Hi!
When the user doesn't have the Chrome app the Custom Tab will open the browser by default making the application UI ugly in my opinion. Is there a chance that I can open the login url on a webview? I know that the instructions says no but I still want to know if there's a chance.
This is not something we wish to do I'm afraid. WebView isn't great from a usability and security standpoint. The good news is that Chrome is on a whole lot of devices. You can watch my presentation on this topic, for a bit more background.
Regarding the "ugliness" of switching to the browser, I agree it's not perfect, but compare these two options:
I would suggest that the usability improvements of SSO with option 1 outweigh the UI drawbacks giving an overall better UX. Remember that that all users with Chrome, or any browser that supports Custom Tabs, will get the perfect combination of a nice UI _and_ the potential to already be signed-in.
+1
On Jun 25, 2016, at 3:04 AM, William Denniss [email protected] wrote:
This is not something we wish to do I'm afraid. WebView isn't great from a usability and security standpoint. The good news is that Chrome is on a whole lot of devices. You can watch my presentation http://youtube.com/watch?v=DdQTXrk6YTk on this topic, for a bit more background.
Regarding the "ugliness" of switching to the browser, I agree it's not perfect, but compare these two options:
- User sees an "ugly" switch to the system browser, but they are already logged in and can approve/reject the request with a single tap.
- User gets a "beautiful" custom UI (via WebView), but they have to login from scratch, potentially with a second factor like SMS, before they can approve/reject the request.
I would suggest that the usability improvements of SSO with option 1 outweigh the UI drawbacks giving an overall better UX. Remember that that all users with Chrome, or any browser that supports Custom Tabs https://github.com/GoogleChrome/custom-tabs-provider, will get the perfect combination of a nice UI and the potential to already be signed-in.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub https://github.com/openid/AppAuth-Android/issues/87#issuecomment-228517846, or mute the thread https://github.com/notifications/unsubscribe/AAD4J_Rk2lQAMdcTnMScKwSXWCUeIK6xks5qPNMXgaJpZM4I-H3n.
If I wanted to use a WebView and yout library as well, where should I start?
If I were doing it, I would make an Activity which emulates a browser - accepts a URL in the intent data and creates a full-screen WebView with that URL and some basic window decoration to cancel the action. Then either with some modifications to BrowserPackageHelper or AuthorizationService, create an Intent for your browser emulating activity if no browsers with custom tab support are available.
Thanks! I already made the activity! Now that I have the authorization code how can I interact with the library and make the request for receiving the token? Or I just do a separate request and get the id_token, access_token and refresh_token and only then interact with the library? I need to know if there's a way so that the library can save this token so that I could use this while the user is using another activities
You can construct your own AuthorizationResponse object using the data you acquired from your webview activity. If you have the captured redirect URI, and it is not an error response, you can do:
AuthorizationService service = new AuthorizationService(context);
AuthorizationResponse response = new AuthorizationResponse.Builder(request)
.fromUri(redirectUri)
.build();
AuthState state = new AuthState(response, null);
TokenRequest tokenRequest = response.createTokenExchangeRequest();
mAuthService.performTokenRequest(
tokenRequest,
state.getClientAuthentication(),
new AuthorizationService.TokenResponseCallback() {
public void onTokenRequestCompleted(TokenResponse response, AuthorizationException ex) {
// handle token response...
}
});
Essentially, you can get to the point where you have an AuthState object that contains the refresh token and access token you want, at which point everything else will work the same as if you had performed the authorization request via a custom tab.
Thanks a lot! One question, what's the "request" object? On the second line you showed me:
AuthorizationResponse response = new AuthorizationResponse.Builder(request)
An AuthorizationRequest object, that describes the request you made to the authorization endpoint.
I have create a library for that ,
Check it here