Do not open browser

Question

Do not open browser

ravenfeld opened this issue 5 months ago · 5 comments

Configuration

Version: 0.11.1
Integration: Kotlin
Identity provider: Auth0

Description

Hi, I'd like a (public) scope not to display the browser so that retrieving the token for my api doesn't bother the user.
Is this possible with openId or do I have to code the packages myself?

Thank you in advance

Answer 1 · 2024-01-25T13:30:55.000Z

Retrieving a new token shouldn't prompt the user unless the user's session has expired.
There might be some misunderstanding here.

Answer 2 · 2024-01-25T13:34:28.000Z

Hello, no it's not that it's to ask for a 1st token I would not like to open a web view

Answer 3 · 2024-01-25T13:53:13.000Z

OIDC is a specific extension of OAuth 2.0 to authenticate and authorize users where the end-user specifically doesn't hand his credentials to the 3rd party app it authenticates in.
There is a native redirect alternative to the web browser/view where you can authenticate through an IDP by redirecting to another native app and back. (not currently supported by this lib)

If you own both the identity provider and the app, you can have your own OAuth2.0 native login but this library doesn't deal with that flow. E.g. Facebook would have it's own native login. Instagram has both a native login for legacy users and a separate IDP-based login to: Login with Facebook.

We only deal with the standard web-based auth in this library. A lot of integrators will use this flow even if they also own the IDP especially in enteprise cases. E.g. you will login with an OIDC flow in most Microsoft apps, because the Office is quite different to the Microsoft Account.

Answer 4 · 2024-01-25T14:07:17.000Z

I'm not sure I've understood everything, but what I do understand is that the lib is obliged to open a webview even if it closes directly afterwards.

Answer 5 · 2024-01-25T14:20:30.000Z

First login flow:

open app & tap login
open webbrowser
have user enter username/pass into the identity provider (be it 3rd party, Facebook, Google, Okta, etc or your own Keycloak, IdentityServer, hand-rolled code, etc)
get back token to do authenticated calls for user

App restart:

if token is still valid, just use it (no webbrowser prompt)
if token expired, have user relogin (go back to first step by having user log into the webbrowser)