Don't know a lot about Okta and Android. Does anyone know of a good tutorial which shows how to wire an android application into the Okta framework. Or do I implement a SAML SSO implementation and then Okta is associated to that? Any code examples appreciated - especially one showing Android implementation of generic SSO, if such a thing exists.
OK, alot of ground to cover here and some of the work I did not do. But the basic idea is that on the server side (we use .Net) we created a SAML communication layer using "kentor". I did not work with this, but idea is software communicating the the client's Identity Provider (IDP) for SSO (Okta for example). The IDP client usually has to provide XML meta data which has security info and ultimately a URL, and you provide them with your SSO xml meta data (sorry, I did not work on that part!).
Basically from there it is pretty straight forward on the Android side. The bottom line is that the above interaction results in a url that the SSO client provides that you will use on the Android side to create a webview, which will allow them to enter their login information for verification.
We have the URL hardcoded since we create a white label product specifically for the customer (you will see that as Constants.SINGLE_SIGNON_URL below) but there is nothing that stops you from passing the URL back after a customer passes a Organization Code for SSO in (we are working on that now). In other words you store the URL or generate the URL based on which customer and then return that when the device passes you an Organizatioal Code. The URL is actually to your server, which redirects to the IDP (Okta) login page for SSO. This is because the response from OKTA needs to go to your server where ultimately it will be sent back by redirect to your webview. We used the cookies to then store the resulting username to allow the normal login process. Probably a lot of different ways to do that, and Okta even provides a native mobile device capability, but the customer has to support that.
Here is a diagram that hopefully will spell out some high level pieces of this:
The code only covers 1), 2) and 5) in the above diagram. 1) Is pretty obvious the call to the WebView. 2) is really the call to the Constants.SINGLE_SIGNON_URLwhich hits your server, which should redirect to the IDP page. When the user logs in there, it get sent back to your Service (SP) and is redirected back to your WebView. Again, we stored something in the cookie to pull out to continue our normal login.
One key is to realize that the WebView's shouldOverrideUrlLoading() is called several times. Ignore all of those except the one that sends back your server's URL, at which point you pull out the data you need (in our case the login info that the server had verified). This is seen in the call GlobalState.getInstance().currentUserName = getCookieValue("_username" ,cookies);
Probably not explaining this very well (and it has been a month or so!). Here is a sample of the SSOActivity where most of the work is done:
public class SSOActivity extends Activity {
WebView webView;
private Button mCancel;
private Button mReset;
/**
* Grabs the specified variables out of the list of cookies
*
* #param fieldName
* #param cookies
* #return
*/
public String getCookieValue(String fieldName, final String cookies){
String CookieValue = null;
String[] cookiessplit = cookies.split(";");
for (String str : cookiessplit ) {
if(str.contains(fieldName)) {
String[] value=str.split("=");
CookieValue = value[1];
break;
}
}
return CookieValue;
}
public void clearCookies() {
try {
android.webkit.CookieManager cookieManager = CookieManager.getInstance();
cookieManager.removeAllCookie();
}
catch (Exception ex)
{
Utilities.logException(ex);
Utilities.logError("SSOActivity", "clearCookies() : " + ex.getMessage() );
}
}
/**
* Cancels the SSO request in Webview
*
* #param view
*/
public void cancelSSOClick (View view) {
Utilities.logInfo("cancelSSOClick", "Cancel SSO click");
setResult(Activity.RESULT_CANCELED, null);
SSOActivity.this.finish();
}
/**
* Resets and deletes cookies and SSOUrl if one exists
*
* #param view
*/
public void resetSSOClick (View view) {
Utilities.logInfo("resetSSOClick", "Cancel SSO click");
setResult(Activity.RESULT_CANCELED, null);
clearCookies();
SSOActivity.this.finish();
}
#Override
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setResult(Activity.RESULT_OK, null);
// Setup the web view. It will redirect to SSO site for login
