John-59
commented
9 months ago Yes, I run into with very similar problem. I create application which needs authorization with OIDC provider (Keycloak) and I have 3 situation:
- If the user is already authorized in the application and then clicks on a link (from mail, for example) to a specific application screen - all works fine and the application starts and shows this screen.
- If the user is not previously authorized and simulates to click on a link by command "adb shell am start -d "link.to.concrete.application.screen" -a android.intent.action.VIEW" - all works fine and the application starts, redirects to Chrome Custom Tab for authorization and then shows the screen according to the link.
- But if the user not previously authorized and clicks on a link - the application starts, redirects to Chrome Custom Tab for authorization, but after authorization nothing happens (not redirect back to the application, Chrome Custom Tab remains open).
AppAuth version: 0.11.1 Language: Kotlin OIDC provider: Keycloak
tnache
Configuration
flutter_appauthpackage v6.0.2Description
I've run into a very specific edge case problem inside my app which probably involves intent handling by Android.
So, the app offers authorization with proprietary OIDC compatible provider - and this works flawlessly. But besides that it offers registration flow and password recovery flow. Both rely on user clicking a one-time link in email message they receive - and the problem is with that two flows. Those links are handled by the app as App Links. App verifies tokens it receives in link, asks user for confirmation and starts authentication flow with AppAuth supplying tokens in additional parameters. Everything runs fine in CustomTab until provider finishes authentication - and after that things get strange....
When you use
adb am startto simulate click on App Link everything is fine, Intent is delivered toRedirectUriReceiverActivityin running application instance and properly forwarded toAuthorizationManagementActivity, then integration handles response and everything finishes as expected.But when you click the link from GMail, after finishing OIDC flow a new App instance is started every time. It doesn't have access to saved state and logs following error
No stored state - unable to handle response- so the flow couldn't finish properly. Although on OIDC side everything finishes properly, user is registered properly on his password is properly reset. This from user perspective is very confusing.From what I've found by now the problem is with flags that are used to start the App via App Links. When you use
adbit defaults to only usingFLAG_ACTIVITY_NEW_TASK 0x10000000, but when you click on a link it uses following:FLAG_ACTIVITY_REQUIRE_NON_BROWSER 0x00000400FLAG_ACTIVITY_CLEAR_WHEN_TASK_RESET 0x00080000FLAG_ACTIVITY_NO_ANIMATION 0x00010000When I've tried to set similar flags with
adbit seems that onlyFLAG_ACTIVITY_CLEAR_WHEN_TASK_RESETis causing problem to occur. When I start Intent without it (0x90400) everything works.Digging further into that I've tried experimenting with
documentLaunchMode,launchModeandallowTaskReparentingwith various combinations. I've also tried setting redirect URI to HTTPS (I've used custom scheme as default) and the results are always the same.Anyone here run into similar problem?
This issue is critical to this App and as I've wasted few days already debugging this I'll probably implement those not working flows without AppAuth to make App usable - but in future I'll like to use original design (BTW application is multi-platform and with iOS it works properly).
Below you can find logcat entries from tests. Those starting with
Aare from success tests. Those withBare from failed ones.Starting App from App Link - notice different
result codeAfter CustomTab finishes - same as above,
result codeforAuthorizationManagementActivitydiffers