorization Code from the browser title bar? I suppose not, but thought of asking anyway.
- When the OAuth server redirects the client to http://localhost, the browser obviously says "This site can't be reached", but the authorization service doesn't return the code to the calling app, it just keeps displaying the browser window. I've already added the URI scheme as shown in the sample code below. What seems to be the problem in this case?
Calling the authorization service:
Uri authUri = Uri.parse(URI_AUTH);
Uri redirectUri = Uri.parse("http://localhost");
Uri tokenUri = Uri.parse(URI_TOKEN);
AuthorizationServiceConfiguration authorizationServiceConfiguration =
        new AuthorizationServiceConfiguration(authUri, tokenUri);
AuthorizationRequest authorizationRequest = new AuthorizationRequest.Builder(
        authorizationServiceConfiguration,
        CLIENT_ID,
        AuthorizationRequest.RESPONSE_TYPE_CODE,
        redirectUri)
        .build();
AuthorizationService service = new AuthorizationService(context);
Intent postAuthIntent = new Intent(context, SignInActivity.class);
service.performAuthorizationRequest(
        authorizationRequest,
        PendingIntent.getActivity(context, authorizationRequest.hashCode(), postAuthIntent, 0));
URI scheme:
<activity android:name="net.openid.appauth.RedirectUriReceiverActivity">
    <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="localhost"/>
    </intent-filter>
</activity>
AuthorizationServiceConfiguration.fetchFromIssuer double escapes the well known configuration URL
AuthorizationServiceConfiguration.fetchFromIssuer("https://accounts.google.com") fails with the following Exception.
Caused by: java.io.FileNotFoundException: https://accounts.google.com/.well-known%2Fopenid-configuration
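A discovery-URL builder that avoids that double escaping, added here as plain-JDK example code rather than the library's fetchFromIssuer implementation (the DiscoveryUrl class name is an assumption), following OpenID Connect Discovery 1.0 section 4.1 including trailing-slash removal and the https/no-query rule for issuers:

```java
import java.net.URI;
import java.net.URISyntaxException;

public final class DiscoveryUrl {
    private static final String WELL_KNOWN_PATH = "/.well-known/openid-configuration";

    // OpenID Connect Discovery 1.0, section 4.1: the discovery document lives
    // at the issuer with "/.well-known/openid-configuration" appended, after
    // any terminating "/" of the issuer's path is removed. The path must be
    // appended as raw path text; passing it through a per-segment encoder
    // turns the inner "/" into "%2F" and the OP answers 404, which
    // HttpURLConnection surfaces as FileNotFoundException.
    public static URI discoveryUrl(String issuer) throws URISyntaxException {
        URI base = new URI(issuer);
        if (!"https".equalsIgnoreCase(base.getScheme()) || base.getRawAuthority() == null) {
            throw new URISyntaxException(issuer, "issuer must be an absolute https URL");
        }
        if (base.getRawQuery() != null || base.getRawFragment() != null) {
            throw new URISyntaxException(issuer, "issuer must not contain a query or fragment");
        }
        String path = base.getRawPath() == null ? "" : base.getRawPath();
        while (path.endsWith("/")) {
            path = path.substring(0, path.length() - 1);
        }
        return new URI(base.getScheme() + "://" + base.getRawAuthority() + path + WELL_KNOWN_PATH);
    }

    public static void main(String[] args) throws URISyntaxException {
        System.out.println(discoveryUrl("https://accounts.google.com"));
        System.out.println(discoveryUrl("https://accounts.google.com/"));
        // Constructed issuer with a path component, as realm-based OPs use.
        System.out.println(discoveryUrl("https://op.example.com/realms/demo/"));
        // Rejected: a query component is not allowed in an issuer identifier.
        try {
            discoveryUrl("https://op.example.com/?tenant=x");
        } catch (URISyntaxException e) {
            System.out.println("rejected: " + e.getReason());
        }
    }
}
```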
Detecting user initiated closing of the authorization flow.
Is there a way to determine if the user closed the authorization flow, either via the close button on the Chrome custom tab, or by hitting the Android back button?
I'm trying to implement a re-auth flow in case of token refresh failure. If that happens, I'd like the user to reauth and, if successful, stay where they are. If they close it themselves, I want to just close all the open activities in the app.
Can the code handle app process death while the user is in a web browser in front?
I should preface this by stating that I'm only looking at this library as sample code (for the "modernized" OAUTH flow), and have no plans to actually use it.
It's not apparent to me if the sample app and the library would be able to handle this scenario:
1 - User initiates approval flow (the initial stage where "this app would like to know your email, name, ...")
2 - The app makes a PendingIntent for TokenActivity and the library stores it in PendingIntentStore
3 - Chrome (or some other browser) comes up in front of the app, user starts interacting with it
4 - Android kills the app which is now in background (memory pressure, whatever). PendingIntentStore and everything in it is gone
5 - User finally presses "Agree", the browser fires the "custom scheme intent"
6 - Android creates a new process for the app and launches RedirectUriReceiverActivity
And now:
7 - PendingIntentStore will not have the original intent and getOriginalRequest inside RedirectUriReceiverActivity will return null and the subsequent logic for handling the authorization code will fail.
That is, unless I'm missing something and MainActivity (which was in front when Chrome with the authorization screen popped up) or something else is going to re-create the original pending intent and register it in PendingIntentStore before RedirectUriReceiverActivity needs to use it.
Another interesting case is the user changing the device's orientation while on the approval screen in the web browser. Then Android may destroy and re-create MainActivity and that, from looking at the code, will launch a whole new "flow" for approval.