requestWindowFeature(Window.FEATURE_NO_TITLE);
setContentView(R.layout.activity_sso);
mCancel = (Button)findViewById(R.id.cancelSSO);
mCancel.setTextColor(Color.WHITE);
mReset = (Button)findViewById(R.id.resetSSO);
mReset.setTextColor(Color.WHITE);
webView = (WebView) findViewById(R.id.ssoViewer);
webView.getSettings().setJavaScriptEnabled(true);
webView.getSettings().setSupportZoom(false);
webView.setWebViewClient(new WebViewClient() {
#Override
public boolean shouldOverrideUrlLoading (WebView view, String url) {
try {
// If coming from our system, then we need to check the cookie for username password, for
// some SSO this might be different than the base url. Check for both
if (url.equals(Constants.getBaseUrl()) || url.equals(Constants.SSO_RETURN_URL)) {
CookieManager cookieManager = CookieManager.getInstance();
final String cookies = cookieManager.getCookie(url);
GlobalState.getInstance().currentUserName = getCookieValue("_username" ,cookies);
SSOActivity.this.finish();
return true;
}
}
catch (Exception ex) {
GlobalState.getInstance().currentUserName = "";
GlobalState.getInstance().currentPassword = "";
setResult(Activity.RESULT_CANCELED, null);
SSOActivity.this.finish();
}
return false;
}
});
try {
webView.loadUrl(Constants.SINGLE_SIGNON_URL);
}
catch (Exception ex) {
Utilities.logException(ex);
Utilities.logError("SSOActivity", "onCreate(), webView.loadUrl(ssoUrl) : " + ex.getMessage() );
}
}
}
Here is an example of the XML supporting the Activity:
<RelativeLayout xmlns:android="http://schemas.android.com/apk/res/android"
xmlns:tools="http://schemas.android.com/tools"
android:id="#+id/ssoViewerLayout"
android:layout_width="match_parent"
android:layout_height="match_parent" >
<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
xmlns:tools="http://schemas.android.com/tools"
android:id="#+id/button_layout"
android:layout_width="match_parent"
android:orientation="horizontal"
android:layout_height="wrap_content"
android:gravity="center|bottom"
android:layout_alignParentBottom="true">
<Button
android:id="#+id/cancelSSO"
android:layout_marginTop="16dp"
android:layout_width="125dp"
android:layout_height="55dp"
android:layout_margin="5dp"
android:onClick="cancelSSOClick"
android:text="Cancel Login"
android:background="#drawable/button_login" />
<Button
android:id="#+id/resetSSO"
android:layout_marginTop="16dp"
android:layout_width="125dp"
android:layout_height="55dp"
android:layout_margin="5dp"
android:onClick="resetSSOClick"
android:text="Reset SSO"
android:background="#drawable/button_login"/>
</LinearLayout>
<WebView
android:id="#+id/ssoViewer"
android:layout_width="fill_parent"
android:layout_height="fill_parent"
android:layout_above="#id/button_layout" />
</RelativeLayout>
Calling it else where in the code looks like this:
Intent viewIntent = new Intent(getActivity(), SSOActivity.class);
(getActivity()).startActivityForResult(viewIntent, Constants.SINGLE_SIGN_ON);
And finally what you should see:
Hope this helps!
Related
I've been developing hybrid apps for many companies with mobile websites.
And as a matter of fact, there are some websites made with using jsp.
I already had the knowledge that iframes and javascripts xhr requests will not fire webViewClient's shouldOverrideUrlLoading override function. I'm fine with that.
But today I learned that SOME actions such as:
JSP Page Redirects
Link Clicks within a JSP page
JSP/JS induced URL Loads
will not ALWAYS fire this function.
Hence, shouldOverrideUrlLoading() does not fire, when the webView is asked to load a page that it cannot load(i.e. "intent://...",) it shows an error page.
Has anyone encountered this kind of behaviour and is there any solution to work around it ?
Below is the code I'm using to invoke activities, where urls with 'intent:' protocol (which will fail because this function never gets called when above actions are performed)
#Override
public boolean shouldOverrideUrlLoading(WebView view, String url) {
// ... omitted ...
if ( url.startsWith("intent:") ) {
Intent intent = null;
try {
intent = Intent.parseUri(url, Intent.URI_INTENT_SCHEME);
// The following flags launch the app outside the current app
intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK | Intent.FLAG_ACTIVITY_SINGLE_TOP);
try {
getActivity().startActivity(intent);
} catch (ActivityNotFoundException e) {
e.printStackTrace();
}
} catch (URISyntaxException e) {
e.printStackTrace();
}
return true;
}
}
ps. please notice that every other websites' page loads will perfectly call shouldOverrideUrlLoading().
