telenordigital / connect-android-sdk

Android SDK for CONNECT ID
https://telenordigital.github.io/id-docs.telenordigital.com/

Missing documentation for confidential client configuration #207

Open hegge opened 4 years ago

hegge commented 4 years ago

Using the Android SDK in a confidential client setup isn't documented anywhere I could find. The necessary steps seem to be:

  <!-- AndroidManifest.xml, inside <application> -->
  <meta-data
    android:name="com.telenor.connect.CONFIDENTIAL_CLIENT"
    android:value="true" />

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent intent = getIntent();
        // The SDK verifies the state parameter in the redirect before returning true
        if (ConnectSdk.hasValidRedirectUrlCall(intent)) {
            final String code = ConnectSdk.getCodeFromIntent(intent);
            // use code
        }
    }

    @Override
    protected void onActivityResult(int requestCode, int resultCode, Intent data) {
        super.onActivityResult(requestCode, resultCode, data);
        if (resultCode == Activity.RESULT_OK && data != null) {
            Bundle bundle = data.getExtras();
            if (bundle != null) {
                String code = bundle.getString("code");
                // use code
            }
        }
    }

hasValidRedirectUrlCall() and ConnectUtils.parseAuthCode ensure that the returned state matches connectStore.getSessionStateParam(), so the caller doesn't need to check the state in the redirect URI or in the activity result bundle.

ConnectSdk.handleRedirectUriCallIfPresent() cannot be used, as that will exchange the code for tokens. This means that the smsBroadcastReceiver cannot be unregistered. That seems like a bug.
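To make the confidential client split concrete, here is an added example (not the SDK's code and not the reporter's) of an Activity that wires the two entry points described above to one handler and forwards the authorization code to the app's own backend, which is where the client secret lives and where the code-for-token exchange happens. `ConnectSdk.hasValidRedirectUrlCall` and `ConnectSdk.getCodeFromIntent` are the SDK methods named in the report; the package name, the `BACKEND_CODE_ENDPOINT` URL, the `SignInActivity` class and the form field `code` are assumptions made for illustration.

```java
// Added example; package name and backend endpoint are assumed, not from the SDK.
package com.example.connectsample;

import android.app.Activity;
import android.content.Intent;
import android.os.Bundle;

import androidx.annotation.Nullable;
import androidx.appcompat.app.AppCompatActivity;

import com.telenor.connect.ConnectSdk;

import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

import javax.net.ssl.HttpsURLConnection;

public class SignInActivity extends AppCompatActivity {
    // Assumed backend endpoint. The backend holds the client secret and performs the
    // code-for-token exchange; the APK never contains or sees the secret.
    private static final String BACKEND_CODE_ENDPOINT = "https://backend.example.com/oauth/code";

    private final ExecutorService io = Executors.newSingleThreadExecutor();

    @Override
    protected void onCreate(@Nullable Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        handleRedirect(getIntent()); // cold start through the redirect-URI deep link
    }

    @Override
    protected void onNewIntent(Intent intent) {
        super.onNewIntent(intent);
        setIntent(intent);
        handleRedirect(intent); // singleTop activity re-entered with the redirect
    }

    @Override
    protected void onActivityResult(int requestCode, int resultCode, @Nullable Intent data) {
        super.onActivityResult(requestCode, resultCode, data);
        // The SDK has matched the state parameter before it returns RESULT_OK with a code.
        if (resultCode == Activity.RESULT_OK && data != null && data.getExtras() != null) {
            String code = data.getExtras().getString("code");
            if (code != null) forwardCodeToBackend(code);
        }
    }

    private void handleRedirect(@Nullable Intent intent) {
        // hasValidRedirectUrlCall() is false for unrelated intents and for a redirect
        // whose state does not match the value stored when login started.
        if (intent != null && ConnectSdk.hasValidRedirectUrlCall(intent)) {
            String code = ConnectSdk.getCodeFromIntent(intent);
            if (code != null) forwardCodeToBackend(code);
        }
    }

    private void forwardCodeToBackend(String code) {
        io.execute(() -> {
            boolean accepted;
            try {
                accepted = postCode(code);
            } catch (IOException e) {
                accepted = false; // report failure generically; never log the code itself
            }
            final int result = accepted ? Activity.RESULT_OK : Activity.RESULT_CANCELED;
            runOnUiThread(() -> setResult(result));
        });
    }

    // Sends the one-time authorization code over TLS to the backend (assumed API).
    private boolean postCode(String code) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(BACKEND_CODE_ENDPOINT).openConnection();
        try {
            conn.setRequestMethod("POST");
            conn.setDoOutput(true);
            conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
            byte[] body = ("code=" + URLEncoder.encode(code, "UTF-8")).getBytes(StandardCharsets.UTF_8);
            try (OutputStream out = conn.getOutputStream()) {
                out.write(body);
            }
            return conn.getResponseCode() == HttpURLConnection.HTTP_OK;
        } finally {
            conn.disconnect();
        }
    }
}
```

Two design points: the network call runs off the main thread because Android forbids blocking I/O there, and the authorization code is treated as a one-time bearer credential, so it is sent only over TLS to a single fixed endpoint and is never written to logs.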

SerhiiBovtriuk commented 4 years ago

Hello, thanks for the report.

It is true that documentation with examples for confidential clients is missing. This might get fixed if we update our documentation.

In general we would recommend not using the confidential client approach, due to the issue that it's hard to implement securely; however, it's a matter of choice.

I will take a look at the second part with ConnectSdk.handleRedirectUriCallIfPresent(), and if it is confirmed as a bug it will most likely receive a fix in the next versions of the SDK.