Uploaded image for project: 'OpenAM'
  1. OpenAM
  2. OPENAM-11070

Need OAuth2 authentication to work in Android with implied consent

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 13.5.0, 14.1.1, 14.5.0
    • Fix Version/s: 13.5.2, 14.5.0
    • Component/s: XUI
    • Labels:
    • Environment:
      Android OS 4.1 and higher and Chrome 40 and higher.
    • Sprint:
      Sprint 125 "Fu" Turing, Sprint 126 "Gauguin" Turing
    • Needs backport:
      Yes
    • Support Ticket IDs:
    • Verified Version/s:
    • Needs QA verification:
      Yes
    • Functional tests:
      No
    • Are the reproduction steps defined?:
      Yes and I used the same an in the description

      Description

      OAuth 2.0 Authentication on an Android device is fails with implied consent.

      Steps to Reproduce

      1. Follow general setup from quick start guide found here: https://backstage.forgerock.com/docs/am/5.1/quick-start-guide
      2. Create a new realm called `TEST`
      3. Add a new 'OAuth2 Provider' service
        1. Enable the 'Allow clients to skip consent' option
      4. Add a new 'Oauth 2.0/OpenId Connect Client' agent, with name 'client'
        1. Add the following redirect_uri: market://details?id=com.google.android.apps.maps
        2. Add the scope 'openid'
        3. Enable the option 'Implied Consent'
      5. Add a new subject to the realm with username 'test' and password 'password'

      Then to reproduce using the above config:

      1. In the chrome browser of an android device navigate to:
        1. http://openam.example.com:8080/openam/oauth2/TEST/authorize?client_id=client&response_type=code&scope=openid&redirect_uri=market://details?id=com.google.android.apps.maps
        2. http://openam.example.com:8080 should be replaced with your openam instance
      2. Login with the user added in step 5 of the config (test:password)

      N.B. This can easily be tested locally with your machine and Android device on the same network, the Android device being proxied through your machine to ensure hostnames map correctly.

      Expected Behaviour
      You are redirected to the google maps app in the play store (See screenshot ExpectedResult.png)

      Actual Behaviour
      You are presented with ERR_UNKNOWN_URL_SCHEME error (See screenshot ActualResult.gif)

      Workaround
      Custom url scheme is working by disabling implied consent, with the additional consent screen in place redirect back to the mobile app works.

      Original Description
      OAuth2 for authentication on an android device is failing with implied consent.
      1) Open a chrome custom tab with the OAuth2 endpoint to retrieve the authorization code
      2) OpenAM redirects back to the mobile app using a custom url scheme providing the app with the authorization code as a url parameter.
      3) The mobile app then sends a request to our backend which uses the authorization code to retrieve the access_token.

      Step 2 is failing with the ERR_UNKNOWN_URL_SCHEME error when enabling implied consent.

      Custom url scheme is working by disabling implied consent, with the additional consent screen in place redirect back to the mobile app works.

        Attachments

        1. ActualResult.gif
          3.76 MB
          Kamal Sivanandam
        2. ExpectedResult.png
          965 kB
          Kamal Sivanandam
        3. LoginHelper.js
          3 kB
          Kamal Sivanandam
        4. RESTLoginView.js
          25 kB
          Kamal Sivanandam
        5. Sep-05-Nightly.png
          336 kB
          Kamal Sivanandam

          Activity

            People

            • Assignee:
              phil.ostler Phil Ostler [X] (Inactive)
              Reporter:
              kamal.sivanandam@forgerock.com Kamal Sivanandam
            • Votes:
              0 Vote for this issue
              Watchers:
              9 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: