6

I'm in the process of implementing SSO on an Android app in which we're using Okta for the identity management while in development. We have Okta set up so that, after a successful user/password authentication, the user only has to validate their password on subsequent logins.

I'm using Chrome Custom Tabs to open the browser URL and have set up the correct intent-filter configuration in my AndroidManifest.

The issue that I'm having is that the initial auth screen does not redirect back into the app and I get the ERR_UNKNOWN_URL_SCHEME error page. However, when authenticating from the password validation screen, the app scheme is recognized and the user is redirected back into the app.

Also note: from the ERR_UNKNOWN_URL_SCHEME error page, if I select "Open in Chrome", the app picks up the redirect and I'm put back into the app, which leads me to believe this may be a Custom Tabs issue.

The code to launch Chrome Custom Tabs looks like the following:

    // Build the Custom Tabs intent with the app's toolbar color and transition animations.
    CustomTabsIntent customTabsIntent = new CustomTabsIntent.Builder(mCTSession)
            .setToolbarColor(ContextCompat.getColor(mContext, R.color.colorPrimary))
            .setStartAnimations(context, R.anim.slide_in_right, R.anim.slide_out_left)
            .setExitAnimations(context, android.R.anim.slide_in_left, android.R.anim.slide_out_right)
            .build();
    // setFlags() replaces any flags already set on the intent.
    customTabsIntent.intent.setFlags(Intent.FLAG_ACTIVITY_NO_HISTORY | Intent.FLAG_ACTIVITY_NEW_TASK);

    if (android.os.Build.VERSION.SDK_INT >= android.os.Build.VERSION_CODES.LOLLIPOP_MR1) {
        // Intent.URI_ANDROID_APP_SCHEME is an int flag, not the scheme string, so the
        // referrer is spelled out as android-app://<package>.
        String referrer = "android-app://" + packageNameToUse;
        customTabsIntent.intent.putExtra(Intent.EXTRA_REFERRER, Uri.parse(referrer));
    }

    customTabsIntent.launchUrl(context, Uri.parse(fixedUrl));

I know that a similar issue was reported in an older version of CCT, but that issue seems to have been patched.

Has anyone else experienced this particular issue?

Adding images of the actual auth pages for reference ...

The initial user/password screen (Not Working):

Initial Okta user/password screen

Password validation only screen (WORKS!):

SBerg413
  • I know I'm late to the party, but were you able to figure it out? I'm actually in the process of developing a PKCE Android app demo and am also using Okta for identity, and am precisely at the point where I need to somehow intercept the returned code. The thing is that if I provide the Okta login service with a redirect_uri that isn't an actual http://.... type URI, it gives me an incorrect URI provided error: -- The 'redirect_uri' parameter must be an absolute URI that is whitelisted in the client app settings. -- This happens when I use the com.one.two type of URI. – Raul Marquez Jun 12 '20 at 00:55

1 Answer

1

Even if the problem looks different, it can be solved following the instructions here: https://github.com/iainmcgin/AppAuth-Demo

The relevant part is the use of an "interstitial page" to be used as the redirect URI from the auth flow. The code for the page is at https://appauth.demo-app.io/oauth2redirect, and you have to change the redirectUri JS variable to your app URI (the original redirect URI intercepted by the app).

For reference, I originally found the solution here: "Navigation is blocked" when redirecting from Chrome Custom Tab to Android app

gmlion
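
The interstitial-page approach from the answer above, sketched as an added example (it is not the code served by the AppAuth-Demo page and not part of the original answer). It keeps the app URI as a fixed constant and forwards only authorization-response parameters, so the page cannot be steered into handing the code to another scheme. `APP_REDIRECT_URI`, the parameter allow-list and the `continue` element id are assumptions made for illustration.

```javascript
// Constructed placeholder: replace with the URI your intent-filter registers.
const APP_REDIRECT_URI = "com.example.app:/oauth2redirect";

// Parameters an OAuth 2.0 authorization response can carry (RFC 6749, 4.1.2 and 4.1.2.1).
const ALLOWED_PARAMS = ["code", "state", "error", "error_description", "error_uri"];

// Map the https URL the identity provider redirected to onto the app's custom-scheme URI.
// The target is never read from the request, only the allow-listed parameters are copied.
function buildAppRedirect(pageUrl) {
  const page = new URL(pageUrl);
  if (page.protocol !== "https:") {
    throw new Error("interstitial page must be served over https");
  }
  const out = new URLSearchParams();
  for (const name of ALLOWED_PARAMS) {
    const values = page.searchParams.getAll(name);
    if (values.length > 1) {
      throw new Error("duplicate parameter: " + name); // ambiguous response, refuse it
    }
    if (values.length === 1) {
      out.set(name, values[0]);
    }
  }
  if (!out.has("code") && !out.has("error")) {
    throw new Error("not an authorization response");
  }
  return APP_REDIRECT_URI + "?" + out.toString();
}

// Browser wiring: runs only when loaded in a page, skipped under Node.
if (typeof window !== "undefined") {
  const target = buildAppRedirect(window.location.href);
  const link = document.getElementById("continue"); // hypothetical fallback link
  if (link) {
    link.href = target; // lets the user tap through if automatic navigation is blocked
  }
  window.location.replace(target);
}
```

The https URL of this page is what gets registered with the identity provider as the redirect_uri; the app's intent-filter still matches only the custom-scheme URI.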