Open jtn-d opened 5 years ago
Generally speaking, you won't be able to use AppAuth's approach to authorization via a custom tab or system browser for "background" checks like this, for two reasons:
Opening the tab or browser necessitates full screen state changes on the device, which is a very jarring UX for something that the user is not expected to interact with.
Browsers will not allow redirects back to the app without user interaction, which is likely the behavior you are seeing in this case. This is problematic in other cases too, such as authorization requests that some IDPs automatically approve and attempt to redirect without user interaction - these results are never delivered back to the app and require special handling, with an intermediate page that the user must click on, to ensure delivery.
"Browsers will not allow redirects back to the app without user interaction" I don't think there is a need for user interaction, because I have a logout procedure working without any interaction from the user. The app uses CustomTabsIntent to launch the end_session_endpoint and the IdP redirects successfully back.
What is the difference between your implementation that works, and what AppAuth is doing? If we had a way to reliably deliver redirects back to the app without user interaction I'd gladly take it, but our experience so far has been that redirects without user interaction are blocked by Chromium-based browsers.
CustomTabsIntent.Builder().build().launchUrl(context, Uri.parse("$endSessionEndpoint?post_logout_redirect_uri=$logoutRedirectUri"))
I am trying to check if a user is still logged in by repeating the authentication request with prompt=none, see Session Status Change Notification.
There is a setPrompt(AuthorizationRequest.Prompt.NONE) method, but when I am using it, the redirect is failing. Am I missing something?
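
An added example, not part of this thread and not AppAuth's own code: how a prompt=none authorization request is formed and how its redirect is interpreted once it does reach the app, including the state check and the OpenID Connect Core error codes that mean the user must interact. It uses only JDK classes; the endpoint, client ID, redirect URI and all function names are hypothetical.

```kotlin
import java.net.URI
import java.net.URLDecoder
import java.net.URLEncoder
import java.security.SecureRandom
import java.util.Base64

enum class SessionStatus { ACTIVE, NEEDS_INTERACTION, FAILED }

// OpenID Connect Core error codes returned when prompt=none cannot be satisfied silently.
private val INTERACTION_ERRORS =
    setOf("login_required", "interaction_required", "consent_required", "account_selection_required")

// Unguessable state value that binds the response to this request.
fun newState(): String {
    val bytes = ByteArray(16).also { SecureRandom().nextBytes(it) }
    return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes)
}

private fun enc(v: String) = URLEncoder.encode(v, "UTF-8")

// Silent authorization request: every parameter value is URL-encoded.
fun buildSilentAuthUrl(authEndpoint: String, clientId: String, redirectUri: String, state: String) =
    "$authEndpoint?response_type=code&scope=openid&prompt=none" +
        "&client_id=${enc(clientId)}&redirect_uri=${enc(redirectUri)}&state=${enc(state)}"

private fun queryParams(uri: URI): Map<String, String> =
    (uri.rawQuery ?: "").split("&").filter { it.isNotEmpty() }.associate {
        val (k, v) = (it.split("=", limit = 2) + "").take(2)
        URLDecoder.decode(k, "UTF-8") to URLDecoder.decode(v, "UTF-8")
    }

// Classifies the redirect the app received; a state mismatch is rejected before anything else.
fun classifyRedirect(redirect: String, expectedState: String): SessionStatus {
    val p = queryParams(URI(redirect))
    if (p["state"] != expectedState) return SessionStatus.FAILED
    val error = p["error"]
    return when {
        error != null && error in INTERACTION_ERRORS -> SessionStatus.NEEDS_INTERACTION
        error != null -> SessionStatus.FAILED
        p["code"].isNullOrEmpty() -> SessionStatus.FAILED
        else -> SessionStatus.ACTIVE
    }
}

fun main() { // constructed sample values throughout
    val state = newState()
    val cb = "com.example.app:/oauth2redirect"
    println(buildSilentAuthUrl("https://idp.example/authorize", "demo-client", cb, state))
    println(classifyRedirect("$cb?error=login_required&state=$state", state)) // NEEDS_INTERACTION
    println(classifyRedirect("$cb?code=abc123&state=$state", state))          // ACTIVE
    println(classifyRedirect("$cb?code=abc123&state=forged", state))          // FAILED
}
```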