[IMPROVEMENT] User CustomTabs instead of WebView

[philipbrito]

Only in certain circumstances!

See: https://developer.chrome.com/multidevice/android/customtabs#whentouse https://chromium.googlesource.com/custom-tabs-client/+/master/Using.md https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html https://www.theregister.co.uk/2016/08/23/google_to_block_web_views_from_using_its_oauth/

[rafaelks]

AFAIK this is already done. 👍

[philipbrito]

@rafaelks This is not done yet. The reason to open this issue is what was described here (too): https://github.com/RocketChat/Rocket.Chat.Android/issues/1699

[ear-dev]

Description

Best practices according to the IETF explicitly state:

" OAuth 2.0 authorization requests from native apps should only be made through external user-agents, primarily the user's browser....

4. Overview For authorizing users in native apps, the best current practice is to perform the OAuth authorization request in an external user-agent (typically the browser) rather than an embedded user-agent (such as one implemented with web-views).

   Previously, it was common for native apps to use embedded user-agents (commonly implemented with web-views) for OAuth authorization requests. That approach has many drawbacks, including the host app being able to copy user credentials and cookies as well as the user needing to authenticate from scratch in each app. See Section 8.12"

Currently Oath is implemented with a webView here: https://github.com/RocketChat/Rocket.Chat.Android/blob/93d43d3b6584161c57baac397952fd2ebfc8658b/app/src/main/java/chat/rocket/android/webview/oauth/ui/OauthWebViewActivity.kt#L107

It could be done perhaps with a chrome custom tab using something like this: https://github.com/RocketChat/Rocket.Chat.Android/blob/93d43d3b6584161c57baac397952fd2ebfc8658b/app/src/main/java/chat/rocket/android/util/extensions/View.kt#L10 but I think it would also require adjustments to AndroidManifest.xml to handle deep linking in order to get the response back into the app.

[philipbrito]

Thanks for providing us such a detailed explanation @ear-dev!

[ear-dev]

@filipedelimabrito Has there been any progress on this? Is it planned for a release? Thanks!

[philipbrito]

Not for the next release yet @ear-dev. From what I remember there are some implications changing from WebView to CustomTabs for OAuth (because we rely on the callback result for instance). But it doesn't mean that we don't want to change (the reasons were pointed out above).

We let you know when we start working on it.

[bizzbyster]

@filipedelimabrito we may be able to work on it. Can you provide us with the details you reference here "From what I remember there are some implications changing from WebView to CustomTabs for OAuth"? Those will give us a head start on this.

[philipbrito]

@bizzbyster This line because we rely on the callback result for instance. Basically we need to send the credentialToken and credentialSecret after a successful login back to the API. I am not sure how to get that callback with customTabs now - I need to look on that, but let me know if you are planning to do that so.

[bizzbyster]

@filipedelimabrito It looks like this needs to be done via deep linking since CCT by design does not let you read the final URL the way we currently do with the webview. https://community.fitbit.com/t5/Web-API-Development/Not-able-to-get-Authorization-Code-from-URL-in-Chrome-Custom-Tabs-oAuth2-0/m-p/1046614#M3934.

[bizzbyster]

The recommended way to do this is to use a deep link on the redirect URL that the Oauth2 server redirects to after the user has been authenticated. Chrome Custom Tab doesn't handle these properly if they have https scheme -- they must be a unique scheme defined by the app or else the CCT just displays a blank screen. This is documented here (https://stackoverflow.com/questions/51244910/android-app-links-not-working-with-chrome-custom-tabs) but I have also experienced it.

At the same time, many Oauth2 providers like Google do not allow the "rocketchat" scheme. When I set redirect_uri to use it, I got the following error:

Therefore the approach i recommend is that Chrome Custom Tab be a per Oauth provider setting as opposed to being the implementation for all Oauth providers. This means for custom Oauth providers Webview or CCT will need to be an option in the Administrative console.