oktadev / okta-openidconnect-appauth-android

Android Application with Okta as the IdP and AppAuth as the OpenID Connect mobile library

OpenID's setLoginHint breaks redirect URI #1

Open chad-zips opened 7 years ago

chad-zips commented 7 years ago

I updated Okta's demo application to use OpenID's 0.6.1 release (latest) so I could use their new method setLoginHint(...).

Everything works with just upgrading the library and running -- perfectly.

When I add the setLoginHint call to the AuthorizationRequest Builder:

    AuthorizationRequest authorizationRequest = new AuthorizationRequest.Builder(
            authorizationServiceConfiguration,
            configuration.kClientID,
            CODE,
            Uri.parse(configuration.kRedirectURI))
            .setScope(SCOPE)
            .setLoginHint("user@domain.com")
            .build();

The ChromeTab shows the ERR_UNKNOWN_URL_SCHEME.

If I remove that line and then manually enter my username and password, the redirect URI works as expected.

Seems highly suspect, but I have tried this on my original program and had the same problem so I decided to try it out on base demo code and I see the same exact problem.

jmelberg-okta commented 7 years ago

@chad-zips: Very interesting. I'll take a look this week to see if I can diagnose what is going on. It does not look like there is an outstanding issue in the parent repo either -> AppAuth-Android

chad-zips commented 7 years ago

Interesting indeed. Very sparse changes. I used your demo app instead of the parent's because Okta's is more straightforward -- and perhaps it is a bug in the Okta preview server's redirect/javascript?

@jmelberg-okta This is the diff file with my OktaConfiguration values scrubbed out.

okta.diff.txt

chad-zips commented 7 years ago

I tested on a Nexus 6 with Android 7 and Nexus 5X with Android 7.1.2

When I get the ERR_UNKNOWN_URL_SCHEME -- if I use the chrometabs drop down to 'open in chrome' it will THEN find the redirect_uri and open the application and exchange the code to get the token.

I thought that may be a chrometab bug, so I tried setting Chrome in the BrowserBlackList to force it to not use chrometabs and it still fails -- though there is no workaround to open in Chrome, since it is in Chrome.

Seems like a timing bug somewhere. Crazy that the loginhint is the culprit, but without that one line everything works as expected.

jmelberg-okta commented 7 years ago

Hi @chad-zips. I was able to reproduce this today. I'm going to continue to look into this issue on our side, and hope to resolve this soon.

Thanks for this discovery!

wdawson commented 7 years ago

FYI @chad-zips this seems to be related to a Chromium bug. I've added a comment there to hopefully help them reproduce the issue faster 🤞