Friday, 1 February 2019

How to implement OAuth single Sign In/Sign Out with Chrome Custom Tabs

I am attempting to implement OAuth single sign in/sign out in my current Android application.

I am using Chrome Custom Tabs

implementation 'com.android.support:customtabs:28.0.0'

Sign in works fine: Chrome Custom Tabs store the user's cookies and the whole sign in flow works as expected.

New Sign In:

  1. Clearing Chrome cookies
  2. Clearing App storage
  3. The Android app loads the Sign In URL with a Chrome Custom Tab
  4. The user has to enter user name and password
  5. Redirect URL with custom scheme "call backs" to my Android app and I receive a valid Access Token.

Subsequent Sign In:

  1. The App loads the Sign In URL with a Chrome Custom Tab
  2. The Chrome Custom Tabs user cookies are employed to "silently Sign In" the user.
  3. The user enters the Android application

I am having an issue with Signing out.

When the user clicks on the Sign Out button within my application, the app loads the sign out URL via a Chrome Custom Tab but it gets "stuck". The screen the user sees is a blank white screen.

I believe this is due to the security constraints of Chrome Custom Tabs mentioned in this SO question, CCT get stuck..., more precisely this statement:

Chrome enforces a policy that it will only send redirects to your app if the redirect was triggered by a user action, such as submitting a form that redirects or clicking on a link.

What I am seeing is that our users can always log in silently with no issues even though there is no user interaction, whereas when we try to load the sign out URL with a CCT we always get "stuck" on a blank CCT page.

What I do not understand is why the silent Sign In works and the "programmatic" Sign Out doesn't work, while neither of them has any user interaction involved.

If I had to guess, I'd say the Sign In works as the CCT detects the user cookies and accepts that these can only have been stored with associated user interaction,

whereas the Sign Out doesn't have any user interaction at all.

How can I resolve my CCT Sign Out issue?

Will I need to load a URL to a web page that hosts a Sign Out button?



from How to implement OAuth single Sign In/Sign Out with Chrome Custom Tabs
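As an added illustration, not code from the original post, here is how the two launches described above (the sign in URL and the sign out URL, each opened in a Chrome Custom Tab) and the custom-scheme redirect back into the app might look in an Android Activity using the customtabs 28.0.0 artifact the post names. It adds one check the post does not mention: a random `state` value sent with the sign in request and verified on the redirect, so a callback the app did not initiate is rejected. The identity provider endpoints, client id, `myapp://callback` scheme and package name are placeholders; the sign out method only shows the URL being loaded and does not resolve the blank-page behaviour the post asks about.

```java
// Added example, not from the original post. Assumes customtabs 28.0.0 (as in the
// post), placeholder IdP endpoints, and this entry in AndroidManifest.xml so the
// custom-scheme redirect is delivered to the activity:
//
//   <activity android:name=".AuthActivity" android:launchMode="singleTask">
//     <intent-filter>
//       <action android:name="android.intent.action.VIEW" />
//       <category android:name="android.intent.category.DEFAULT" />
//       <category android:name="android.intent.category.BROWSABLE" />
//       <data android:scheme="myapp" android:host="callback" />
//     </intent-filter>
//   </activity>
package com.example.auth; // hypothetical package

import android.content.Intent;
import android.content.SharedPreferences;
import android.net.Uri;
import android.support.customtabs.CustomTabsIntent;
import android.support.v7.app.AppCompatActivity;
import android.util.Base64;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;

public class AuthActivity extends AppCompatActivity {
    // Placeholder values; substitute the identity provider's real endpoints and client id.
    private static final String AUTHORIZE_URL = "https://idp.example.com/oauth2/authorize";
    private static final String LOGOUT_URL    = "https://idp.example.com/oauth2/logout";
    private static final String REDIRECT_URI  = "myapp://callback";
    private static final String CLIENT_ID     = "PLACEHOLDER_CLIENT_ID";
    private static final String PREFS         = "auth";
    private static final String KEY_STATE     = "pending_state";

    /** Sign in: open the authorization URL in a Chrome Custom Tab (step 1 / 3 in the post). */
    public void startSignIn() {
        String state = newState();
        prefs().edit().putString(KEY_STATE, state).apply(); // remembered for the redirect check

        Uri authorize = Uri.parse(AUTHORIZE_URL).buildUpon()
                .appendQueryParameter("response_type", "code")
                .appendQueryParameter("client_id", CLIENT_ID)
                .appendQueryParameter("redirect_uri", REDIRECT_URI)
                .appendQueryParameter("scope", "openid profile")
                .appendQueryParameter("state", state)
                .build();
        new CustomTabsIntent.Builder().build().launchUrl(this, authorize);
    }

    /** Sign out: load the provider's logout URL the same way (the post reports a blank tab here). */
    public void startSignOut() {
        Uri logout = Uri.parse(LOGOUT_URL).buildUpon()
                .appendQueryParameter("client_id", CLIENT_ID)
                .appendQueryParameter("post_logout_redirect_uri", REDIRECT_URI)
                .build();
        new CustomTabsIntent.Builder().build().launchUrl(this, logout);
    }

    /** The custom-scheme redirect (step 5 in the post) lands here because of launchMode="singleTask". */
    @Override
    protected void onNewIntent(Intent intent) {
        super.onNewIntent(intent);
        Uri data = intent.getData();
        if (data == null || !REDIRECT_URI.equals(data.getScheme() + "://" + data.getHost())) {
            return; // not our callback
        }
        String expected = prefs().getString(KEY_STATE, null);
        prefs().edit().remove(KEY_STATE).apply(); // state is single use
        String received = data.getQueryParameter("state");
        if (expected == null || received == null || !constantTimeEquals(expected, received)) {
            return; // no pending request or mismatched state: ignore the response
        }
        String code = data.getQueryParameter("code");
        if (code != null) {
            exchangeCodeForToken(code);
        }
    }

    private SharedPreferences prefs() {
        return getSharedPreferences(PREFS, MODE_PRIVATE);
    }

    /** 128 bits from SecureRandom, URL-safe base64 so it survives the query string unchanged. */
    private static String newState() {
        byte[] bytes = new byte[16];
        new SecureRandom().nextBytes(bytes);
        return Base64.encodeToString(bytes, Base64.URL_SAFE | Base64.NO_WRAP | Base64.NO_PADDING);
    }

    private static boolean constantTimeEquals(String a, String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8),
                                     b.getBytes(StandardCharsets.UTF_8));
    }

    /** Back-channel POST of the code to the token endpoint; request body omitted here. */
    private void exchangeCodeForToken(String code) {
        // Send code, client_id and redirect_uri to the provider's token endpoint and store the result.
    }
}
```

The post's own flow receives an access token directly on the redirect rather than an authorization code; the `state` check applies the same way in that case, read from the URL fragment instead of the query string.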
