Authorization Code retrieval from redirect URI #71

Closed
bogdanzurac opened this issue May 3, 2016 · 9 comments


bogdanzurac commented May 3, 2016

I'm trying to use the library in conjunction with a 3rd party OAuth provider. I'm having issues though trying to return the Authorization Code back from the RedirectUriReceiverActivity. I have 2 options the server provides: either use http://localhost as the redirect URI and the Authorization Code will be returned as a query parameter; or use urn:ietf:wg:oauth:2.0:oob as the redirect URI and receive the code inside the web browser title.

Now I have 2 questions:

  1. Are you going to add support for retrieving the Authorization Code from the browser title bar? I suppose not, but thought of asking anyway.
  2. When the OAuth server redirects the client to http://localhost, the browser obviously says "This site can't be reached", but the authorization service doesn't return the code to the calling app, it just keeps displaying the browser window. I've already added the URI scheme as shown in the sample code below. What seems to be the problem in this case?

Calling the authorization service:

// Endpoints of the provider; URI_AUTH and URI_TOKEN are constants in the app
Uri authUri = Uri.parse(URI_AUTH);
// Redirect URI the provider offers (the loopback form, returned as a query parameter)
Uri redirectUri = Uri.parse("http://localhost");
Uri tokenUri = Uri.parse(URI_TOKEN);
AuthorizationServiceConfiguration authorizationServiceConfiguration =
        new AuthorizationServiceConfiguration(authUri, tokenUri);
// Authorization code flow (response_type=code) for CLIENT_ID
AuthorizationRequest authorizationRequest = new AuthorizationRequest.Builder(
        authorizationServiceConfiguration,
        CLIENT_ID,
        AuthorizationRequest.RESPONSE_TYPE_CODE,
        redirectUri)
        .build();
AuthorizationService service = new AuthorizationService(context);
// SignInActivity is started with the authorization response once the redirect is captured
Intent postAuthIntent = new Intent(context, SignInActivity.class);
service.performAuthorizationRequest(
        authorizationRequest,
        PendingIntent.getActivity(context, authorizationRequest.hashCode(), postAuthIntent, 0));

URI scheme:

<activity android:name="net.openid.appauth.RedirectUriReceiverActivity">
      <intent-filter>
           <action android:name="android.intent.action.VIEW"/>
           <category android:name="android.intent.category.DEFAULT"/>
           <category android:name="android.intent.category.BROWSABLE"/>
           <data android:scheme="localhost"/>
      </intent-filter>
</activity>
@WilliamDenniss
Member

Unfortunately, neither of those options work for mobile apps with in-app browser tabs on Android or iOS. The browser title bar (urn:ietf:wg:oauth:2.0:oob) is a real hack to be honest, that relies on you using either a WebView or have access to the title bar of the browser (e.g. on some versions of Windows).

http://localhost assumes you can start a server, which is a legitimate approach for some desktop apps, but not really on mobile.

Who is the OAuth provider? Perhaps we can reach out to request they add custom URI scheme redirect support? I've already gone through those steps with some providers, and it can be very easy for them to implement if they are willing.

Alternately, as a workaround you may need to host a HTTPS page somewhere to get the redirect from this provider, and then pass it on to your app.

@bogdanzurac
Author

@WilliamDenniss thanks a lot for answering with a detailed post, this is really helpful.

I was thinking the same on both approaches, but it's nice to have a confirmation of my presumptions. Concerning the OAuth provider, it's a client of ours which provides the OAuth server only for their own apps as far as I've understood, so it isn't a public API per se. I will however let them know about these concerns in order for them to have a proper URI scheme implementation put in place.

Now just to confirm, if in the code example above I use:
Uri redirectUri = Uri.parse("com.example.app");
and
<data android:scheme="com.example.app"/>
Chrome (or other browser) should return the authorization code as soon as the redirect uri is returned (initial URL redirected) from the OAuth server, without any other app side changes, correct?

@tikurahul
Collaborator

@bogdanzurac FWIW, you can adb port forward your server running on localhost on a mobile device. That might be a good way to get access to your local web server. You can find more information here.

@WilliamDenniss
Member

@bogdanzurac correct. If you can register a redirect URI with the custom scheme at your provider, it should work as you described (app will get authorization response as an intent). That would be my recommendation, hopefully it's possible to make this minor modification to the authorization server.

The other option is to register an https redirect of your own, which serves a 302 to a custom URI scheme for your app, preserving the query parameters. This is less desirable as it kind of "works around" the intent of the authorization server, but some people use it as a fallback.
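The https-to-custom-scheme hop described in the comment above, as an added example in Python (not AppAuth code, and not something any participant posted). It assumes a relay page at https://auth-relay.example.com/callback registered as the redirect_uri at the provider, and an app whose RedirectUriReceiverActivity accepts com.example.app:/oauth2redirect; note that the custom-scheme URI must contain the ':' delimiter, since a bare com.example.app has no scheme. The destination is hard-coded so the relay cannot be used as an open redirector, only the authorization-response parameters defined by RFC 6749 are copied, and a response without state is refused.

```python
"""Relay an OAuth 2.0 authorization response from an https:// redirect URI to an
app's custom-scheme URI, preserving the query parameters.

Added example, not AppAuth code. Assumed names: https://auth-relay.example.com/callback
is the redirect_uri registered at the provider; com.example.app:/oauth2redirect is
the URI the app's intent filter handles.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit

# Fixed destination: the relay never takes the target from the request, so it
# cannot be abused to send someone's code to a different app or site.
APP_REDIRECT_URI = "com.example.app:/oauth2redirect"

# Parameters an authorization response may carry (RFC 6749 sections 4.1.2 and 4.1.2.1).
ALLOWED_PARAMS = frozenset({"code", "state", "error", "error_description", "error_uri"})


def build_app_redirect(request_url: str) -> str:
    """Return the Location value for a 302 that forwards the response to the app.

    Only known authorization-response parameters are copied; anything else the
    provider (or someone hitting the relay directly) appended is dropped.
    Raises ValueError when the response carries no state, because the app has
    no way to bind such a response to a request it actually started.
    """
    query = parse_qsl(urlsplit(request_url).query, keep_blank_values=True)
    forwarded = [(k, v) for k, v in query if k in ALLOWED_PARAMS]
    if not any(k == "state" for k, _ in forwarded):
        raise ValueError("authorization response lacks state")
    return APP_REDIRECT_URI + "?" + urlencode(forwarded)


def wsgi_app(environ, start_response):
    """Minimal WSGI handler: GET /callback?... -> 302 to the app's custom-scheme URI."""
    url = ("https://" + environ.get("HTTP_HOST", "auth-relay.example.com")
           + environ.get("PATH_INFO", "/") + "?" + environ.get("QUERY_STRING", ""))
    try:
        location = build_app_redirect(url)
    except ValueError as exc:
        start_response("400 Bad Request", [("Content-Type", "text/plain")])
        return [str(exc).encode()]
    # no-store: the code in the Location header must not end up in a shared cache
    start_response("302 Found", [("Location", location), ("Cache-Control", "no-store")])
    return [b""]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8000, wsgi_app).serve_forever()
```

The relay is a trusted hop only in the sense that it cannot be redirected elsewhere; anyone can still request it directly with parameters of their choosing, so the app must verify state against its pending request exactly as it would for a direct redirect (AppAuth does this for responses delivered through RedirectUriReceiverActivity).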


hy9be commented Aug 9, 2016

@bogdanzurac Did that work for you?

I tried
Uri redirectUri = Uri.parse("com.example.app"); and data android:scheme="com.example.app"

But the custom tab says: "invalid parameter value for redirect_uri: Missing scheme"

@bogdanzurac
Author

bogdanzurac commented Aug 9, 2016

@hy9be I couldn't switch to a custom URI scheme because the client is a corporation and well... you know how big ass corporations move in regards to changing things... I've been told they will actually consider switching to the new standard, but not so soon. Oh well...

Concerning what I did implement, was the localhost version inside a plain WebView + listening when a URL starting with "localhost" is being loaded. Not pretty, obviously, but hey, what can I do.

@hy9be

hy9be commented Aug 9, 2016

@bogdanzurac Got it. Totally understood the "corporation" part.

@nicktgn

nicktgn commented Oct 17, 2018

@bogdanzurac I have exactly the same issue as you did. Could you, please, provide some more details on the implementation of what you've described in your last comment? Would really appreciate some help. Thanks.

@bogdanzurac
Author

Just use a standard WebView with an extended WebViewClient that overrides onPageFinished(), which checks if the url returned startsWith "http://localhost". That means the OAuth process has finished and returned the authorization code inside the URL param. It's not really much to it.
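What the WebViewClient check described above needs to do with each URL it sees, as an added example written in Python rather than Android Java so it runs stand-alone (it is not the poster's implementation and not AppAuth code). It assumes the registered redirect URI is http://localhost and that the app generated the state value it sent with the authorization request. Two checks are worth adding to a plain startsWith("http://localhost") test: compare scheme, host and path exactly, because http://localhost.attacker.example/ and http://localhost@evil.example/ both start with that prefix, and compare the returned state with the pending request before accepting the code.

```python
"""Extract the authorization code from an intercepted redirect URL.

Added example, not AppAuth code and not the original poster's: the validation a
redirect interceptor (a WebViewClient, for instance) should run on the URL it
sees. Assumed values: registered redirect URI http://localhost, and a state value
the app generated before opening the authorization URL.
"""
import hmac
from urllib.parse import parse_qs, urlsplit


class AuthorizationError(Exception):
    """The provider returned an error response (e.g. access_denied)."""


def is_redirect_uri(url: str, registered: str) -> bool:
    """Exact match on scheme, host, port and path.

    A prefix check such as url.startswith("http://localhost") would also accept
    http://localhost.attacker.example/ and http://localhost@evil.example/.
    """
    seen, want = urlsplit(url), urlsplit(registered)
    return (seen.scheme, seen.hostname, seen.port, seen.path or "/") == \
           (want.scheme, want.hostname, want.port, want.path or "/")


def parse_authorization_response(url: str, registered_redirect: str, expected_state: str):
    """Return the authorization code, or None if the URL is not the redirect URI.

    Raises AuthorizationError for a provider error response and ValueError for a
    missing or mismatched state, i.e. a response not bound to a request this app
    started (someone could navigate the WebView to such a URL deliberately).
    """
    if not is_redirect_uri(url, registered_redirect):
        return None  # some other page in the login flow; let it load
    params = parse_qs(urlsplit(url).query)
    state = params.get("state", [None])[0]
    if state is None or not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state missing or does not match the pending request")
    if "error" in params:
        raise AuthorizationError(params["error"][0])
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one code parameter")
    return codes[0]
```

In the Android client this logic belongs in shouldOverrideUrlLoading rather than onPageFinished, so the WebView never attempts to load the loopback URL at all. RFC 8252 (OAuth 2.0 for Native Apps) asks native apps not to use embedded user-agents for the authorization request, which is why AppAuth drives the system browser or a custom tab instead of offering a WebView; the code above only reduces the risk of the fallback, it does not remove the reasons for that recommendation.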
