We have an application for embedded Android-based device, it uses WebView and inside it we use Google OAuth 2 to login to the app. Unfortunately Google will soon block OAuth 2 inside WebView, and we have lots of restrictions:
The device doesn't have Google Services installed, so probably no 'official' way of logging in would work (or maybe any of them would work without Google Services?)
We can't just invoke Android browser to do login, because it shows address bar, which would allow the user to surf the internet, which we can't allow
We don't fully control the software installed on the device: can't install Google Services, update Android version, install Google Chrome, etc..., we can just update our app.
What else could we do having those restrictions?
Implementation through a browser:
1) Register custom URI scheme (How to implement my very own URI scheme on Android), for example, app-oauth2://
2) Make access request in user's browser
https://accounts.google.com/o/oauth2/v2/auth?
scope=...
access_type=offline&
include_granted_scopes=true&
state=state_parameter_passthrough_value&
redirect_uri=http://example.com/oauth2-handler&
response_type=code&
client_id=...
3) If user accept or denied requested rights in the confirmation dialog, it will be redirected to redirect_uri (http://example.com/oauth2-handler) with some params
4) On the side of redirect_uri handler (http://example.com/oauth2-handler), mare a redirect to custom URI scheme with params:
Success: app-oauth2://?state=state_parameter_passthrough_value&code=...&scope=...#
Failure: app-oauth2://?error=access_denied&state=state_parameter_passthrough_value#
5) In your app you can parse URI scheme app-oauth2:// from option 4 and receive the code for future usage or error for displaying to the user.
As per the problems on your side it would be best to open an Intent from within the App targeted towards the sign in Weburl [this won't trigger up address bar link]
Refer to this stackOverflow page
how to open "Add a Google Account" activity using intent?
now you may use Shared preferences to store the Authentication data for further logins [ if the requirements of the app permits it.]
https://developer.android.com/reference/android/content/SharedPreferences.html
You need to use OAuth Web services for implementing a solution based on your needs.
Reference link: https://developers.google.com/+/web/api/rest/oauth
Here is a sample github project that is using OAuth 2 web service for logging into Twitter. You can take help from it for consuming the Google's OAuth2 web services in your Android Application.
Repository link:
https://github.com/sathify/tagpulse
Web service consumption screen link:
https://github.com/sathify/tagpulse/blob/master/android/src/tag/pulse/main.java
I hope this helps.
There is a library that supports Android 1.5 and higher for Google OAuth 2:
Sample code found here:
https://github.com/google/google-api-java-client-samples/blob/master/oauth2-cmdline-sample/src/main/java/com/google/api/services/samples/oauth2/cmdline/OAuth2Sample.java
Related
I'm trying to setup deep links from a Facebook Ad to an app that I do not own (Shopee). Shopee does not provide any facility/guides to deep-link to them at the moment. I've tested that the app has properly setup deep linking on Android, i.e. clicking the link https://shopee.ph/Korean-Mini-Cute-Sling-Bag-i.30650129.2385916193 on Slack or Gmail properly opens the Shopee app.
Is it possible to make deep links work on Facebook for apps that you do not own? So far, I've tried doing the steps detailed in https://developers.facebook.com/docs/app-ads/deep-linking/. However, I don't know where to get some of the platform settings needed by Facebook:
iOS
Bundle ID - where can I get this?
iPhone Store ID - Seems this can be easily taken when visiting the app store. I can get some of the details from https://shopee.ph/apple-app-site-association as well.
iPad Store ID - Similar to iPhone Store ID I guess.
Shared Secret - I'm someone who has no experience with iOS and Android programming. I'm afraid this setting is something that I couldn't get?
Android
Google Play Package Name - Should be com.shopee.ph
Class Name - I think this can be known by going through the app's apk/files
Key Hashes - Can this be taken from the app's apk/files as well?
I tried compromising by linking the Facebook ad to my website that has deeplinks. But clicking the links will just redirect Facebook's webview to the product's web info rather than opening the app.
I guess this question boils down to whether it's possible to get the app's Shared Secret for iOS and the Key Hashes for Android.
Any response will help me go to the right path or end the path altogether. Thanks.
Sorry, but if you don't own the app then you shouldn't possess shared secret and key hash of the app.
