Tags: c#, android, duende-identity-server, identityserver5

How to login in Duende IdentityServer from Android mobile app


We are developing an ASP.NET Web based application with Angular interface.

The project is older; it was migrated to Duende from an older version where the authentication was done by us with tokens. After the default project in Visual Studio added support for Individual user authentication (starting with dotnet 6), we started to migrate the code into the new project with the improved authentication (Duende).

We are also trying to create an Android app, we added the client in appsettings.json:

    "Clients": {
      "AppName": {
        "Profile": "IdentityServerSPA"
      },
      "AndroidID": {
        "Profile": "IdentityServerSPA",
        "Enabled": true,
        "ClientId": "AndroidID",
        "RequireClientSecret": false,
        "ClientName": "AndoidApp",
        "ClientSecrets": [ { "Value": "" } ],
        "RequirePkce": true,
        "AllowedGrantTypes": [ "code", "implicit", "client_credentials" ],
        "AllowedScopes": [ "openid", "profile", "email", "phone", "api" ],
        "RedirectUris": [ "https://aaa/well-known/openid-configuration" ],
        "RequireConsent": false,
        "AllowOfflineAccess": true
      }
    }

For the Android side we are using the library: https://github.com/openid/AppAuth-Android . In our tests we are changing the configuration in the sample application from the AppAuth repo.

{
  "client_id": "AndroidID",
  "redirect_uri": "https://aaa/authentication/login-callback",
  "end_session_redirect_uri": "https://aaa/connect/endsession",
  "authorization_scope": "openid email profile SIGADAPI",
  "authorization_endpoint_uri": "https://aaa/identity/account/login",
  "token_endpoint_uri": "https://aaa/connect/token",
  "registration_endpoint_uri": "",
  "user_info_endpoint_uri": "https://aaa/home",
  "https_required": true,
  "end_session_endpoint": "https://aaa/connect/endsession",
  "client_secret": "",
  "response_types": "code",
  "jwks_uri": "https://aaa/.well-known/openid-configuration/jwks",
  "revocation_endpoint": "https://aaa/connect/revocation",
  "grant_types": [ "code", "implicit", "client_credentials" ],
  "scopes_supported": [ "openid", "profile", "email", "phone", "SIGADAPI" ]
}

The problem is that in Login.cshtml, returnUrl is null. In C# we receive a success response from _signInManager.PasswordSignInAsync, but we do not have a valid returnUrl for the callback, so in the end we are not logged in on Android.

I know the answer is really easy and we have been stuck on this step for a long time, but what are we doing wrong, and how do you manage to log in from another client?

The dotnet version is 6 and Duende IdentityServer is 6.0.8.

Thank you very much for your help


Solution

  • On the Android side you can actually use the openid-configuration as a discovery_uri parameter, and after that you don't need to set the authorization_endpoint_uri and token_endpoint_uri. Also, make sure that the authorization_scope matches the expected parameters.

    You can inspect the Android Custom Tab using the Chrome tool chrome://inspect/#devices; maybe you have an error in the Custom Tab and the redirect is not done as expected.
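As an added illustration (not code from the question, the answer, AppAuth-Android or Duende), the script below does in plain Python what a discovery-driven client does, and cross-checks the two configs posted in the question against each other and against the issuer metadata. The discovery document is constructed for the issuer https://aaa using Duende's default endpoint paths (/connect/authorize, /connect/token); the real one is whatever https://aaa/.well-known/openid-configuration returns. The function names (apply_discovery, check_config, pkce_pair, verify_pkce, build_authorize_url) are this example's own.

```python
"""Config cross-check and authorize-request builder for a code + PKCE client.

Added example; not code from the question, from AppAuth-Android or from Duende.
DISCOVERY is constructed for issuer https://aaa with Duende's default endpoint
paths; the real document is served at /.well-known/openid-configuration.
"""
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Constructed: what fetching the discovery_uri is assumed to return.
DISCOVERY = {
    "issuer": "https://aaa",
    "authorization_endpoint": "https://aaa/connect/authorize",
    "token_endpoint": "https://aaa/connect/token",
    "end_session_endpoint": "https://aaa/connect/endsession",
    "jwks_uri": "https://aaa/.well-known/openid-configuration/jwks",
}

# Server-side registration, copied from the appsettings.json in the question.
SERVER_CLIENT = {
    "ClientId": "AndroidID",
    "RequirePkce": True,
    "AllowedScopes": ["openid", "profile", "email", "phone", "api"],
    "RedirectUris": ["https://aaa/well-known/openid-configuration"],
}

# App-side config, copied from the AppAuth-style JSON in the question.
APP_CONFIG = {
    "client_id": "AndroidID",
    "redirect_uri": "https://aaa/authentication/login-callback",
    "authorization_scope": "openid email profile SIGADAPI",
    "authorization_endpoint_uri": "https://aaa/identity/account/login",
    "token_endpoint_uri": "https://aaa/connect/token",
}


def apply_discovery(app, discovery):
    """What a discovery_uri does for you: endpoints come from the issuer's
    metadata instead of hand-typed URLs."""
    return dict(
        app,
        authorization_endpoint_uri=discovery["authorization_endpoint"],
        token_endpoint_uri=discovery["token_endpoint"],
    )


def check_config(server, app, discovery):
    """List mismatches that stop the code flow before a valid authorize
    request ever reaches the server."""
    problems = []
    if app["client_id"] != server["ClientId"]:
        problems.append("client_id differs from the registered ClientId")
    # Sending the user straight to the login page skips the authorize endpoint,
    # which is the step that redirects to the login page with returnUrl set.
    if app["authorization_endpoint_uri"] != discovery["authorization_endpoint"]:
        problems.append("authorization_endpoint_uri is not the discovered authorization_endpoint")
    if app["token_endpoint_uri"] != discovery["token_endpoint"]:
        problems.append("token_endpoint_uri is not the discovered token_endpoint")
    # Registered redirect URIs are matched as whole strings, no wildcards.
    if app["redirect_uri"] not in server["RedirectUris"]:
        problems.append("redirect_uri is not in the client's RedirectUris")
    for scope in app["authorization_scope"].split():
        if scope not in server["AllowedScopes"]:
            problems.append(f"scope {scope!r} is not in AllowedScopes")
    return problems


def _challenge_for(verifier):
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def pkce_pair():
    """RFC 7636 verifier/challenge pair (S256); AppAuth generates this itself."""
    verifier = secrets.token_urlsafe(64)  # 86 URL-safe chars, inside the 43..128 range
    return verifier, _challenge_for(verifier)


def verify_pkce(verifier, challenge):
    """The token endpoint's side of PKCE: recompute and compare in constant time."""
    return secrets.compare_digest(_challenge_for(verifier), challenge)


def build_authorize_url(discovery, client_id, redirect_uri, scope, state, challenge):
    """The request AppAuth opens in the Custom Tab; the login page is reached
    only after this endpoint has handled the request and set returnUrl."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return discovery["authorization_endpoint"] + "?" + urlencode(params)


if __name__ == "__main__":
    for problem in check_config(SERVER_CLIENT, APP_CONFIG, DISCOVERY):
        print("mismatch:", problem)
    fixed = apply_discovery(APP_CONFIG, DISCOVERY)
    verifier, challenge = pkce_pair()
    print(build_authorize_url(DISCOVERY, fixed["client_id"], fixed["redirect_uri"],
                              fixed["authorization_scope"], secrets.token_urlsafe(16), challenge))
```

Run as posted, it reports three mismatches from the question's configs: authorization_endpoint_uri points at the login page instead of the discovered /connect/authorize (so the login page is opened without the authorize request that supplies returnUrl, which matches the null returnUrl in Login.cshtml), redirect_uri is not among the client's RedirectUris (the registered value is the discovery URL, not the app's callback), and the scope SIGADAPI is not in AllowedScopes. Swapping in apply_discovery, registering the app's real callback URI on the server and aligning the scope names brings the check to an empty list; the PKCE helpers show the verifier/challenge pair the server checks at the token endpoint, which is why RequirePkce without a client secret is fine for a public mobile client.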