
Android example for Instagram

Open nikthakkar opened this issue 8 years ago • 3 comments

It would be great if we can have an example build for an Android app so that the best practices are followed in implementing other OAuth providers. Thanks.

nikthakkar, Jun 16 '17 06:06

To do this the server side code is already implemented. See this part of the code for the auth redirect: https://github.com/firebase/custom-auth-samples/blob/master/instagram/app.js#L119-L126

And this for the code exchange https://github.com/firebase/custom-auth-samples/blob/master/instagram/app.js#L133-L148

Basically the Android/iOS native app has to follow this flow:

  1. Generate a random cryptographic nonce and save it to memory to check later.
  2. Send the user to the /instagram-mobile-redirect?state=<nonce> URL of the server (use the nonce generated in step 1) in a Chrome Custom Tab (or equivalent in iOS).
  3. In the browser, the user is redirected to the Instagram sign-in page and is asked to grant access to your app. Once the user has gone through the auth flow (he granted or denied access to the app), he is redirected to a custom scheme URI instagram-sign-in-demo://instagram-mobile-callback?code=<code>&state=<nonce>. The app needs to intercept this URI (i.e. in Android, add an intent filter for incoming links with the custom scheme URI) and read the code and state URL parameter values.

    PS: you should change the custom scheme on this line to have your own.

  4. Check that the nonce in the state parameter equals the one saved in memory at step 1 to avoid session fixation attacks.
  5. Send an HTTP request to /instagram-mobile-exchange-code?code=<code>; this will return the Firebase custom auth token that you can use to sign in your user to Firebase.

nicolasgarnier, Dec 01 '17 14:12

@bojeil-google in case he has anything else to add or other techniques he wants to discuss.

nicolasgarnier, Dec 01 '17 14:12

Seems reasonable. A few recommendations:

  1. Consider hashing the nonce when sending it to the Instagram auth endpoint and store the plain version on the app.
  2. At the end of the flow, pass the plain stored version. On the token endpoint, you would hash it and compare it with the one returned from Instagram. This makes it harder for an app that intercepts the initial redirect to get the original nonce.

On Android, consider using FDL (Firebase Dynamic Links) links to redirect back to the app for additional security, as custom schemes in Android are less secure: they don't have the controlled and regulated ecosystem that Apple has, and any app can claim a custom scheme.

bojeil-google, Dec 01 '17 17:12