I'm trying to integrate my android mobile app with SAML authentication service.
I created a webview and call the provider url.
My webview is redirected to the auth form and I fill it with user and password but after that my webview is redirected to a page showing me the following error message:
"Unable to process request due to missing initial state. This may happen if browser sessionStorage is inaccessible or accidentally cleared."
I can't understand how to solve the issue and complete the authentication using the webviews.
I can't find a good example of this authentication using webviews or chrome custom tabs.
You need to enable session storage on the Android Mobile App.
See here on how to enable it: https://www.tutorialspoint.com/how-to-enable-web-view-session-storage-in-android
Related
We are having two application one is deployed in web and secured using msal now we have made another mobile app and we want to access that web application in android mobile app. After successfully authenticating android mobile app i launch web application. It again ask for sign in.
I tried to pass the MSAL Access token in header to webview where website url is loading but nothing changed it again requested for sign in.
Is there a way i can pass MSAL android access token to Web application and access it without again sign in request?
App is in development
Smartphone (please complete the following information):
Pixel
Android 11
-Chrome
2.0+
Stacktrace
No Stack trace.
To Reproduce
Login in mobile app. Open any web app which is msal secured in webview. Pass the access token. even after being part of sso that webapp is asking again sign in
Current State:
I am implementing oAuth Authentication for a flutter app running android and iOS.
For iOS my Authentication process works perfectly. I want to get the user prompted for his user certificate every login. Therefore I pass the parameter prompt=login when getting the authCode.
On Android the certificate is getting cached in the browser, so the authentication is triggered without selecting a certificate again. Even when sending the prompt=login parameter.
I have used a couple of libraries.
flutter_appauth
flutter inappwebview
oauth2
The main problem is that when I use a webview the browser doesnt bring up the cert picker.
When I use e.g. custom chrome tab like in appauth there is no possibility to clear the custom tabs cache or chromes cache on logout.
When I use system browser like in oauth2 library I have also no control over the cache.
I have also tried implementing java code to access the cookiemanager to clear cache, but this also only accesses webviews.
I have experienced when I kill the browser app after logout the cache is getting deleted and I get prompted again.
Any solution on how I can clear the cache on custom chrome tabs, system browser or implement the webview that it brings up the cert picker?
I have an ionic application which I'm developing and deploying on an android device. I'm using angular-auth-oidc-client for user authentication in the app. This is the configuration I have:
Note: The sts server and clientId are omitted for the sake of brevity and they are not relevant.
scope: 'openid profile tino_access',
silentRenewUrl: `${window.location.origin}/silent-renew.html`,
responseType: 'code',
postLogoutRedirectUri: window.location.origin,
silentRenew: true,
silentRenewUrl: `${window.location.origin}/silent-renew.html`,
logLevel: LogLevel.Warn,
postLoginRoute: window.location.origin,
useRefreshToken: true,
I know for sure everything is set up properly because when accessing my mobile app on a web page everything works fine and the authentication goes through properly.
However, when deploying on a mobile device (origin is localhost), after accessing the Keycloak login page and entering the login credentials correctly, there is a request made to the STS server which verifies the tokens. I need this to be sent out to the server, but I want my app to function on the localhost domain. If I set the redirectUrl correctly as the server, then it works but the app is no longer the local app, it is only a mirror of the webpage.
I can see this is some mechanism for storing and checking session tokens, but it's clear why it wouldn't work on a mobile device. Does anyone know of a possible solution/workaround?
Thanks
There are differences between web and mobile OAuth, summarized below:
Web UI logins use the same type of browser window on which normal views are rendered, using a HTTPS callback URL
Mobile app logins use a form of the system browser to trigger sign in, and often a Custom URL scheme is used to receive the response
Some tech stacks attempt to use the same solution for web and mobile. This might work in terms of rendering but it will not work in terms of OAuth. Instead, for a mobile app you need to follow the OAuth for Native apps guidance.
The mobile solution is usually called the AppAuth pattern. To get started with it on Android, maybe start with my Android AppAuth Sample Page.
I'm creating an Android app that has a WebView which accesses my website hosted using Firebase Hosting.
If I sign into the website using email/password credentials and then refresh or navigate to another page, Firebase loses my login information.
I tried to force Firebase to keep my credentials using firebase.auth().setPersistence(firebase.auth.Auth.Persistence.LOCAL) but it throws this error in the WebView console:
Uncaught Error: The current environment does not support the specified persistence type.
As a side note, I tried logging in on other services, such as YouTube and Google to see if it was a browser cache problem, but the session was persisted normally, even after I refreshed the page, navigated or reopened the Android app.
I also tested the Android app using the emulator (running Android 8.0) and a phone (Android 6.0).
Does somebody know what's going on here?
You need to enable DOM storage in your webview as Firebase Auth depends on web storage (localStorage/indexedDB) to store the Auth state.
webview.getSettings().setDomStorageEnabled(true);
Since this issue is about three technologies I'd like to quickly introduce each of them:
node.js: javascript on the server side (consider it my webserver)
PhoneGap: framework that allows me to write Android applications in HTML/Javascript/CSS.
facebook authentication: using everyauth to let my users login with their facebook account
The objective: I need my PhoneGap application to communicate with my server using a REST based protocol. Many of these requests may only be made when the user has logged in to my server, using their Facebook account. Thus, the user needs to login and then go to the logged in state of the PhoneGap application.
The issue: When I setup everyauth for facebook I basically have an URL, like domain.com/auth/facebook which will redirect to Facebook's login "popup". When the user then accepts the login, the server will know, and so far everything is good. The problem is that
the user now has to be redirected to some external URL, while he should simply get back to the PhoneGap application (in a logged-in state)
The PhoneGap app does not retrieve the authentication token, or whether authentication was successful or not, because the login process is done in the external URL domain.com/auth/facebook while the PhoneGap application's HTML is stored on and run from the phone itself
Cause of the issue: the reason this issue appears while it does not for a normal web application, is that the PhoneGap application's HTML files are stored and run from the phone itself while authentication goes through domain.com/auth/facebook, which is considered to be a different domain.
Suggested approach #1: a PhoneGap user has recommended me to use this Android-Facebook plugin for PhoneGap. The issue here is that the server does not act as an authentication middle-man. Thus, the user would have to inform the server of their authentication token instead of the normal approach where the server informs the user of a successful authentication procedure and the corresponding tokens. This seems like a severe vulnerability.
How should I tackle this issue?
With the ChildBrowser plug-in, a PhoneGap app can monitor location changes from the authentication site.
We used this approach to integrate a PhoneGap app with a node.js openid module
I have implemented one solution for Twitter using jsOauth and ChildBrowser (tut./src here) for a PhoneGap / Android app. I know this doesn't include custom registration with a nodejs server; it allows access to Twitter REST only. AFAIK this is the only way to do it currently, that is, have the child browser check each new location to see if it's your app's return-to url, then intervene (close browser window) and go to your own app.
With jsOauth library, the auth token key/secret are stored for you and sent with every request.
Re: security - No expertise here, but discussions conclude this kind of data on one's personal phone are no more at risk than everything else on the phone.
Tut. using PhoneGap / Android Facebook plugin in next on my list. Thanks for link to everyauth!