I would like to know if AppAuth, with the https scheme, works with Firefox and other browsers.
I have CAS 5.2 acting as an OAuth IdP, but the IdP is not the problem, so I won't post its settings here.
I am trying to make a demo AppAuth app that can work with my IdP. I am using the demo that comes with https://github.com/openid/AppAuth-Android for the setup.
I am using an https redirect_uri scheme, since this OAuth IdP is not only for mobile.
The problem is, I am only able to make OAuth work in Chrome (and its Custom Tab version) and Samsung Browser (and its Custom Tab version).
For the other browsers that I've tested (Opera, Dolphin, Firefox), it just stares at my redirect_uri and refuses to go back to the app [ https://www.example.net/test_oauth/index.php ] (Note: I already prompted the user to click a link for the redirection)
I would like it to work with more than only Chrome and Samsung Browser. If it can work with maybe Firefox Custom Tab and more, that would be great!
The setup is basically the same as the AppAuth demo, only forcing a client secret (for testing purposes), with the following configuration:
auth_config.json:
    {
      "client_id": "TestOAuth",
      "redirect_uri": "https://www.example.net/test_oauth/index.php",
      "authorization_scope": "openid email profile",
      "discovery_uri": "",
      "authorization_endpoint_uri": "https://www.example.net/cas/oauth2.0/authorize",
      "token_endpoint_uri": "https://www.example.net/cas/oauth2.0/accessToken",
      "registration_endpoint_uri": "",
      "user_info_endpoint_uri": "https://www.example.net/cas/oauth2.0/profile",
      "https_required": false
    }
AndroidManifest.xml:
    <activity android:name="net.openid.appauth.RedirectUriReceiverActivity">
        <intent-filter>
            <action android:name="android.intent.action.VIEW" />
            <category android:name="android.intent.category.DEFAULT" />
            <category android:name="android.intent.category.BROWSABLE" />
            <data
                android:host="www.example.net"
                android:path="/test_oauth/index.php"
                android:scheme="https" />
        </intent-filter>
    </activity>
Thanks!
Lead maintainer of AppAuth here. As far as I know, Firefox and other non-Chromium based browsers do not implement app links and so do not attempt to dispatch matching web URLs to the apps that claim them. For this reason, if you must use web redirect URLs for your authorization flow then I recommend setting up a real web page to capture the redirect, and convert it to a custom scheme based URI attached to a button or link.
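
A sketch of the capture page recommended in the answer above, as an added example that is not code from the answer or from the AppAuth project: script for the page served at the https redirect_uri that rebuilds the authorization response as a custom-scheme link for the user to tap. The custom scheme `net.example.testoauth:/oauth2redirect` and the element id `return-to-app` are assumptions; the app would need a matching intent filter for that scheme.

```javascript
// Hypothetical custom-scheme URI the app registers for (assumption, not from the post).
const APP_REDIRECT = "net.example.testoauth:/oauth2redirect";

// Forward only standard OAuth 2.0 authorization response parameters, so
// nothing else appended to the page URL is passed on to the app.
const ALLOWED_PARAMS = ["code", "state", "error", "error_description", "error_uri"];

// Returns the custom-scheme URI to put on the link, or null when the
// incoming URL is not a well-formed authorization response.
function buildAppRedirect(pageUrl, appRedirect = APP_REDIRECT) {
  const incoming = new URL(pageUrl);
  const forwarded = new URLSearchParams();
  for (const name of ALLOWED_PARAMS) {
    const values = incoming.searchParams.getAll(name);
    // A repeated parameter is ambiguous; do not guess which one is real.
    if (values.length > 1) return null;
    if (values.length === 1) forwarded.set(name, values[0]);
  }
  // Exactly one of code / error must be present.
  const hasResult = forwarded.has("code") !== forwarded.has("error");
  // AppAuth sends a state value by default and matches the response on it,
  // so a response without state is not forwarded.
  if (!forwarded.has("state") || !hasResult) return null;
  return `${appRedirect}?${forwarded.toString()}`;
}

// Browser-only wiring: attach the URI to a link the user taps.
if (typeof document !== "undefined") {
  const target = buildAppRedirect(window.location.href);
  const link = document.getElementById("return-to-app"); // hypothetical id
  if (target && link) link.href = target;
}
```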