When calling the token the endpoint after a picking up an authz code from the auth endpoint - the following error will crash the application. Is it required for the token endpoint to use https? Seem like it should not be required, but the error isn't too explanatory. I'm not specifying a https redirect in the AndroidManifest for the XML either.
Caused by: java.lang.IllegalArgumentException: only https connections are permitted
at net.openid.appauth.Preconditions.checkArgument(Preconditions.java:116)
at net.openid.appauth.connectivity.DefaultConnectionBuilder.openConnection(DefaultConnectionBuilder.java:51)
at net.openid.appauth.AuthorizationService$TokenRequestTask.doInBackground(AuthorizationService.java:397)
at net.openid.appauth.AuthorizationService$TokenRequestTask.doInBackground(AuthorizationService.java:375)
at android.os.AsyncTask$2.call(AsyncTask.java:287)
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:305)
at java.util.concurrent.FutureTask.run(FutureTask.java:137)
at android.os.AsyncTask$SerialExecutor$1.run(AsyncTask.java:230)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1076)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:569)
at java.lang.Thread.run(Thread.java:856)
Version: appauth:0.7.0
@iainmcgin Have you seen this error before?
Actually, it looks like this is a default for production, is there an example of how to configure AppAuth to allow it to use a HTTP token endpoint for local tetsing?
I am seeing the same error. Is there an alternative?
I am facing this issue too. Can this check be disabled for DEBUG/Localhost
You can use an alternative ConnectionBuilder that permits whatever URLs you like; there is an example of this in the demo:
This implementation allows http links and also ignores certificate warnings. Of course this should not be used for production, but is fine for testing. Custom connection builders are provided via an AppAuthConfiguration instance that is provided to AuthorizationService, e.g:
I have a question: My manager wants me to use this approach on production. The reason is that in the time of authentication both the server and app would be connected via VPN. Would this approach be safe or is it susceptible to attacks?
Какие атаки,? Я чайник в этих делах! Так что промазали
On Wed, Sep 25, 2019, 11:13 Jan Malek notifications@github.com wrote:
I have a question: My manager wants me to use this approach on production.
The reason is that in the time of authentication both the server and app
would be connected via VPN. Would this approach be safe or is it
susceptible to attacks?—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
https://github.com/openid/AppAuth-Android/issues/266?email_source=notifications&email_token=AF2X4GJX42VWFA35RBSFQ2TQLMMTLA5CNFSM4DZ7IVW2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD7RAS2Y#issuecomment-534907243,
or mute the thread
https://github.com/notifications/unsubscribe-auth/AF2X4GMDU5BT4AHYNZB3S3TQLMMTLANCNFSM4DZ7IVWQ
.