How to Avoid "Full Action with" OAuth Callback Popups from Google?

I play with OpenID Connect and OAuth, and I want to support several OpenID providers (therefore not only those that are known by AccountManager). However, I ran into this problem.

When you authenticate Google as an installed application, you pass the callback address that is predefined (from Google) to http://localhost. So, I start the OAuth thread by redirecting the Google endpoint as follows:

    String url = "https://accounts.google.com/o/oauth2/auth"
            + "?scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email"
            + "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.profile"
            + "&state=%2F"
            + "&redirect_uri=http%3A%2F%2Flocalhost%3A9999"
            + "&response_type=code"
            + "&client_id=000000000000000.apps.googleusercontent.com";
    Intent i = new Intent(Intent.ACTION_VIEW);
    i.setData(Uri.parse(url));
    startActivity(i);

Note that I pass redirect_uri as needed (port 9999, which is allowed). I registered an application to respond to this type of download address as follows:

 <data android:scheme="http" android:host="localhost" android:port="9999" /> 

However, this forces the system to display the "Full action with" dialog:

So, since there is nothing on the phone's port 9999, if the user selects a browser, the error page will be displayed by the browser and the entire authentication flow will be disrupted.

How can I avoid this?

+4
3 answers

Try making the redirect URL a different scheme, for example app://localhost. All browsers are registered as handlers for http and https, so part of the problem is not solvable. If, however, the redirect URL may have a non-standard scheme, your problem will be easily resolved. Create your own scheme and use it (there are many applications for this, Facebook has fb:// links).

+1

Authenticate to the WebView shown directly in your application.

Here is a brief example of how you load the OAuth page and how you detect when the browser tries to redirect your oauth callback. At this point, just grab the token and close the login activity or dialog.

Thus, you do not need to register your application to process the scheme or port, since an external web browser is not used.

    webView = findViewById(R.id.wv);
    webView.setWebViewClient(new WebViewClient() {
        final String cb = "http://your_oauth_callback_uri";

        @Override
        public void onPageStarted(WebView view, String url, Bitmap favicon) {
            // The provider is redirecting to the callback: stop loading and read the result.
            if (url.startsWith(cb)) {
                view.stopLoading();
                Uri uri = Uri.parse(url);
                String token = uri.getQueryParameter("oauth_token");
                // TODO do whatever you need with token
            }
        }
    });
    // uri here is the OAuth page URL (a String defined elsewhere in the activity)
    webView.loadUrl(uri);

You must do the rest: activity, layout, etc.

Note: this code is taken from my OAuth 1 application, but it should work with your case as well, except that the returned oauth_token parameter may have a different name.

0

There is no easy way; Android does not allow one activity to make itself preferable to another to process a given intent, it is always the user's choice. You should use AccountManager or WebView for such an input stream, and not the browser (see here). Google is unlikely to be the only OpenID provider that prohibits the use of arbitrary URL schemes as callbacks; I can imagine some vague security reasons for this.

Android users generally expect you to use the AccountManager; it is a familiar interface used by many trusted applications. Even if you send them to the browser for work, I suspect that many less technical users will find this surprising and will be concerned about it anyway, although they have the theoretical comfort of the chrome / etc browser that you mention.

If you really want it to work using a browser, you will actually need to run a small HTTP server on a random port number and use this port as a callback (the way the installed OpenID application works should work); not impossible, but not trivial.

0
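
The loopback approach from the last answer (a small HTTP server on a random port used as the callback), as an added example in plain JDK Java; it is not code from any of the posts. The class and method names and the CONSTRUCTED_CODE value are hypothetical, the browser side is simulated by a local socket so the block runs offline, and a random `state` checked on return replaces the question's constant `state=%2F`.

```java
import static java.nio.charset.StandardCharsets.*;
import java.io.*;
import java.net.*;
import java.security.*;
import java.util.*;
// Added illustration; class and method names are hypothetical, not from the page.
public class LoopbackCallback {
    // Fresh, unguessable state per sign-in (the question's URL sends a constant state=%2F).
    static String newState() {
        byte[] b = new byte[16];
        new SecureRandom().nextBytes(b);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(b);
    }
    // Returns the code from "GET /?code=..&state=.. HTTP/1.1", or null if the request is rejected.
    static String codeFrom(String requestLine, String expectedState) throws IOException {
        String[] parts = requestLine == null ? new String[0] : requestLine.split(" ");
        if (parts.length < 2 || !parts[0].equals("GET")) return null;
        int q = parts[1].indexOf('?');
        Map<String, String> p = new HashMap<>();
        try {
            for (String kv : (q < 0 ? "" : parts[1].substring(q + 1)).split("&")) {
                int i = kv.indexOf('=');
                if (i > 0) p.put(kv.substring(0, i), URLDecoder.decode(kv.substring(i + 1), "UTF-8"));
            }
        } catch (IllegalArgumentException e) { return null; } // malformed %-escape
        // Constant-time compare: a missing or wrong state means this is not our redirect.
        byte[] got = p.getOrDefault("state", "").getBytes(UTF_8);
        if (!MessageDigest.isEqual(got, expectedState.getBytes(UTF_8))) return null;
        return p.containsKey("error") ? null : p.get("code");
    }
    public static void main(String[] args) throws IOException {
        String state = newState();
        // Port 0: the OS picks a free port. Loopback bind: not reachable from other hosts.
        try (ServerSocket server = new ServerSocket(0, 1, InetAddress.getLoopbackAddress())) {
            server.setSoTimeout(120_000); // give up if the user abandons the sign-in
            System.out.println("redirect_uri=http://localhost:" + server.getLocalPort() + " state=" + state);
            // Constructed stand-in for the browser following the provider's redirect.
            try (Socket browser = new Socket(server.getInetAddress(), server.getLocalPort());
                 Socket conn = server.accept()) {
                String req = "GET /?code=CONSTRUCTED_CODE&state=" + state + " HTTP/1.1\r\n\r\n";
                browser.getOutputStream().write(req.getBytes(US_ASCII));
                String line = new BufferedReader(
                        new InputStreamReader(conn.getInputStream(), US_ASCII)).readLine();
                String code = codeFrom(line, state);
                conn.getOutputStream().write("HTTP/1.1 200 OK\r\n\r\nDone.".getBytes(US_ASCII));
                System.out.println(code != null ? "accepted code " + code : "rejected callback");
            }
        }
    }
}
```

Any local process can connect to the listening port, which is why the listener accepts a single request and returns a code only when the `state` it generated comes back unchanged.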

Source: https://habr.com/ru/post/1484639/

