AppAuth-Android icon indicating copy to clipboard operation
AppAuth-Android copied to clipboard

Published 20 hours ago verified publisher icon openid

AppLink as Authorization Endpoint

Open DavDag opened this issue 3 years ago • 4 comments

Configuration

  • Version: 0.11.1
  • Integration: native with Kotlin
  • Identity provider: custom

Description

I'm trying to integrate the AppAuth authorization flow by replacing the default browser tab with a custom activity that handles login (& 2FA). The service configuration has two links:

AuthorizationServiceConfiguration(
    // authorization endpoint
    Uri.parse("https://oauth2.example.it/oauth/auth"),
    // token endpoint
    Uri.parse("https://oauth2.example.it/oauth/token"),
)

I've declared a working AppLink bound to the "authorization endpoint" inside the manifest but the authIntent created by the library contains a package specification that permits only to the selected app to open the intent.

The method that creates the intent is this, in particular, line 565:

intent.setPackage(mBrowser.packageName);

effectively disallowing AppLinks to work.

I'm not sure if the reason behind the implementation was relative to security or ease of use but the RFC 8252 has a section (7.2) which state:

[...] When the browser encounters a claimed URI, instead of the page being loaded in the browser, the native app is launched with the URI supplied as a launch parameter. [...]

Thus, it should not be against rules.

In the end, for now, I've found a dirty solution that changes the intent's content:

binding.button.setOnClickListener {
    val service = AuthorizationService(this, advancedConfiguration)
    val intent = service.getAuthorizationRequestIntent(authorizationRequest)
    //
    intent.extras?.apply {
        val i = getParcelable<Intent>(KEY_AUTH_INTENT) ?: return@apply
        i.setPackage(null)
        putParcelable(KEY_AUTH_INTENT, i)
    }
    //
    resultLauncher.launch(intent)
}

And I'm working at the LoginActivity to correctly integrate the flow (ex. by starting an intent to simulate the last redirect to the RedirectUriReceiverActivity).

Thanks in advice, Davide.

DavDag avatar Jun 30 '22 12:06 DavDag

Sorry to bother you. Any update on the question?

DavDag avatar Aug 31 '22 11:08 DavDag

Think you're on the right track, though you may be interested in this proposed change https://github.com/openid/AppAuth-Android/pull/622 While I did find the proposal good, I never spend the time to properly review it and integrate it. Your feedback on that PR would be appreciated, and if it works as expected maybe I can set aside some time and integrate it.

agologan avatar Sep 12 '22 18:09 agologan

I'll take the time to evaluate and test the proposal as soon as possible.

DavDag avatar Sep 15 '22 15:09 DavDag

Android contains an intent attribute named "autoVerify" that does exactly what the PR adds.

I do not know if reimplementing the mechanism is the right thing to do. If the PR's author (@fabian-hk) can help us, it would be appreciated.

I propose to integrate what the android developer site suggests.

from the link above:

Android App Links verification When android:autoVerify="true" is present in at least one of your app's intent filters, installing your app on a device that runs Android 6.0 (API level 23) or higher causes the system to automatically verify the hosts associated with the URLs in your app's intent filters.

Please, anyone able to improve my consideration or correct it should speak!

DavDag avatar Sep 16 '22 15:09 DavDag