Android task/back stack issue causing communication issues between AuthorizationManagementActivity and RedirectUriReceiverActivity
Checklist:
- [x] I am using the latest release
- [x] I searched for existing GitHub issues
- [x] I read the documentation
- [x] I verified the client configuration matches the information in the identity provider (or I am using dynamic client registration)
- [x] I am either using a custom URI scheme or `https` with App Links for client redirect.
- [ ] I can reproduce the issue in the demo app (optional)
Configuration
- Version: 0.11.1
- Integration: native Java
- Identity provider: Google
Issue Description
I ran into a situation where I have two activities, A and B, in separate tasks (A and B). When I try to start using AppAuth from Activity A to request an auth code, some AppAuth activities are launched on task B, so I ended up landing on Activity B after finishing login. If I use performAuthorizationRequest() with the application context, everything is launched on task B. If I use startActivityForResult(), only the RedirectUriReceiverActivity is launched on task B. Moreover, somehow activities launched with Intent.FLAG_ACTIVITY_NEW_TASK get launched on my Activity B due to my app setup.
I've tried using the same custom taskAffinity for AuthorizationManagementActivity and RedirectUriReceiverActivity. It did work, but a custom taskAffinity has the security flaw of task hijacking, so it's not an option.
Ideally, I want to start the AuthorizationManagementActivity in a standalone task "C", do everything in there, and return to the last task once login has finished. I tried using an empty taskAffinity to force AuthorizationManagementActivity to start on a task "C". The Chrome custom tab did get launched in C, but the RedirectUriReceiverActivity gets launched on task B. However, since RedirectUriReceiverActivity is not on task C, it fails to deliver the redirect URI to AuthorizationManagementActivity.
Digging further into the AppAuth code, I found that RedirectUriReceiverActivity MUST deliver an intent to the already-running AuthorizationManagementActivity for it to work properly, but the current implementation doesn't seem to guarantee that in all circumstances, given that the host app may have various taskAffinity/launchMode setups.
I've tried experimenting with using a BroadcastReceiver for communicating between these activities, and it seems to work well and achieve my goal. RedirectUriReceiverActivity can be started on another task "D", which can successfully communicate back to AuthorizationManagementActivity via broadcast.
Hi @xxyzzzq, can you please share your implementation for the broadcast receiver?
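A sketch of the broadcast hand-off the issue describes, added here as an example; it is not the reporter's implementation and not AppAuth code. The class names, `ACTION_REDIRECT` and `EXTRA_URI` are assumptions. The broadcast is scoped to the app's own package and the receiver is registered as not exported, so the redirect URI is not visible to other apps and other apps cannot inject one.

```java
// Added sketch, not AppAuth code: class names, ACTION_REDIRECT and EXTRA_URI are hypothetical.
import android.app.Activity;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.net.Uri;
import android.os.Bundle;
import androidx.core.content.ContextCompat;

public final class BroadcastRedirect {
    static final String ACTION_REDIRECT = "com.example.app.AUTH_REDIRECT"; // constructed value
    static final String EXTRA_URI = "redirect_uri";                        // constructed value

    /** Receives the redirect URI in whatever task Android picks, then hands it off. */
    public static class ReceiverActivity extends Activity {
        @Override protected void onCreate(Bundle state) {
            super.onCreate(state);
            Uri redirect = getIntent().getData();
            if (redirect != null) {
                sendBroadcast(new Intent(ACTION_REDIRECT)
                        .setPackage(getPackageName())   // delivered only inside this app
                        .putExtra(EXTRA_URI, redirect));
            }
            finish(); // no UI; the task this activity landed in no longer matters
        }
    }

    /** Stays alive behind the browser tab and waits for the broadcast. */
    public static class ManagementActivity extends Activity {
        private final BroadcastReceiver redirectReceiver = new BroadcastReceiver() {
            @Override public void onReceive(Context ctx, Intent intent) {
                Uri redirect = intent.getParcelableExtra(EXTRA_URI);
                if (redirect == null) return;
                setResult(RESULT_OK, new Intent().setData(redirect)); // caller parses the response
                finish();
            }
        };

        @Override protected void onCreate(Bundle state) {
            super.onCreate(state);
            // Register in onCreate, not onResume: this activity is stopped while the tab is open.
            ContextCompat.registerReceiver(this, redirectReceiver,
                    new IntentFilter(ACTION_REDIRECT), ContextCompat.RECEIVER_NOT_EXPORTED);
        }

        @Override protected void onDestroy() {
            unregisterReceiver(redirectReceiver);
            super.onDestroy();
        }
    }
}
```

A dynamically registered receiver only exists while the app process is alive, so if the process is killed while the browser tab is in the foreground the broadcast is lost and the flow has to be restarted.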