
Using an application with a JavaFX front-end on Windows in the OAuth PKCE flow, is there an alternative to a port listener?


In the OAuth flow, using a custom URI/URL for the callback is customary on a smartphone, but not so much on Windows. I found a description of how to do that (How do I register a custom URL protocol in Windows?), but that talks about "application is opened and the parameters from the URL are passed to it".

In my situation the PKCE flow is started when the application is started by the user from the start menu. The application calls the default browser to get to the login page (implemented this way because of SSO; the other applications the users use do have a web front end) and, if logon succeeds, the browser calls the callback URL. So in my situation the browser would perform "myApp://code={OAuth-code}" instead of "http://127.0.0.1:{some port}/code={OAuth-code}".

The solution with the port listener is working right now on my development machine, but only because I have admin rights on my development laptop. Users that will use this app once it is in production don't have admin rights on their company laptops, and they're not going to get it.

So, my solution to the packaging team was to run the application with a service account that has admin rights, but they don't like that idea and asked me to find if there's another solution. I found this 'custom URL' to be a possible solution, but I wonder if that is even an option or that there's even another solution I haven't found yet that will work in this situation.


Solution

  • The current best practice for receiving OAuth responses to a desktop application is to use a loopback interface with a randomly assigned port (so what you showed in your question): https://datatracker.ietf.org/doc/html/rfc8252#section-7.3 This is also how you usually implement this in a desktop app.

    Are you sure that users won't be able to listen on a port? Normally, opening a port with a value greater than 1024 does not require admin rights on a system. I would double-check this as this should be possible. I don't think you have a different option on the desktop. For example, see this answer: How can I allow apps to claim "https" scheme URIs? (i.e How can I open a desktop application from https URL?)
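The loopback approach from RFC 8252 section 7.3 that the answer recommends, as an added example that is not code from the question or the answer. It binds a plain Java `com.sun.net.httpserver.HttpServer` to 127.0.0.1 on port 0 (the OS picks a free ephemeral port, which needs no elevation), generates the PKCE `code_verifier`/`code_challenge` pair and a `state` value, opens the system browser, and waits for the redirect. The authorization endpoint, client id and scope are hypothetical placeholders; the token-endpoint exchange is left out.

```java
import com.sun.net.httpserver.HttpServer;
import java.awt.Desktop;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.TimeUnit;

public class LoopbackPkceDemo {
    // Hypothetical identity-provider settings; replace with your own.
    private static final String AUTHORIZE_ENDPOINT = "https://idp.example.com/oauth2/authorize";
    private static final String CLIENT_ID = "my-desktop-app";
    private static final String SCOPE = "openid profile";

    private static final SecureRandom RNG = new SecureRandom();
    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

    static String randomUrlSafe(int bytes) {
        byte[] buf = new byte[bytes];
        RNG.nextBytes(buf);
        return B64URL.encodeToString(buf);
    }

    /** RFC 7636 S256: code_challenge = BASE64URL(SHA-256(ASCII(code_verifier))). */
    static String codeChallenge(String verifier) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest(verifier.getBytes(StandardCharsets.US_ASCII));
        return B64URL.encodeToString(digest);
    }

    static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }

    /** Splits a raw query string ("a=1&b=2") into decoded key/value pairs. */
    static Map<String, String> parseQuery(String raw) {
        Map<String, String> out = new HashMap<>();
        if (raw == null || raw.isEmpty()) return out;
        for (String pair : raw.split("&")) {
            int eq = pair.indexOf('=');
            String k = eq < 0 ? pair : pair.substring(0, eq);
            String v = eq < 0 ? "" : pair.substring(eq + 1);
            out.put(URLDecoder.decode(k, StandardCharsets.UTF_8), URLDecoder.decode(v, StandardCharsets.UTF_8));
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        String verifier = randomUrlSafe(32);          // 43 chars, within the 43..128 range of RFC 7636
        String challenge = codeChallenge(verifier);
        String state = randomUrlSafe(16);

        // Port 0 = let the OS choose a free ephemeral port; binding loopback does not require admin rights.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        int port = server.getAddress().getPort();
        String redirectUri = "http://127.0.0.1:" + port + "/callback";

        CompletableFuture<String> codeFuture = new CompletableFuture<>();
        server.createContext("/callback", exchange -> {
            Map<String, String> q = parseQuery(exchange.getRequestURI().getRawQuery());
            String body;
            if (!state.equals(q.get("state"))) {
                // Not our request (or a forged one): answer it but keep waiting for the genuine redirect.
                body = "State mismatch; response ignored.";
            } else if (q.containsKey("error")) {
                body = "Authorization failed: " + q.get("error");
                codeFuture.completeExceptionally(new IllegalStateException(q.get("error")));
            } else if (q.containsKey("code")) {
                body = "Login complete. You can close this window.";
                codeFuture.complete(q.get("code"));
            } else {
                body = "Malformed callback: no code.";
                codeFuture.completeExceptionally(new IllegalStateException("no code in redirect"));
            }
            byte[] bytes = body.getBytes(StandardCharsets.UTF_8);
            exchange.getResponseHeaders().add("Content-Type", "text/plain; charset=utf-8");
            exchange.sendResponseHeaders(200, bytes.length);
            try (OutputStream os = exchange.getResponseBody()) { os.write(bytes); }
        });
        server.start();

        String authUrl = AUTHORIZE_ENDPOINT + "?response_type=code"
                + "&client_id=" + enc(CLIENT_ID) + "&redirect_uri=" + enc(redirectUri)
                + "&scope=" + enc(SCOPE) + "&state=" + enc(state)
                + "&code_challenge=" + enc(challenge) + "&code_challenge_method=S256";

        // From JavaFX you would call getHostServices().showDocument(authUrl) instead of AWT Desktop.
        if (Desktop.isDesktopSupported()) Desktop.getDesktop().browse(URI.create(authUrl));
        else System.out.println("Open this URL in a browser: " + authUrl);

        try {
            String code = codeFuture.get(5, TimeUnit.MINUTES);
            // Next step (not shown): POST code + code_verifier to the token endpoint.
            System.out.println("Received authorization code " + code.length() + " chars long; verifier ready for token exchange.");
        } finally {
            server.stop(0);  // the listener lives only for the duration of one login
        }
    }
}
```

Two things worth checking before concluding that a listener needs admin rights: bind explicitly to 127.0.0.1 rather than to all interfaces (that is what RFC 8252 asks for, and it keeps the endpoint off the network), and note that the elevation requirement people usually run into on Windows comes from http.sys URL reservations (`netsh http add urlacl`), which apply to .NET `HttpListener` but not to a plain socket server like the one above. Register the exact `http://127.0.0.1:{port}/callback` pattern with the identity provider only if it supports the loopback port-wildcard rule of RFC 8252 section 7.3; otherwise fall back to a fixed high port.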