Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to handle OAuth URL callbacks with Intent filters if authentication is done with webview?

I am developing an app which uses OAuth for authentication but I have a little problem handling OAuth callbacks.

THE AUTHENTICATION

My app has a webview as the login screen and I am given a url to load the auth form in my webview. Let's say that the url is :

https://myoauthhost.com/oauth/auth?response_type=code&client_id=XXXXXXX&redirect_uri=YYYYYYYY&scope=ZZZZZZZZZZ

and in the auth activity (AuthActivity.java), I have the following :

    String authURL = https://myoauthhost.com/oauth/auth?response_type=code&client_id=XXXXXXX&redirect_uri=YYYYYYYY&scope=ZZZZZZZZZZ
    myWebView.loadUrl(authURL);

in the manifest.xml, I have the following for oauth callback handling :

<activity
            android:name=".AuthActivity"
            android:label="@string/app_name"
            android:screenOrientation="portrait" >

            <intent-filter>
                <action android:name="android.intent.action.VIEW" />

                <category android:name="android.intent.category.DEFAULT" />
                <category android:name="android.intent.category.BROWSABLE" />

                <data
                    android:host="authprovider"
                    android:scheme="auth" />
            </intent-filter>
</activity>

THE PROBLEM

This url when used in the webview (with loadURL() method) redirects to another url containing the REAL OAUTH WEB FROM (that should be loaded in the webview). The problem is that this redirection launches automatically the intent selection in Android : since the URL should be handled by a web browser, Android lets you choose one of the available web browser on the phone to open the url.

Since this is not what I want, I have to include the following code so that the redirection is handled within the webview but does not launch a web browser (or whatever) :

myWebView.setWebViewClient(new WebViewClient());

so with this code, the redirection is handled "within the webview" and I have the login screen displayed.

I can then enter the credentials (e.g : oauth via Twitter) but when the authentication is done, the call back is received but then the activity which is supposed to handle the callback (AuthActivity configured to receive callback in the manifest) is not launched. Instead, I have the webview displaying a message saying that the url callback (in our case : authprovider://auth/XXX?xxx=yyy as configured in the manifest) can not be found.

The reason may be that the following code :

myWebView.setWebViewClient(new WebViewClient());

introduced earlier, tells Android that the webview handles everything. So now, since the callback url is not a web url, it has trouble to handle it and can not even launch the intent which can handle it.

THE QUESTION

How can I solve this problem ? I should be able to let the activity handle the callback but not let the webview try to load it.

any help would be appreciated

thanks in advance

like image 425
kaffein Avatar asked Oct 01 '12 13:10

kaffein


People also ask

What is the use of callback URL in OAuth?

The callback URL typically specifies the URL of an app that is designated to receive an authorization code on behalf of the client app. In addition, this URL string is used for validation.

What is callback URL in authentication?

Callback URLs are the URLs that Auth0 invokes after the authentication process. Auth0 redirects back to this URL and appends additional parameters to it, including an access code which will be exchanged for an id_token , access_token and refresh_token .

How does OAuth callback work?

Your app subscribes to the changes of the web component, and when it detects the callback URL it takes the Authorization Token, destroy the web component, and calls the REST API to get an Access Token, and then access any protected resources.


1 Answers

First of all in your manifest, set these properties to your activity that launches the WebView

android:launchMode="singleInstance" 

and add an intent filter to that as

<intent-filter>
    <action android:name="android.intent.action.VIEW" />
    <category android:name="android.intent.category.DEFAULT" />
    <category android:name="android.intent.category.BROWSABLE" />
    <data android:scheme="oauth-testing" />
</intent-filter>

then in your code when the user clicks on the login button

mReqToken = mTwitter.getOAuthRequestToken(CALLBACK_URL);
WebView webView = new WebView(this);
webView.requestFocus(View.FOCUS_DOWN);
webView.setOnTouchListener(new View.OnTouchListener() {
    @Override
    public boolean onTouch(View v, MotionEvent event) {
        switch (event.getAction()) {
            case MotionEvent.ACTION_DOWN:
            case MotionEvent.ACTION_UP:
            if (!v.hasFocus()) {
                v.requestFocus();
            }
            break;
        }
        return false;
    }
});
webView.loadUrl(mReqToken.getAuthenticationURL());
mainLayout.removeAllViews();
mainLayout.addView(webView);

Here the callback url is
private static final String CALLBACK_URL = "oauth-testing:///";
and you are creating a dynamic webview and displaying to the user. And after logging in the webview is closed and the code comes to the onNewIntent(). You need to implement your functionality after logging in there.

@Override
protected void onNewIntent(Intent intent) {
    super.onNewIntent(intent);
    dealWithTwitterResponse(intent);
}  
private void dealWithTwitterResponse(Intent intent) {
    Uri uri = intent.getData();
    System.out.println("URI=" + uri);
    if (uri != null && uri.toString().startsWith(CALLBACK_URL)) {
        String oauthVerifier = uri.getQueryParameter("oauth_verifier");
        authoriseNewUser(oauthVerifier);
    }
}

I know I have added a lot of code snippet, some of which might not be relevant, but i hope it will help someone someday.

like image 148
Antrromet Avatar answered Oct 11 '22 03:10

Antrromet