I couldn't find any JSP related bugs on android webViews so I'm asking one.
ps. I am happily willing to provide sample websites that some gracious readers will try on.. but the website's written in Korean so I doubt it will help.
Thank you!
Your problem might not related to JSP, the real problem may be shouldOverrideUrlLoading() itself. In this case, using shouldOverrideUrlLoading() may not be a good idea, so why not try another perspective?
I've encountered many problems when using
shouldOverrideUrlLoading() loading XmlHttpRequest. At the end, I
came up with the idea using onProgressChanged() and it solved all
my problems. I've written a similar answer here.
I tried adding your code into my own webview project and tested it with some JSP sites, and looks like it always work. I also added loadUrl() after other activities are invoked, so after pressing the back button, the loading error page will not be displayed again. So try this one :
First declare a global variable to store last URL.
String strLastUrl = null;
Then override onProgressChanged(WebView view, int progress)
mWebView.setWebChromeClient(new MyWebChromeClient(){
#Override
public void onProgressChanged(WebView view, int progress) {
if (progress == 100) {
//A fully loaded url will come here
String StrNewUrl = view.getUrl();
if(TextUtils.equals(StrNewUrl,strLastUrl)){
//same page was reloaded, not doing anything
}else{
String strOldUrl = null;
//save old url to variable strOldUrl before overwriting it
strOldURL = strLastUrl;
//a new page was loaded,overwrite this new url to variable
strLastUrl = StrNewUrl;
if ( strLastUrl.startsWith("intent:") ) {
Log.d("TAG", "intent triggered");
Intent intent = null;
try {
intent = Intent.parseUri(strLastUrl, Intent.URI_INTENT_SCHEME);
// The following flags launch the app outside the current app
intent.setFlags(Intent.FLAG_ACTIVITY_NEW_TASK | Intent.FLAG_ACTIVITY_SINGLE_TOP);
try {
startActivity(intent);
} catch (ActivityNotFoundException e) {
e.printStackTrace();
}
//reload the page before invoking other activities
view.loadUrl(strOldURL);
} catch (URISyntaxException e) {
e.printStackTrace();
}
}
}
}
super.onProgressChanged(view, progress);
}
});
Okay so I am creating a twitter clone, the only problem I am having right now is that the callback URL is getting me back to the app but instead giving me a page not found error.
I saw some similar questions here in stackoverflow and followed the steps.
I am getting the Authentication URL using the code:
public String beginAuthorization(){
try{
if(null==currentRequestToken){
currentRequestToken = twitter.getOAuthRequestToken(TWITTER_CALLBACK_URL);
}
return currentRequestToken.getAuthenticationURL();
}catch (TwitterException te){
te.printStackTrace();
}
return null; }
Next I am retrieving the Access Token using the code:
public void setAccessToken(Uri uri) {
if (uri != null && uri.toString().startsWith(TWITTER_CALLBACK_URL)) {
String verifier = uri.getQueryParameter("oauth_token");
try {
AccessToken accessToken = twitter.getOAuthAccessToken(app.currentRequestToken, verifier);
//shared prefs
SharedPreferences.Editor e = yambaSharedPrefs.edit();
e.putString(PREF_KEY_OAUTH_TOKEN, accessToken.getToken());
e.putString(PREF_KEY_OAUTH_SECRET, accessToken.getTokenSecret());
//store log in status
e.putBoolean(PrefSharedTwitterLoggedIn, true);
e.apply();
Intent intent = new Intent(this, StatusActivity.class);
startActivity(intent);
} catch (TwitterException e) {
e.printStackTrace();
}
} }
My Callback URL looks like this:
public static final String OAUTH_CALLBACK_SCHEME = "twitter4j-MiYAMBA";public static final String OAUTH_CALLBACK_HOST = "callback";public static final String TWITTER_CALLBACK_URL = OAUTH_CALLBACK_SCHEME + "://" + OAUTH_CALLBACK_HOST;
I have also added the callback URL in the intent filter, like:
data android:host="callback" android:scheme="twitter4j-MiYAMBA"
Now I am not sure where the problem might be.
