
We recently integrated AppAuth into our application to automate the OAuth2 authorization code flow. When a user wants to log in, they are first redirected to our auth server, where they complete the login, and are then redirected back to the application.

We use Chrome Custom Tabs to open the login page (AppAuth). The problem is that it sometimes gets stuck on a blank screen (the Chrome tab displays just a blank page without the rendered site or the redirect). This happens when the user already has a session in the browser, so the tab should close automatically and redirect the user back to the application (authenticated). It does not behave consistently and we only experience this issue sometimes (~50/50).

I am happy to add some code but don't know where to start (trying to avoid wall of text). Is there a known issue or caveat?

We tried switching contexts as described here but kept experiencing the same issue.

Smajl

2 Answers

Lead maintainer of AppAuth here. This is most likely happening because the authorization redirect is happening without any user interaction. Chrome enforces a policy that it will only send redirects to your app if the redirect was triggered by a user action, such as submitting a form that redirects or clicking on a link.

If the IDP you are integrating with supports it, you can pass "prompt=consent" as a parameter to force user interaction. Alternatively, you can set up an intermediary page that captures the redirect and displays a "welcome back" message, with a link or button to return to your app.

iainmcgin
  • Thanks for the feedback. We are experiencing this bug only when the user already has a session in the browser, so it makes sense that the redirect is automatic and does not need any additional user interaction in this case. We are integrating against our own custom auth server (basically vanilla Spring Boot + OAuth2, Spring Security 5). I tried setting `.setPrompt("consent")` in the `AuthRequestBuilder` which inits the intent but it does not seem to do anything. – Smajl Mar 28 '18 at 07:13
  • We fixed this by implementing a custom welcome page and doing the redirect back to the application manually via a button click. Thank you for the suggestion. I was not aware of this Chrome policy before. – Smajl Mar 28 '18 at 14:56
  • So this custom welcome page is part of your website, right? And I assume it has a button, clicking on which the user is taken back to your application. Is that what's happening? – Shishir Shetty Jul 26 '18 at 18:51
  • Yes, exactly that: the intermediary page should be on a domain you control and used as the redirect URI. Once the redirect lands there, the parameters can be copied to a custom scheme based URI that is handled by your app, and triggered by clicking on an anchor or button. – iainmcgin Aug 14 '18 at 20:54
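The intermediary "welcome back" page described in the answer and the last comment, as an added example that is not part of the original post or of the AppAuth project: the script below runs on an https:// page you control that is registered as the redirect_uri, copies only the OAuth 2.0 response parameters into a custom-scheme URI, and attaches that URI to an anchor so the hand-off to the app happens on a click (a user gesture). The scheme `com.example.app`, the path `/oauth2redirect` and the element id `return-to-app` are assumptions for this example and should match whatever your app registered with AppAuth.

```javascript
// Added example (not AppAuth project code): intermediary landing page that
// forwards an authorization response to the app only on a user click.
//
// Assumptions (hypothetical): the app handles the custom scheme
// "com.example.app" with path "/oauth2redirect", and the page contains an
// <a id="return-to-app"> element styled as a "Return to app" button.

// Only these OAuth 2.0 response parameters are forwarded. Anything else in the
// query string is dropped, so the page cannot be used to pass extra data into
// the app. `state` is forwarded verbatim: AppAuth compares it with the value it
// generated when the request was started and rejects a mismatch.
const FORWARDED_PARAMS = [
  "code", "state", "error", "error_description", "error_uri", "iss",
];

/**
 * Build the custom-scheme URI the app will handle from the query string the
 * authorization server redirected to this page with.
 * Returns null when the query string is not an authorization response
 * (neither `code` nor `error` present), so no link is offered in that case.
 */
function buildAppRedirect(queryString, scheme = "com.example.app", path = "/oauth2redirect") {
  const incoming = new URLSearchParams(queryString);
  const outgoing = new URLSearchParams();
  for (const name of FORWARDED_PARAMS) {
    const value = incoming.get(name);
    if (value !== null) outgoing.set(name, value);
  }
  if (!outgoing.has("code") && !outgoing.has("error")) {
    return null;
  }
  // URLSearchParams.toString() percent-encodes each value, so a code or
  // state containing '/', '&' or '=' survives the round trip intact.
  return `${scheme}:${path}?${outgoing.toString()}`;
}

// Browser side: wire the anchor up when running in a page (skipped under Node).
if (typeof document !== "undefined") {
  const link = document.getElementById("return-to-app");
  const target = buildAppRedirect(window.location.search);
  if (target === null) {
    link.textContent = "No authorization response was received.";
    link.removeAttribute("href");
  } else {
    // The navigation happens only when the user clicks, which is what Chrome
    // requires before it will hand a custom-scheme URI to the app.
    link.href = target;
    // Remove the authorization code from the address bar and history entry so
    // it is not exposed if the tab is left open or the history is inspected.
    window.history.replaceState(null, "", window.location.pathname);
  }
}
```

The page must be served over HTTPS from a domain you control, should set no caching headers that would persist the response, and should not log the query string server-side, since the single-use authorization code transits through it. AppAuth still performs the `state` check and the PKCE code exchange in the app once the custom-scheme intent arrives, so the page itself needs no knowledge of client secrets.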
Another way is to make the user use the login screen each time.

Just add `.setPrompt("login")` to the authRequestBuilder.

so mine will be:

    // Kotlin: "prompt=login" forces the authorization server to re-prompt for
    // credentials, so the redirect back to the app follows a user action.
    val authRequest = authRequestBuilder
            .setPrompt("login")
            .build()