FirebaseExtended / custom-auth-samples

Samples showcasing how to sign in Firebase using additional Identity Providers
Apache License 2.0

Android example for Instagram #8

Open nikthakkar opened 7 years ago

nikthakkar commented 7 years ago

It would be great if we can have an example build for an Android app so that the best practices are followed in implementing other OAuth providers. Thanks.

nicolasgarnier commented 6 years ago

To do this, the server-side code is already implemented. See this part of the code for the auth redirect: https://github.com/firebase/custom-auth-samples/blob/master/instagram/app.js#L119-L126

And this for the code exchange: https://github.com/firebase/custom-auth-samples/blob/master/instagram/app.js#L133-L148

Basically the Android/iOS native app has to follow this flow:

  1. Generate a random cryptographic nonce and save it to memory to check later.
  2. Send the user to the /instagram-mobile-redirect?state=<nonce> URL of the server (use the nonce generated in step 1) in a Chrome Custom Tab (or the equivalent on iOS).
  3. In the browser, the user is redirected to the Instagram sign-in page and is asked to grant access to your app. Once the user has gone through the auth flow (granted or denied access to the app), he is redirected to a custom scheme URI instagram-sign-in-demo://instagram-mobile-callback?code=<code>&state=<nonce>. The app needs to intercept this URI (i.e. on Android, add an intent filter for incoming links with the custom scheme URI) and read the code and state URL parameter values.

    PS: you should change the custom scheme on this line to have your own.

  4. Check that the nonce in the state parameter equals the one saved in memory at step 1 to avoid session fixation attacks.
  5. Send an HTTP request to the /instagram-mobile-exchange-code?code=<code> endpoint; this will return the Firebase custom auth token that you can use to sign in your user to Firebase.

nicolasgarnier commented 6 years ago

@bojeil-google in case he has anything else to add or other techniques he wants to discuss.

bojeil-google commented 6 years ago

Seems reasonable. A few recommendations:

  1. Consider hashing the nonce when sending it to the Instagram auth endpoint and storing the plain version in the app.
  2. At the end of the flow, pass the plain stored version. On the token endpoint, you would hash it and compare it with the one returned from Instagram. This makes it harder for an app that intercepts the initial redirect to get the original nonce.

On Android, consider using FDL (Firebase Dynamic Links) links to redirect back to the app for additional security. Custom schemes on Android are less secure, since they don't have the controlled and regulated ecosystem that Apple has, and any app can claim a custom scheme.