Shared Secret and Key hashes both are something that is very specific to the app created. It is mostly controlled by the app owner in case you need it you have to get that transferred from the app owner. But I doubt anybody will do that.
Also, this is some kind of hack that you are doing this should be definitely avoided without permission from the app owner.
If you are the owner then for
- Android you can try this url.
Have you tried with Android Intents? They can directly link to an app (including deeplink information). Of course you wouldn't now if its installed through adds beforehand. Firebase Dynamic Links solves that problem where you can decide to link to website or Play/App Store as fallback. They also open the native app from facebook browser (and others) and use Android Intents under the hood.
Think you can't use Firebase Dynamic Links for an app you don't own. But if redirecting to your own website is an option maybe you can implement a similar mechanic.
Here is the chrome documentation for Android Intents:
https://developer.chrome.com/multidevice/android/intents
Adjust also has a summary article about deep linking, covering Intents and iOS:
https://www.adjust.com/blog/dive-into-deeplinking/
As your expected behavior to open app but now it will just redirect Facebook's web view to the product's web. Unfortunately it is not currently possible to directly launch a third-party app from within the iOS Facebook app. This is a known issue that Facebook has essentially written off as wontfix. This is still possible in the Android Facebook app, but it's unfortunate they haven't been more transparent about the change to the iOS version because there is quite a bit of confusion about it.
But you cna do the same thing using services like Branch.io get around this by implementing a judicious combination of App Links, URI schemes, and iOS Universal Links. Essentially what you need to do is open a page in the webview and then have a button or other user-driven CTA event that launches the app from there. It's an extra step for the user, but currently the best workaround. If you just want to be able to post a link that goes into your app when it is installed and otherwise goes to a webpage (or the App/Play Store), then Branch links are definitely your simplest solution.
The code works properly from dev portal of microsoft. But can anyone please tell me how it should behave in following use case
Consider two apps: App1 and App2
I have developed same code and installed both apps simultaneously
App1 as launched first will ask me credentials for the webview. Thats fine. as I have not cache or already logged in till date.
Once I log in successfully, The apps works properly as auto login
Now when I open App2, it still throws me Login page. Ideally it should take cache of App1 and auto login.
Please note: I have provided same 'shared id' in both apps in manifest
Please let me know about thus as i am stuck with internal Single Sign on issue since long
I see you have tagged the question with ADAL, so I'll assume that's the library you're using. ADAL uses webviews to prompt for sign in. Webviews in Android do not share much state between apps, and are pretty much completely sandboxes (isolated and do not share session cookies, etc).
Now, you most definitely can achieve SSO for Android using ADAL, you have 2 options:
Brokered SSO
Using a broker application, like the Microsoft Authenticator, the end user basically signs in here such that they're able to maintain a session inside the Broker's sandbox. This allows any app that signs in Azure AD users to share state. The article linked above explains how to enable your app to use the broker.
Non-Brokered SSO
You can configure SSO between all of the apps you own. This means an end user will get SSO between App 1, App 2, App N, but not necessarily another App in the Azure AD ecosystem. The article linked above explains how to enable your app to use non-brokered SSO.
Bonus Option: v2 with MSAL
I said earlier ADAL uses webviews for sign in, there's another way to do it that the Microsoft Authentication Library (MSAL) supports using the system's browser. Quite simply, this uses the Chrome or a Chrome custom tab browser on the device rather than the in-app webview. Then, the session cookie is set on the global browser so any app that also uses the browser (or if the end user has used the browser natively to sign in) will get SSO. The stipulation here is MSAL works against the Azure AD v2.0 endpoint which has some limitations, but also supports some sign in with Microsoft Accounts (*.outlook, *.live, etc) out of the box.
If you're interested in trying v2 + MSAL, I recommend trying the Android Guided Walkthrough which walks you through how to build an app that calls the Microsoft Graph.
