I am trying to build an android application using Flutter to help my Local Committee find statistics quickly and filter through by using this API I can grab the data I need from EXPA but it requires an access token.
I have been trying for the past three weeks to find the right parameters and the correct URL to send in the HTTP request to get the access token but I never seemed to succeed.
Using the Chrome Dev tool I have learnt that the access token could be acquired from one of the requests sent/received while logging in
I have tried using the webview_flutter with the hope of regenerating those requests and intercept them to be able to grab the access token but for some reasons the widget doesn't return all the requests and the one holding the access token is one of them.
using onNavigationRequest and checking the request headers/body for the access token doesn't seem to work, the specific request I have shown in the image is for some reasons not captured here.
I have also tried the flutter_webview_plugin using the onStateChanged and the onUrlChanged streams but never seemed able to fetch all the requests just like the Dev Tool is able to.
How can I intercept every single HTTP request going through my android app? It's not necessarily to use the widgets I mentioned above, those were my attempts to reproduce the requests I saw in the Dev tool but I couldn't find the one I was looking for.
Related
Please forgive my (perhaps naive) question, I am still a beginner!
I have a website on asp.net core that is essentially a CRUD website. There are some Razor pages and some controllers. When the user is logged in, they can create and update the data they own (through javascript and said controllers).
Login is organised via Cognito's built-in UI. I redirect the user to it with the [Authorize] attribute on certain controller actions. The token (I think this is what it's called?) coming from Cognito is automatically stored in the browser cookie and is passed between the browser and the backend (controllers and Razor pages). In the backend controllers and Razor pages, I have very convenient methods like User.IsAuthenticated(), and can get claims and fetch cognito:username and similar fields.
The website is working well enough.
I am now working on native mobile apps (Android and iOS), and I am wondering how to deal with authorisation in them as well. I want the user to have the same experience in the mobile app as on the website: they would log into the mobile app and see and edit the data they created earlier on the website, and vice versa. I'm not sure how to implement this correctly. I see several options:
Option 1. Use the AWS amplify framework in the apps. I am sure it will work nicely; but how will I then pass the token to my backend controllers? Asp.net core needs it to build this User object, I understand. I think asp.net core stores it in the cookie appropriately named .AspNetCore.Cookies, but I'm not sure as to its format and whether it'll stay stable in the next releases?..
I'm currently reading about JWT bearer tokens, maybe that's the thing that should be used instead of .AspNetCore.Cookies?..
Option 2. I could "pretend" that the mobile app is the same as the browser and send exactly the same requests as my web frontend does. I suppose this sounds very complex - I'd need to store cookies, follow redirects (to the cognito built-in ui, for example) - I don't know if there is a built-in mechanism? However, in this case the app doesn't have anything to do with cognito, talks only with my backend, and is just following redirects. AppAuth states that Authorizing the user occurs via the user's web browser, so perhaps it can be used here?
Perhaps there are other options that I overlooked; I'm almost sure there is a simple solution I just can't see at the moment. Sorry it's all over the place, this is a very new topic for me. Thank you in advance!
I'm stuck with a Not allowed to load local resource: file:///android_asset/www/index.html?code=[code]&state=[state] when the Authentication API, using OpenID Connect standard, is trying to redirect to my local Android application.
When I launch my application, if I am not connected yet, a redirection is performed to an Authentication API which asks for the user credentials. Then, if the credentials were good, the API will perform another redirection to the redirectUri passed in the first redirection (as a query parameter). This redirectUri is the previous file:///android_asset/www/index.html.
I don't know how to configure my app/phone to let a remote application (the Authentication API) redirect to my app after a successful authentication.
There are a couple of options available to accomplish this. Looking at the ones suggested in OAuth 2.0 specification, more specifically the ones assuming an external user-agent.
External user-agent - the native application can capture the response from the authorization server using a (1) redirection URI with a scheme registered with the operating system to invoke the client as the handler, (2) manual copy-and-paste of the credentials, (3) running a local web server, (4) installing a user-agent extension, or by (5) providing a redirection URI identifying a server-hosted resource under the client's control, which in turn makes the response available to the native application.
Option 1:
You configure a redirect using a custom scheme that your Android application registered, this way your application gets called when an external user-agent, the browser, receives a response indicating a redirect to your scheme. Given, there a few Android applications out there :), the scheme should be pretty unique. A recommendation is to use the reverse domain name notation for a domain you own, for example if you owned "app.example.com" the scheme could be "com.example.app".
Option 2:
You redirect somewhere that just shows a pretty page with the code and ask the user to input it manually in your application.
Option 3:
Your application starts a local web server and you configure the redirect to be something along the lines http://localhost:[port]/. Here you there might be issues with port conflicts if multiple applications decide to use the same one.
Option 4:
By installing a user-agent extension you would have code running with the browser and that could communicate the code automatically to your applications, more for desktop scenarios.
Option 5:
You configure a redirection URI that points to some server-side code you host and that your client Android application is aware of so that it can grab the code from that URL.
for much more information on this topic, check: OAuth 2.0 for Native Apps
As a final note, using the file URL scheme will not be an option. Additionally, if you don't want to go full server-side on the options that require some logic on the server, you can accomplish the same using much less lines of code by writing something as a Webtask (be sure to use a custom domain).
Disclosure: I'm an Auth0 engineer.
I have an Android client that needs to request information from my server (using retrofit). The information on my server is updated randomly and can be updated at any moment and I am limited by the fact that I am not allowed to use cloud technologies, everything is to be self hosted. Does this prevent me from using GCM and Firebase? If so, are there more elegant solutions other than calling GET every second in the background?
I am creating an Android app to a page I have on Facebook.
In this app I will show the latest posts (via the Graph API) and some extra data.
I want that the app will give notification when a new post is added to the page in Facebook, is there any way of doing it?
I am new to Android development but I thought that if there is no such option in Facebook API perhaps I can run my app as a service and check the posts regularly and every time I detect a new post my app will give a notification. Will this work? will the user be able to stop me from doing it?
Thanks
Check out the Real-Time Updates feature of the API, https://developers.facebook.com/docs/graph-api/real-time-updates/v2.4:
“The Graph API has a feature called 'Real Time Updates' that enables apps to subscribe to changes in certain pieces of data. When a change occurs, an HTTP 'POST' request will be sent to a callback URL belonging to that app. This makes apps more efficient, as they know exactly when a change has happened, and don't need to rely on continuous or even periodic Graph API requests when changes aren't happening.”
(You will need a server-side component to be able to use those though.)
I have a backend server, and want to provide an SDK for connecting to that backend server. The sdk is going to be built for iOS and Android and will ship as a library separate for those platforms.
The problem is I want to make sure that the requests are sent only using the sdk that I provide. Basically everybody knows that it is possible to monitor WEB requests using proxy applications like Fiddler or Charles proxy. And it is possible to usurp the requests and send those requests manually as many times as one wants.
For my scenario should be made impossible. So I need a way to identify in the backend that the request that I've received is for sure sent from my sdk. How can I achieve this?
EDIT1:
I can guess something like digipasses may be used. For instance when I log into my bank account I get one time password and log in. But that is based on time, and I can not count on the time of device. May be we can reuse the concept.
Thanks for answers!