Open hegge opened 4 years ago
Hello, thanks for the report.
It is true that documentation with examples for confidential clients is missing. This might get fixed if we update our documentation.
In general we would recommend not using the confidential client approach because it's hard to implement securely; however, it's a matter of choice.
I will take a look at the second part with `ConnectSdk.handleRedirectUriCallIfPresent()`, and if it is confirmed as a bug it will most likely receive a fix in the next versions of the SDK.
Using the Android SDK in a confidential client setup isn't documented anywhere I could find. The necessary steps seem to be:
`hasValidRedirectUrlCall()` and `ConnectUtils.parseAuthCode` ensure that the returned `state` matches `connectStore.getSessionStateParam()`, so the caller doesn't need to check the `state` in the redirect URI and in the activity result bundle.
`ConnectSdk.handleRedirectUriCallIfPresent()` cannot be used, as that will exchange the code for tokens. This means that the `smsBroadcastReceiver` cannot be unregistered. That seems like a bug.