Google's decision to disallow oauth via webview is causing me huge amounts of trouble. It's been a long and difficult process migrating to an alternative (I'm using the suggested AppAuth library at the moment) and I'm getting user complaints about not being able to link accounts without also adding them to chrome/their device (which as far as I can tell is now impossible without somehow forcing a private browsing session). My latest problem involves google oauth to sign into another service. Here's the scenario:
A user wants to link a 3rd party service to my application. Their account on the third party service is linked to a google account. To auth with this third party service, they must sign into their google account. The problem is that the 3rd party service only allows http:// scheme redirect URI's for their oauth, so the flow looks something like this:
User is in my app on their android device
User clicks a button to link their thirdparty account with my app
Using the appauth library, I launch a browser or custom tab with the oauth URL's for the 3rd party, let's just call it http://thirdparty.com/oauth
From that page, the user clicks a "sign in to google" button, which triggers the google oauth flow, which they then follow to provide their google account token to thirdparty
User approves access to my app with thirdparty now that thirdparty has validated their google account
thirdparty redirects to the registered redirect_uri which is then opened in the browser tab instead of redirecting back to my application.
The problem is step 6 here. Because I am required to register an http:// scheme redirect URI, the browser tab attempts to load the webpage directly, even if I have registered my app to handle that particular url. Now if it wasn't required for users to be able to sign in with google, I could easily just do this whole flow in a webview and manually trap the redirect, grabbing the token, but because thirdparty allows users to link their google account, I can't use a webview because google will block users from performing google auth in a webview, so I am forced to pass off to an app or browser tab that I don't have control over and am dependent on that behaving properly (which it often doesn't)
I did plenty of searching and it looks like App Links would solve my problem by registering my app as the primary handler for a link, but that only works in Android 6.0+, which is higher than my device minimum, so I'm at a loss as to what I'm supposed to do here.
My constraints are:
oauth redirect must be an HTTP scheme (required by thirdparty)
I cannot auth in a webview (required by google)
I need my auth redirect to launch my application in order to collect the token
I need the solution to work for all devices on android 5.0+
I have not found a single solution to this problem through hours of searching, and I have found no way to get in touch with the google oauth team to learn what their suggestions are.
Has anyone found a way to do have an http:// link launch an application without prompting the user and without requiring android 6.0?
If you have control over the redirect URI, you can set your application to listen for it using a custom Intent Handler. This is essentially a form of Deep Linking, and should work with Android 5+, (in 6 you can even set your app as the default!).
For the data, you will most likely need to use the URI itself. But that shouldn't be too hard assuming you have control of the re-direct.
I'm trying to link from Facebook pages and posts directly to my app. I want the link to open in the Google Play application on Android devices.
Ever since Facebook started using an internal browser for links, links to https://play.google.com/details?id= and https://play.google.com/store/apps/details?id= from Facebook do not trigger the Play application, and are handled by the internal browser.
How can I bypass the internal browser and cause the Play application to catch the URL?
Thanks
Normally you would need to use the following protocol:
market://details?id=PACKAGE_NAME
But Facebook doesn't recognize this as a valid link. Only thing that comes to my mind is placing the above link behind an URL redirecting service. The problem is that most of these services don't allow to shorten links that do not begin with http. I've found a service that allows for custom protocols in the link, it's: http://bit.do/
Of course you could also create your own redirecting website if you have a place to host it.
As #k-m-Śliwiński has atated, we need to use the market:// scheme to fire up Play.
This is problematic for several reasons:
Facebook does not recognize this as a link.
URL shortening and redirection services do not recognize this as a link, so a device specific link (via smarturl.it for example) can not be issues.
The rare URL shortening services that do allow this are considered dangerous by Facebook and are blocked by it.
I ended up setting up a redirect (301) HTML webpage, storing it on one of my servers and creating a valid http:// URL pointing to it.
I've used the 301 Redirect Code Generator in the process.
My android app is designed to fetch calendars and events from Google. I downloaded Google API v3 and followed the example from official tutorial. In the tutorial, it uses Account Manager to do authorisation for android, which means user can directly pickup an account already set on android device to get authorisation done.
startActivityForResult(CalendarHelper.getInstance().credential.newChooseAccountIntent(), REQUEST_ACCOUNT_PICKER);
The code runs good, but I don't want authorisation this way. I prefer the way that start a webview and open an url which lead user to a login page, after he login and accept the permissions, the taken will be returned to access calendar data, just like the Google API in iOS.
I understand the workflow of OAuth 2.0, but I can't find any sample code on android to do authorisation the way I described above.
Can any one help?
You could try adding approval_prompt=force in your HTTP request that you make while looking for access tokens. This parameter ensures that the user has to log in/provide credentials every time the app is run.
Quoting from Google's documentation.
"If the value is force, then the user sees a consent page even if they
have previously given consent to your application for a given set of
scopes."