Get only authorizationCode on iOS

[moberwasserlechner]

I need to support cloud storage providers like OneDrive, Google Drive, DropBox and so on.

The actual access to resources is handled by the backend, so only the authentication is done by to user on the client this results in the authorizationCode, which is sent to the backend. The backend performs the retrieval of accessToken and most important the refreshToken

Unfortunately Code Flow with PKCE is no option because various OAuth providers support only native apps for this flow and web apps/PWAs are forced to use Implizit Flow. I need the refreshToken to access resources without the users interaction.

[moberwasserlechner]

I experimented a little bit and only authorizationTokens and code flow make sense for this scenario.

As the backend should access resources independently from the user a refresh token is needed in addition to the authorization token and this is only supported in code flow.

[moberwasserlechner]

Code flow with PKCE #4 should return refreshTokens.

[moberwasserlechner]

As I see no way to retrieve the authorizationCode from oauthSwift I will stop working on this task for now and concentrate on PKCE.

[moberwasserlechner]

I need that task because OneDrive Api does not allow code flow on web apps. So the last call to the get accessToken and more important the refreshToken needs to be done on the server.

[thmclellan]

@moberwasserlechner Thanks for sharing this great plugin! I'm working on a similar server code flow scenario where a Capacitor app lets the user authenticate with Dropbox or Google Drive to get an authorization code, and our server uses that code to get an accessToken and/or refreshToken. This way our server could transfer files directly from Dropbox/Google.

For native apps, are you still planning to support getting the authorization code for iOS and Android? I noticed that oAuthSwift recently added support for this.

Alternatively, would it make sense to set a redirect URL to the server and have the server capture the authorization code directly? I'm not sure if this approach would work for a native app and your plugin. I've got some learning/experimenting to do here and would like to avoid taking a web view approach. In any case thanks for sharing your plans about authorization codes.

[moberwasserlechner]

Yes I still plan to support it for all platforms.

I guess you ask because I removed the labels. I only did that because its needed for all platforms, so I need less labeling ;).

To your alternative: This is a common alternative it should work. Although I never tried it myself. But if this tasks does not work for my scenario this is the way I will go as well.

[thmclellan]

Thanks for clarifying. I got it to work with the standard Capacitor Browser plugin by adding some special logic on the redirect URL page (on our server) to trigger a custom URI that loaded the app and included an authentication code as a parameter to the custom URI (so the app could read it on startup).

This worked well overall, though with Android I found it was necessary to set it to a "singleTask" launch mode to avoid multiple instances of the app. Some more background on this approach at https://forum.getcapacitor.com/t/oauth2-auth-code-flow-w-capacitor-browser/266/9

Planning to add Google sign in and some other oAuth providers so expect to be using your plugin again soon. Thanks for sharing!

[moberwasserlechner]

Starting with v2.0.0 you can get the code from the authorization request, if you do not provide the parameters accessTokenEndpoint and resourceUrl.

This - however - only works on the Web and Android. On iOS the used lib OAuthSwift does not give me the needed control over the flow to achieve this.

[anagstef]

Hello! Any updates on this?

I have the same issue with Salesforce. As you describe on your first post I want to retrieve only the code in client and then handle the rest on the server side. Is there a workaround for this? Can I do something else to get the code on iOS?

Thanks!

[razvantim]

Hello, I also need to only retrieve the access code using IOS.

It seems there is a workaround, but you have to extend the OAuthSwift plugin

https://github.com/OAuthSwift/OAuthSwift/issues/400

[moberwasserlechner]

Add authorization_response to the response when implementing this. See #154

[geeksalah7]

Hello, I'm passing the authorization code to my backend server to obtain access token, but it is returning the error "unauthorized_client". Here are the android options (Vuejs) code

android: {
        appId: capacitorConfig.plugins.GoogleAuth.androidClientId,
        responseType: 'code',
        redirectUrl: capacitorConfig.appId+':/',
        //resourceUrl: null,
        accessTokenEndpoint: '',
        additionalParameters:{
          access_type: 'offline',
          include_granted_scopes: true,
        },
      },

And here is the PHP code

$client = new Google_Client();

        $client->setClientId('WEB_CLIENT_ID.apps.googleusercontent.com');
        $client->setClientSecret('WEB_CLIENT_ID_SECRET');
       // $client->setRedirectUri('');
        $client->setAccessType('offline');
        //$client->setScopes($scope);
        $client->setState($state);
        $r = $client->fetchAccessTokenWithAuthCode($authCode);
        if(isset( $r['error']) && !empty( $r['error']) ){
            $response['message'] = $r['error'].' '.$r['error_description'];
            return $response;
        }

The appId: capacitorConfig.plugins.GoogleAuth.androidClientId, & $client->setClientId('WEB_CLIENT_ID.apps.googleusercontent.com'); belongs to the same google project, the difference is that one is for android and the other is for web client.

I would appreciate if someone can shed any light on the situation.

[raymondboswel]

Is there any progress on this? Me and a colleague tried to implement a workaround extending OAuthSwift inside this library, but couldn't get a working solution. @moberwasserlechner Do you have any suggestions we could try?

[bertrand-sifre]

Hi, I've implemented a solution to solve this problem. You can find my code in my fork => https://github.com/moberwasserlechner/capacitor-oauth2/compare/main...bertrand-sifre:capacitor-oauth2:main