Also here is how the control flows through out the app:
StatusActivity is launched when the app is run, it checks if AccessToken are set or not using a function isAuthorised() which is defined in an Android application class named YAMBAapp, if it is defined then it begins the setup of layout, that is making buttons and stuff visible else it passes the control to a function beginAuthorization(), which starts an Activity named AuthorizationActivity, which gets the Authentication URL and passes it to the WebView, all of this is done in the function onResume, in this function I call another function setAccessToken and pass the 'uri' that has has data using:
uri = getIntent().getData();
setAccessToken(uri);
I have pasted the code for setAccessToken above.
Also in the manifest I have defined the "data" item in the intent filter of "AuthorizationActivity" and not the "StatusActivity", though it has no effect what so ever.
Please help, I really am stuck for few days now :)
First thing first, when you launch twitter authentication using default web browser, you will never return back to your main application, once access tokens are received and hence page not found, as url being invalid.
What you need is to load authenticaton using a web view through your own app, now you can override few functioanlities here like when being redirected. here you need to do final processing and terminate web view, which will result into control coming back to your own application rather then seeing page not found in browser.
Example: Here is how you oveerride an webview mechanism, now you create an actvity with theme like dialog or whatever, and load this webview in it with twitter auth url, once user authtenticate himself shouldOverrideUrlLoading will be called, here you retrive back verifier and quit..
webView.setWebViewClient( new WebViewClient()
{
#Override
public boolean shouldOverrideUrlLoading(WebView view, String url)
{
// your url pattern here
if( url.contains("callback://twitter4j-MiYAMBA"))
{
Uri uri = Uri.parse( url );
// you get the verifier here
String oauthVerifier = uri.getQueryParameter( "oauth_verifier" );
// Do whateever u want here
..oauthVerifier.
//
// Finish this task, so you return back to activity from where it started
finish();
return true;
}
return false;
}
});
I guess this would be enough to finish rest of implementation. more info here '
http://daiwei.lu/2014/01/22/twitter-oauth-flow-on-android/
In Android i have a webview that lead to an google authentication form. When the authentication form is loaded in the webview it will call onReceivedLoginRequest:
public void onReceivedLoginRequest(final AuthenticationWebView client, final WebView view, final String realm,
final String account, final String args) {
...
}
When this method is called i get the Accounts stored on the device and let the user choose one and use that one to retrieve an authtoken:
mAccountManager.getAuthToken(account, mAuthToken, null, mWebViewActivity, this, null);
It all works perfectly fine (i think) and the next step looks good also:
final String result = bundle.getResult().getString(AccountManager.KEY_AUTHTOKEN);
if (result != null) {
// authentication succeeded, new url given as result for redirection
mWebView.loadUrl(result);
} else {
onLoginFailed();
}
A new method is called and returns the new url for redirection which i load in the webview. The result String returns a new adress which looks good but does nothing, it doens't log in but i don't get any message error either from the webview.
Url:
https://accounts.google.com/MergeSession?args=..&uberauth=WILL_NOT_SIGN_IN&source=AndroidWebLogin
I modified the url a bit with (triple)dots, don't know how secure it is and it was not such an interesting part of the url.
Anyone know why the url will not redirect me to the website behind it? When i use this url in my browser it recognizes my account, i only have to fill in my password and it redirects me correctly.
I use a native Android webview and i inject it with javascript but this only happens on the page after the login.
The settings i added to the webview are:
mSettings = getSettings();
mSettings.setJavaScriptEnabled(true);
mSettings.setDomStorageEnabled(true);
mSettings.setAllowFileAccess(true);
mSettings.setGeolocationEnabled(true);
I'm working on making a browser as a hybrid app using worklight framework for Android. I implemented my address bar as an input element which received the user input and pass the arguments to the webview to load the page.
However, I cannot figure out how to do the reverse: whenever the user click on a link in webview, I want the address bar to change to the new location.
Are you implementing a native page that is opened? If so, take a look at ChildBrowser, that basically does the same thing. It has a TextView being used as an address bar. You may decide to use it, or get the bits and pieces you want out of it. Regardless, I would image what you want to do something like this. By overriding the onLoadResource in the WebViewClient, you should be able to grab the url and change your TextBox.
