Configuration
- Version: 0.11.1
- Integration: native with Kotlin
- Identity provider: custom
Description
I'm trying to integrate the AppAuth authorization flow by replacing the default browser tab with a custom activity that handles login (& 2FA). The service configuration has two links:
```kotlin
AuthorizationServiceConfiguration(
    // authorization endpoint
    Uri.parse("https://oauth2.example.it/oauth/auth"),
    // token endpoint
    Uri.parse("https://oauth2.example.it/oauth/token"),
)
```
I've declared a working AppLink bound to the "authorization endpoint" inside the manifest, but the authIntent created by the library contains a package specification that permits only the selected app to open the intent.
The method that creates the intent is this, in particular, line 565:
```java
intent.setPackage(mBrowser.packageName);
```
effectively preventing AppLinks from working.
I'm not sure if the reason behind the implementation was related to security or ease of use, but RFC 8252 has a section (7.2) which states:
[...] When the browser encounters a claimed URI, instead of the page being loaded in the browser, the native app is launched with the URI supplied as a launch parameter. [...]
Thus, it should not be against the rules.
In the end, for now, I've found a dirty solution that changes the intent's content:
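```kotlin
binding.button.setOnClickListener {
    val service = AuthorizationService(this, advancedConfiguration)
    val intent = service.getAuthorizationRequestIntent(authorizationRequest)
    // Workaround: take the nested auth intent out of the wrapper intent's extras
    // and clear its package restriction so an App Link handler can claim the URI.
    intent.extras?.apply {
        val i = getParcelable<Intent>(KEY_AUTH_INTENT) ?: return@apply
        i.setPackage(null)
        putParcelable(KEY_AUTH_INTENT, i)
    }
    // Launch the (modified) authorization flow.
    resultLauncher.launch(intent)
}
```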
And I'm working on the LoginActivity to correctly integrate the flow (e.g. by starting an intent to simulate the last redirect to the RedirectUriReceiverActivity).
Thanks in advance,
Davide.
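A narrower variant of the workaround above, as an added example that is not part of the original post and not AppAuth's own code: instead of clearing the package (which leaves an implicit intent that whichever app resolves for the URL may receive), it pins the nested auth intent to the calling app and checks that it resolves there, restoring the browser package otherwise. The function name `pinAuthIntentToOwnApp` is hypothetical, and `authIntentKey` is assumed to be the same `KEY_AUTH_INTENT` value the post uses.

```kotlin
import android.content.Context
import android.content.Intent
import android.content.pm.PackageManager

/**
 * Re-targets the nested authorization intent at this app's own App Link handler.
 * Returns true when the intent was pinned to our package, false when it was left
 * untouched (so the library's browser selection still applies).
 */
fun pinAuthIntentToOwnApp(
    context: Context,
    wrapper: Intent,          // result of getAuthorizationRequestIntent(...)
    authIntentKey: String     // assumption: the KEY_AUTH_INTENT value used in the post
): Boolean {
    val extras = wrapper.extras ?: return false
    val authIntent = extras.getParcelable<Intent>(authIntentKey) ?: return false

    // Remember the browser package chosen by the library so it can be restored.
    val browserPackage = authIntent.getPackage()

    // Explicit package: only activities inside this app may receive the request.
    authIntent.setPackage(context.packageName)

    // Confirm that one of our own activities really handles the authorization URI.
    val resolved = context.packageManager
        .resolveActivity(authIntent, PackageManager.MATCH_DEFAULT_ONLY)
    if (resolved?.activityInfo?.packageName != context.packageName) {
        // No in-app handler declared for this URI: fall back to the browser.
        authIntent.setPackage(browserPackage)
        return false
    }

    // Write the pinned intent back explicitly rather than relying on the copy
    // returned by Intent.getExtras() sharing the same object.
    wrapper.putExtra(authIntentKey, authIntent)
    return true
}
```

Call it on the intent returned by `getAuthorizationRequestIntent` before `resultLauncher.launch(intent)`; a `false` return means the request still goes to the browser the library selected.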