Issue with Local App SSO
Sorry if the title is misleading, I'm not sure how to phrase this appropriately.
I have an app that launches a URL that is captured by another SSO app on the device. https://github.com/openid/AppAuth-Android/blob/master/library/java/net/openid/appauth/AuthorizationService.java#L383 that line, when the browser is set, is causing the URL to open in a browser instead of the SSO app on the device. If I comment out that line (or implement a config option to not set the package name) the URL opening functionality works as expected.
Have I misconfigured something, or is there another way around this without modifying the source?
Thanks!
Hi there,
I don't think you've misconfigured anything; this library has typically been focused on web-based OAuth2/OIDC flows, and we hadn't yet encountered any major players offering a native intercept that followed the same protocol. So, we had a blind spot to this eventuality and it looks like the current code does not make it easy for you to override the dispatch behavior to allow a non-browser app to act as the authorization service.
Out of interest, which IDP are you integrating with?
I think the simplest "fix" for now would be for you to add a variant of performAuthorizationRequest and prepareAuthorizationRequestIntent to which you supply a base Intent that is either completely untargeted, allowing the user to select which app to use, or targeted specifically to the native authorization app. The library would only modify that intent to supply the parameters (setData with the URI), and dispatch it via the AuthorizationManagementActivity as normal.
You may bump into other issues however depending on how this native app's activity handles the intent - the code in AuthorizationManagementActivity is tuned carefully for the behavior of custom tabs and may produce some unusual back-stack behavior if this implicit contract is violated.
I want to open the Strava app for authenticating. I came up with this approach:
```java
// Dispatch the authorization request to the Strava app when it is installed,
// otherwise fall back to the library's default (browser / Custom Tabs) intent.
// isPackageInstalled(...) and authRequest are defined elsewhere in the module.
AuthorizationService authService = new AuthorizationService(context, appAuthConfiguration);
Intent intent;
if (isPackageInstalled("com.strava", getReactApplicationContext().getPackageManager())) {
    // Target the native app explicitly with the authorization URI
    Intent authIntent = new Intent(Intent.ACTION_VIEW);
    authIntent.setData(authRequest.toUri());
    authIntent.setPackage("com.strava");
    // Wrap it so AppAuth's management activity still handles the result
    intent = AuthorizationManagementActivity
            .createStartForResultIntent(getReactApplicationContext(), authRequest, authIntent);
} else {
    intent = authService.getAuthorizationRequestIntent(authRequest);
}
startActivityForResult(intent, 0);
```
@r0b0t3d Thanks for the suggestion. Using that method, the SSO application does properly intercept the authorization request, however upon returning to the calling application AppAuth throws the error: No stored state - unable to handle response.
@jajmo is it related to #535?
@r0b0t3d It could be, but we're trying our best to do this without modifying the AppAuth source code. Our current development environment for the application we're working on includes a patch file to comment out the line of code referenced in the first issue comment.
Yep, the above approach does not require modifying the library. You could try to create another intent that matches the flow in the library without setting the package name:
```java
// Build the same Custom Tabs intent the library would use, but leave the
// package unset so the system (or the user) picks the handling app.
CustomTabsIntent customTabsIntent = authService.createCustomTabsIntentBuilder().build();
customTabsIntent.intent.setData(authRequest.toUri());
Intent intent = AuthorizationManagementActivity
        .createStartForResultIntent(getReactApplicationContext(), authRequest, customTabsIntent.intent);
startActivityForResult(intent, 0);
```
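The "supply a base Intent" approach suggested earlier in this thread, written out as a reusable helper. This is an added example, not code from AppAuth or from anyone in this thread; the class name `App2AppAuthorizer` and the `nativePackage` parameter are assumptions, and it adds a `resolveActivity` check so the request is only handed to a native app when some activity can actually receive it, falling back to the library's own Custom Tabs intent otherwise.

```java
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.net.Uri;
import net.openid.appauth.AuthorizationManagementActivity;
import net.openid.appauth.AuthorizationRequest;
import net.openid.appauth.AuthorizationService;

/**
 * Hypothetical helper (not part of AppAuth): dispatches an authorization request
 * to a native authorization app when one can handle it, otherwise uses the
 * library's default browser / Custom Tabs intent.
 */
public final class App2AppAuthorizer {
    private final Context context;
    private final AuthorizationService authService;

    public App2AppAuthorizer(Context context, AuthorizationService authService) {
        this.context = context.getApplicationContext();
        this.authService = authService;
    }

    /**
     * Builds the intent to pass to startActivityForResult. nativePackage may be
     * null to leave the intent untargeted so the user chooses the handling app.
     */
    public Intent buildAuthorizationIntent(AuthorizationRequest request, String nativePackage) {
        Uri requestUri = request.toUri();
        Intent base = new Intent(Intent.ACTION_VIEW, requestUri);
        if (nativePackage != null) {
            // Pin the intent to the expected native app's package name
            base.setPackage(nativePackage);
        }
        PackageManager pm = context.getPackageManager();
        if (pm.resolveActivity(base, 0) == null) {
            // Nothing on the device can receive this intent (e.g. the native app
            // is not installed), so use the library's normal dispatch path.
            return authService.getAuthorizationRequestIntent(request);
        }
        // Wrap the base intent so AuthorizationManagementActivity records the
        // pending request before launching it and can handle the returned result.
        // Note: that activity is tuned for Custom Tabs behaviour, so a native app
        // that handles the intent differently may still produce odd back-stack results.
        return AuthorizationManagementActivity.createStartForResultIntent(context, request, base);
    }
}
```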
Using that approach I get the same error, with the No stored state message.
@jajmo for info I think what you're talking about is referred to as 'app2app' or 'app to app' authentication/authorization; OpenID Foundation republished a blog post I wrote about this here:
https://openid.net/2019/10/21/guest-blog-implementing-app-to-app-authorisation-in-oauth2-openid-connect/
and I raised a PR to add support to iOS appauth there:
https://github.com/openid/AppAuth-iOS/pull/549
(It's widely used in the UK & EU when granting 3rd parties authorization to access your bank account data, for complex regulatory reasons.)
Unfortunately I'm not currently familiar enough with AppAuth on Android to offer any insight on solving your problem.