Primary language: Kotlin. License: MIT.

Android OAuth with Biometrics

🔐 A proof-of-concept application to log into an example Auth0 instance with a PKCE flow and allow secure retrieval of the access and refresh tokens with biometrics

Login, reauthentication with biometrics, and logout flows

Features:

  • Login + logout flows with an OAuth provider
  • Store credentials in secure storage with hardware-backed cryptography
  • Graceful handling of devices that lack hardware-backed cryptography features
  • Intelligent selection of the best available cryptography + biometrics for enhanced security based on API level and available hardware
  • Reauthenticate back into an account with biometrics
  • Graceful handling of devices which have biometric capabilities, but no enrolled biometrics
  • Network stack automatically injects the access token into the necessary API calls
  • Auto-refresh of the access token
  • Auto-logout when the refresh token is invalidated
  • Identification of what kind of secondary authentication mechanisms are available on the device
  • Showing what kind of secondary authentication was used

Here are some useful sources that I consulted before building this project:

Set up an Auth0 Account

Since this project requires an OAuth IDP to run, follow these steps:

  1. Create a free Auth0 account
  2. Once you have created an account, create a tenant (which can be thought of as a new project)
  3. Inside the newly created tenant, create a new application by going to the navigation panel > Applications > Create Application > Native
  4. Open up your new application and make a note of the Client ID and the Domain under the Settings tab
  5. On the same tab, add com.oliverspryn.android.oauthbiometrics://oauth/login to the Allowed Callback URLs list
  6. Add com.oliverspryn.android.oauthbiometrics://oauth/logout to the Allowed Logout URLs list
  7. Create a user for your testing purposes by going to the navigation panel > User Management > Users > Create User

Run the Project

Once the OAuth tenant, application, and user account are set up, you can incorporate them into this project:

  1. Clone the project
  2. Open up app/build.gradle
  3. Change the OAUTH_CLIENT_ID and OPENID_CONFIG_URL to the values you found in the Auth0 management portal
  4. Configure CryptographyConfig.ALLOW_DEVICE_CREDENTIALS_AS_SECONDARY_LOGIN to allow or disallow PIN/pattern/etc as an additional secondary login option
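As an added illustration of the hardware-backed storage and API-level selection described in the feature list (example code written for this page, not the project's own), one way to build the biometric-bound key that protects the tokens; the `TokenKey` object, the key alias, and the `allowDeviceCredential` parameter standing in for `CryptographyConfig.ALLOW_DEVICE_CREDENTIALS_AS_SECONDARY_LOGIN` are assumptions.

```kotlin
import android.os.Build
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyPermanentlyInvalidatedException
import android.security.keystore.KeyProperties
import java.security.KeyStore
import java.security.ProviderException
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec
// Hypothetical helper (not the project's CryptographyConfig): an AES-256-GCM Keystore key whose Cipher only works after BiometricPrompt succeeds.
object TokenKey {
    private const val ALIAS = "oauth_token_key" // placeholder alias
    private const val STORE = "AndroidKeyStore"
    private const val TRANSFORM = "AES/GCM/NoPadding"
    fun getOrCreate(allowDeviceCredential: Boolean): SecretKey {
        val ks = KeyStore.getInstance(STORE).apply { load(null) }
        (ks.getKey(ALIAS, null) as? SecretKey)?.let { return it }
        val tryStrongBox = Build.VERSION.SDK_INT >= Build.VERSION_CODES.P
        return try {
            generate(allowDeviceCredential, tryStrongBox)
        } catch (e: ProviderException) { // StrongBoxUnavailableException: no secure element, fall back to the TEE
            if (!tryStrongBox) throw e
            generate(allowDeviceCredential, strongBox = false)
        }
    }
    private fun generate(allowDeviceCredential: Boolean, strongBox: Boolean): SecretKey {
        val spec = KeyGenParameterSpec.Builder(ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM).setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .setKeySize(256).setUserAuthenticationRequired(true) // key is unusable without user authentication
            .setInvalidatedByBiometricEnrollment(true)            // API 24+: a newly enrolled fingerprint/face kills it
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
            var types = KeyProperties.AUTH_BIOMETRIC_STRONG
            if (allowDeviceCredential) types = types or KeyProperties.AUTH_DEVICE_CREDENTIAL
            spec.setUserAuthenticationParameters(0, types) // timeout 0: authenticate on every use
        } else {
            spec.setUserAuthenticationValidityDurationSeconds(-1) // per-use and biometric only before API 30
        }
        if (strongBox) spec.setIsStrongBoxBacked(true)
        return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, STORE).apply { init(spec.build()) }.generateKey()
    }
    // Wrap the Cipher in BiometricPrompt.CryptoObject and call doFinal() only in onAuthenticationSucceeded;
    // persist cipher.iv beside the ciphertext. decryptCipher() returns null once biometrics were re-enrolled.
    fun encryptCipher(key: SecretKey): Cipher = Cipher.getInstance(TRANSFORM).apply { init(Cipher.ENCRYPT_MODE, key) }
    fun decryptCipher(key: SecretKey, iv: ByteArray): Cipher? = try {
        Cipher.getInstance(TRANSFORM).apply { init(Cipher.DECRYPT_MODE, key, GCMParameterSpec(128, iv)) }
    } catch (e: KeyPermanentlyInvalidatedException) {
        KeyStore.getInstance(STORE).apply { load(null) }.deleteEntry(ALIAS); null // force a fresh OAuth login
    }
}
```

On devices below API 30 the PIN/pattern fallback cannot unlock a per-use key, so the device-credential option only takes effect on Android 11 and later.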