In response to the comment below: inside your environment's main js file in the wlEnvInit() function:
function wlEnvInit(){
wlCommonInit();
// Environment initialization code goes here
document.onclick=manageLinks;
}
Then in this function get the url and set the text of your input element:
function manageLinks(event) {
var link = event.target;
//go up the family tree until we find the A tag
while (link && link.tagName != 'A') {
link = link.parentNode;
}
if (link) {
var url = link.href;
console.log("url = " + url);
//You can decide if you want to separate external or
//internal links, depending on your application
var linkIsExternal = ((url.indexOf('http://') == 0) || (url.indexOf('https://') == 0));
if (linkIsExternal) {
myInput.setText(url);
return false;
}
}
return true;
}
Inside of your WebView, inside the plugin, intercept the URL like this:
webview.setWebViewClient(new WebViewClient() {
#Override
public void onPageFinished(WebView view, String url) {
//use this area to set your input. Depending on how you
//implemented your plugin, you may need to return this value
//back to your main activity
Toast.makeText(cordova.getActivity(), "Loading: " + url, Toast.LENGTH_LONG).show();
}
});
Have you try to get the url from the href of and assign to the input variable and do the get/post? I know that it is possible in SDK i figure it dont will be harder in a framework. You can store the hiperlinks in a array with a parser or something similar.
example pseudocode:
When_hiperlink_clicked: //could be like a listener (search about it)
url = hiperlink.getURL("myHiperlink");
myinput.setText(url);
execute_input_bar_action();
Is difficult to figure out without code or something more, sorry.
I recently wrote up a simple Twitter app for Android to learn the ropes of the Twitter API and OAuth.
The app's main activity simply asks for a username to follow. It then calls another activity which handles the OAuth & Twitter API calls. It redirects the user to an authorization page, which then returns to the app after the user finishes.
It used to work just fine, but now for some reason when I call webview.loadUrl(authorizationURL), NOTHING happens. I never changed anything that would affect the WebView stuff though... Here's my code:
#Override
public void onResume() {
super.onResume();
try {
if(weNeedCredentials()) {
obtainCredentials();
}
follow(mUsername);
} catch (OAuthException oae) {
// omitted
}
}
private boolean weNeedCredentials() {
// assume the method returns true
}
private void obtainCredentials() {
final Token requestToken = mOauthService.getRequestToken();
String authUrl = mOauthService.getAuthorizationUrl(requestToken);
// I verified that authUrl is the correct url (and != null)
final WebView oauthView = (WebView) findViewById(R.id.oauthview);
oauthView.setWebViewClient(new WebViewClient() {
#Override
public boolean shouldOverrideUrlLoading(WebView view, String url) {
if(someCondition) {
oauthView.setVisibility(View.GONE);
doOtherStuff();
return true;
}
return super.shouldOverrideUrlLoading(view, url);
}
});
oauthView.getSettings().setJavaScriptEnabled(true);
oauthView.loadUrl(authUrl);
}
Here's my layout xml file:
<?xml version="1.0" encoding="utf-8"?>
<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
android:layout_width="fill_parent"
android:layout_height="fill_parent"
android:orientation="vertical">
<WebView
android:id="#+id/oauthview"
android:layout_width="fill_parent"
android:layout_height="fill_parent"
/>
</LinearLayout>
and also I included the proper Internet permissions in the Manifest.
A WebViewCoreThread is running for the life of the app, and a WebViewWorkerThread pops in later, but no WebView ever comes up (not even a white screen). The app never blocks either. It continues running as if the loadUrl() line were simply commented out.
I've tested on my phone (Droid X2) as well as an emulator, both with the same results. Any help would be greatly appreciated.
Thanks in advance!
It continues running as if the loadUrl() line were simply commented out.
It will always "continue running as if the loadUrl() line were simply commented out". loadUrl() is asynchronous and does not block.
Off the cuff, either:
weNeedCredentials() is returning false, or
follow() is replacing the UI, or
Twitter is doing a redirect, and someCondition is true, so you are making the WebView be GONE right away
there are issues with the URL that you are loading