Android example for Instagram #8

Open
nikthakkar opened this issue Jun 16, 2017 · 3 comments

Comments

@nikthakkar

It would be great if we could have an example build for an Android app so that best practices are followed in implementing other OAuth providers.
Thanks.

@nicolasgarnier
Contributor

To do this, the server-side code is already implemented. See this part of the code for the auth redirect:
https://github.com/firebase/custom-auth-samples/blob/master/instagram/app.js#L119-L126

And this for the code exchange:
https://github.com/firebase/custom-auth-samples/blob/master/instagram/app.js#L133-L148

Basically the Android/iOS native app has to follow this flow:

  1. Generate a random cryptographic nonce and save it to memory to check later.
  2. Send the user to the /instagram-mobile-redirect?state=<nonce> URL of the server (use the nonce generated in step 1) in a Chrome Custom Tab (or the equivalent on iOS).
  3. In the browser, the user is redirected to the Instagram sign-in page and is asked to grant access to your app. Once the user has gone through the auth flow (he granted or denied access to the app), he is redirected to the custom scheme URI instagram-sign-in-demo://instagram-mobile-callback?code=<code>&state=<nonce>. The app needs to intercept this URI (i.e. on Android, add an intent filter for incoming links with the custom scheme URI) and read the code and state URL parameter values.

    PS: you should change the custom scheme on this line to your own.

  4. Check that the nonce in the state parameter equals the one saved in memory at step 1 to avoid session fixation attacks.
  5. Send an HTTP request to /instagram-mobile-exchange-code?code=<code>; this will return the Firebase custom auth token that you can use to sign your user in to Firebase.

@nicolasgarnier
Contributor

@bojeil-google in case he has anything else to add or other techniques he wants to discuss.

@bojeil-google

Seems reasonable. A few recommendations:

  1. Consider hashing the nonce when sending it to the Instagram auth endpoint and storing the plain version in the app.
  2. At the end of the flow, pass the plain stored version. On the token endpoint, you would hash it and compare it with the one returned from Instagram. This makes it harder for an app that intercepts the initial redirect to get the original nonce.

On Android, consider using FDL (Firebase Dynamic Links) to redirect back to the app for additional security. Custom schemes on Android are less secure, since they don't have the controlled and regulated ecosystem that Apple has, and any app can claim a custom scheme.
