Tags: flutter, azure, azure-ad-b2c

Retrieving tokens from aad_b2c_webview


I wanted to leverage Microsoft's Azure B2C package aad_b2c_webview to manage secure login into an Android app I built earlier.

The use case is: the user lands on the login page, and after signing into their Azure B2C account they see the home screen, which provides links to other screens (e.g. profile, dashboard, account) within the Android app.

I followed the instructions at https://github.com/microsoft/aad_b2c_webview

It works, but I am struggling to understand what exactly is happening, and there is almost no viable documentation (it's as if Microsoft abandoned this project).

  1. Is it necessary to use deep links? My understanding of deep links is that they are primarily used to create a seamless experience between web and app, so your users get redirected to the app as opposed to the website. In my case there is no website, so there is nowhere to host the assetlinks.json file (unless I buy a domain and create and host it, which seems redundant). This is only an Android app.
  2. I am assuming the meta-data and intent-filter have to be stored within the is this correct?
  3. It mentions the use of flutter secure storage for storage and retrieval of access-related information (access token, refresh token etc.). How do we access this in subsequent pages to retrieve the relevant tokens?
  4. How does it handle the logout mechanism, or is this something we have to create using ADB2CEmbedWebView?

Thanks guys.


Solution

  • Note: While deep links are often used for app-to-web redirection, they are not strictly necessary for your use case.

    • They help with URL-based navigation but aren't required unless you plan to link specific content to external resources. You could skip hosting assetlinks.json if it's a purely Android app. Just ensure your app has the right intent-filter.

    It mentions the use of flutter secure storage for storage and retrieval of access-related information (access token, refresh token etc.). How do we access this in subsequent pages to retrieve the relevant tokens?

    • Flutter Secure Storage is used to store the access and refresh tokens securely. After login, you can retrieve them on subsequent screens using the Secure Storage API.

    • The logout process requires your app to handle token invalidation and redirecting the user to a logout URL. Azure B2C might not handle it automatically within the aad_b2c_webview component, so you'll need to implement this via custom code or by using ADB2CEmbedWebView to clear the session.

    I am assuming the meta-data and intent-filter have to be stored within the is this correct?

    Yes, the meta-data and intent-filter should be stored within the AndroidManifest.xml file to handle the deep link mechanism (if you're using it). This ensures the app knows how to handle incoming URLs. If you're not using deep links, you can skip the deep link-related configurations, but the intent-filter is often still useful to catch specific redirect URIs.

    In an app-only setup, configure the intent-filter in the AndroidManifest.xml to handle the redirect URI, using a custom URI scheme like yourapp://oauth.

    • Store access and refresh tokens securely with Flutter Secure Storage using keys like 'access_token' and 'refresh_token'. Retrieve the tokens by calling storage.read(key: 'access_token') and handle token expiration by using the refresh token to obtain a new access token if necessary.
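The storage, refresh and logout points from the answer above, put together as an added Dart example (this is not code from the aad_b2c_webview project). It assumes the AndroidManifest.xml intent-filter already catches the custom redirect scheme (yourapp://oauth, as the answer suggests), that the app registration requested the offline_access scope so a refresh token is issued, and that the tenant name, user-flow (policy) name and client id are placeholders you replace with your own. The refresh call uses the standard Azure B2C token endpoint with grant_type=refresh_token; the expiry check only decodes the JWT's exp claim locally as a "refresh now?" hint and does not replace validation by the API that receives the token.

```dart
// Added example, not part of aad_b2c_webview. Placeholders below must be
// replaced with the values from your own B2C tenant and app registration.
import 'dart:convert';

import 'package:flutter_secure_storage/flutter_secure_storage.dart';
import 'package:http/http.dart' as http;

const String kTenant = 'YOUR_TENANT'; // placeholder, e.g. contoso
const String kPolicy = 'B2C_1_signupsignin'; // placeholder user-flow name
const String kClientId = 'YOUR_CLIENT_ID'; // placeholder app registration id
const String kRedirectUri = 'yourapp://oauth'; // same scheme as the intent-filter
const String kScope = 'openid offline_access'; // offline_access => refresh token

class TokenStore {
  TokenStore({FlutterSecureStorage? storage})
      : _storage = storage ?? const FlutterSecureStorage();

  final FlutterSecureStorage _storage;

  static const _accessKey = 'access_token';
  static const _refreshKey = 'refresh_token';

  /// Call once after the webview reports a successful sign-in.
  Future<void> save({required String accessToken, String? refreshToken}) async {
    await _storage.write(key: _accessKey, value: accessToken);
    if (refreshToken != null) {
      await _storage.write(key: _refreshKey, value: refreshToken);
    }
  }

  /// Any later screen calls this; an expired token is refreshed transparently.
  /// Returns null when the user has to sign in interactively again.
  Future<String?> validAccessToken() async {
    final access = await _storage.read(key: _accessKey);
    if (access != null && !isExpired(access)) return access;
    final refresh = await _storage.read(key: _refreshKey);
    if (refresh == null) return null;
    return _refresh(refresh);
  }

  /// Wipes the local tokens and returns the B2C end-session URL the app should
  /// load in the webview so the server-side session is cleared as well.
  Future<Uri> logout() async {
    await _storage.deleteAll();
    return Uri.https(
      '$kTenant.b2clogin.com',
      '/$kTenant.onmicrosoft.com/$kPolicy/oauth2/v2.0/logout',
      {'post_logout_redirect_uri': kRedirectUri},
    );
  }

  Future<String?> _refresh(String refreshToken) async {
    final tokenEndpoint = Uri.https(
      '$kTenant.b2clogin.com',
      '/$kTenant.onmicrosoft.com/$kPolicy/oauth2/v2.0/token',
    );
    // A Map body is sent as application/x-www-form-urlencoded by package:http.
    final res = await http.post(tokenEndpoint, body: {
      'grant_type': 'refresh_token',
      'client_id': kClientId,
      'scope': kScope,
      'refresh_token': refreshToken,
    });
    if (res.statusCode != 200) {
      // Refresh token revoked or expired: drop everything and force a new login.
      await _storage.deleteAll();
      return null;
    }
    final body = jsonDecode(res.body) as Map<String, dynamic>;
    await save(
      accessToken: body['access_token'] as String,
      refreshToken: body['refresh_token'] as String?, // B2C rotates refresh tokens
    );
    return body['access_token'] as String;
  }
}

/// Reads the `exp` claim of a JWT without verifying its signature. This is only
/// a local hint for deciding when to refresh; the API must validate the token.
bool isExpired(String jwt, {Duration leeway = const Duration(seconds: 30)}) {
  final parts = jwt.split('.');
  if (parts.length != 3) return true; // not a JWT: treat as unusable
  final payload = utf8.decode(base64Url.decode(base64Url.normalize(parts[1])));
  final exp = (jsonDecode(payload) as Map<String, dynamic>)['exp'];
  if (exp is! int) return true;
  final expiry = DateTime.fromMillisecondsSinceEpoch(exp * 1000, isUtc: true);
  return DateTime.now().toUtc().isAfter(expiry.subtract(leeway));
}
```

Usage: after the webview's success callback, call `TokenStore().save(accessToken: ..., refreshToken: ...)`; on the profile or dashboard screen call `await TokenStore().validAccessToken()` before each API request and send the user back to the login screen when it returns null; for logout, `final url = await TokenStore().logout();` and open that URL in the webview. Keeping both tokens only in flutter_secure_storage (never in SharedPreferences or logs) and deleting them with `deleteAll()` on any refresh failure keeps a stale or revoked session from lingering on the device.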