Appauth-android: Session cookies with Identity Server

Created on 11 Mar 2021  路  12Comments  路  Source: openid/AppAuth-Android

Configuration

  • Version: 0.7.1
  • Integration: native, Kotlin
  • Identity provider: IdentityServer 4

Description

It appears that cookies are not stored or somehow ignored when trying to "stay logged in" and to recreate a session while using the custom tabs browser.

We are using the grant type code, with the scope "openid profile email api".
For actual authentication through the provided identity server login mask we are using the regular getAuthoriziationRequestIntent method and custom tabs.

    @TargetApi(Build.VERSION_CODES.LOLLIPOP)
    public Intent getAuthorizationRequestIntent(
            @NonNull AuthorizationRequest request) {
        return getAuthorizationRequestIntent(request, createCustomTabsIntentBuilder().build());
    }

However, when returning to the login mask after already logging in successfully, and basically telling identity server to maintain a session, it just does not remember and gives us a new session with new idrsrv.session cookie and .AspNetCore.Identity.Application cookie.
Bildschirmfoto 2021-03-11 um 09 51 08

We would expect an immediate redirect.
My understanding is, that custom tabs actually do store and use cookies, they even have shared cookie storage with chrome.
So my question would be, if there are any known pitfalls or issues, that we might be overseeing, because at this point we are kinda dumbfounded.

question waiting-for-response

All 12 comments

Your expectation is correct and in our testing there aren't any issues with the scenarios described.
Is this an issue with the chrome web browser from the store or is it an issue with a 3rd party browser using the chrome engine?

_FYI: there are newer versions of the lib available with fixes for the latest Android releases._

It was mainly tested on a Pixel 3a with Android 11, the custom tabs should be based on chrome, version 89.0.4389.90

EDIT: I guess we will double-check in the meantime with the newest version of the library.

Ran a test using the latest lib in an sdk30 emulator against https://demo.identityserver.io/ and worked fine.


auth_config.json

{
  "client_id": "interactive.public",
  "redirect_uri": "io.identityserver.demo:/oauthredirect",
  "end_session_redirect_uri":"io.identityserver.demo:/oauthredirect",
  "authorization_scope": "openid profile email",
  "discovery_uri": "https://demo.identityserver.io/.well-known/openid-configuration",
  "https_required": true
}

@agologan
In my after Entering user name and password able to login successfully. After that if I do chrome browser app force stop and swipe kill my app. Once again my app is loading chrome custom tab user credential page. Instead of reading it from cookies.

AppAuth version: implementation 'net.openid:appauth:0.8.1'

@kusumakara you need to provide more context:

  • is this your app or the demo app?
  • how long are your sessions configured?
  • are you using prompt:login forcing a re-login every time
  • is this issue experienced only on Android?
  • is this related to a specific browser?

@stelma any new discovery?

@agologan

  1. is this your app or the demo app?
    - Its our own app.
  2. how long are your sessions configured?
    - Access token will expire every 2 hours. I hope this answers your questions.
  3. are you using prompt:login forcing a re-login every time
    - We are not using prompt:login.
  4. is this issue experienced only on Android?
    - Currently we observed only on android
  5. is this related to a specific browser?
    - No. Even I tried on chrome and Samsung browser

One more observation: Once restart our application activities. AppAuth once again showing custom tab credential page. Is it AppAuth expected behavior.?

One more observation: Once restart our application activities. AppAuth once again showing custom tab credential page. Is it AppAuth expected behavior?

Not sure I understand, but AppAuth doesn't do anything on it's own. You have to trigger the AuthorizationRequest.
Could you please test your expectations in the demo app? Should bee fairly easy to set up, and give you another data point.

@agologan Below two use cases are tried on demo app:

Usecase1:
_Success scenario:_
Step1: Installed and launch the demo app.
Step2: Select Chrome custom tab option from AppAuth heuristic selection.
Step3: Checked Use PendingIntents for completion.
Step4: Click on START AUTHORISATION button.
Step5: Its Opened custom tab use credentials page. Entered user name and password field.
Step6: Successfully opened. Authorization grant page.
Step7: Click on SIGN OUT button.

After SIGN OUT:
Step8: Followed same procedure Step2 to Step4.
Observation: Now its directly opened Authorization grant page. Without asking any credentials. _As expected._

_Failure scenario:_ After SIGN OUT
Step9: Force stop the Chrome browser app.
Step10: And also swipe kill the demo app. Followed same procedure Step2 to Step4
Issue observed: Now its opened custom tab user credentials page. Instead of direct Sign In(Not loading Authorization grant page.)

Usecase2: _Device reboot case._
Failure scenario:
Step1: Installed and launch the demo app.
Step2: Select Chrome custom tab option from AppAuth heuristic selection.
Step3: Checked Use PendingIntents for completion.
Step4: Click on START AUTHORISATION button.
Step5: Its Opened custom tab use credentials page. Entered user name and password field.
Step6: Successfully opened. Authorization grant page.
Step7: Click on SIGN OUT button.
Step8: Reboot the device.
Step9: Once device Up. followed same procedure Step2 to Step4.
_Issue observed:_ Now its opened custom tab user credentials page. Instead of direct Sign In(Not lording Authorization grant page.)

From your description it just sounds like you're just using a session cookie i.e. not selecting remember me.
This scenario can also be observed on https://demo.identityserver.io/, either in the app or by just logging in the browser and then restarting it.
Alternatively you can set IsPersistent to true in your cookie configuration to always persist cookies across browser restarts.

Also, FYI from your described usecase1 sign out is not working in your integration as that should delete your cookies.

@agologan Thanks for update.
IsPersistent to true Its enabled from client side or Server side configuration. If client side means any specific API to enable it?.

IsPersistent is IdentityServer-related. Not exactly sure how it looks in IdentityServer 4 but on IdentityServer3 it was directly on the AuthenticationOptions.CookieOptions.IsPersistent
You should really discuss this with IdentityServer developers if you need further help as it's a topic on how you write and configure your service.

You should really discuss this with IdentityServer developers if you need further help as it's a topic on how you write and configure your service.

Strictly speaking, it's the feature of the ASP.NET Core cookie authentication handler, and not specifically IdentityServer.

Was this page helpful?
0 / 5 - 0 ratings