15

We have an application for embedded Android-based device, it uses WebView and inside it we use Google OAuth 2 to login to the app. Unfortunately Google will soon block OAuth 2 inside WebView, and we have lots of restrictions:

  • The device doesn't have Google Services installed, so probably no 'official' way of logging in would work (or maybe any of them would work without Google Services?)
  • We can't just invoke Android browser to do login, because it shows address bar, which would allow the user to surf the internet, which we can't allow
  • We don't fully control the software installed on the device: can't install Google Services, update Android version, install Google Chrome, etc..., we can just update our app.

What else could we do having those restrictions?

iirekm
  • 8,890
  • 5
  • 36
  • 46
  • Your app requires users to authorize it to access their own resources? If not, then you probably don't need OAuth. Oauth is NOT authentication – pinoyyid Mar 22 '17 at 22:23
  • Unfortunately those are our client's requirements, they have google apps accounts we must use for authentication. – iirekm Mar 23 '17 at 09:13
  • Be clear, OAuth is not authentication. Google's authentication requires at least a web browser (more for 2FA), there is no way around that. – pinoyyid Mar 23 '17 at 09:22
  • Did you try using the oauth flow for TVs and embedded devices? take a look here: https://developers.google.com/identity/protocols/OAuth2ForDevices – Fco P. Apr 03 '17 at 14:45

4 Answers4

2

Implementation through a browser:

1) Register custom URI scheme (How to implement my very own URI scheme on Android), for example, app-oauth2://

2) Make access request in user's browser

https://accounts.google.com/o/oauth2/v2/auth?
scope=...
access_type=offline&
include_granted_scopes=true&
state=state_parameter_passthrough_value&
redirect_uri=http://example.com/oauth2-handler&
response_type=code&
client_id=...

3) If user accept or denied requested rights in the confirmation dialog, it will be redirected to redirect_uri (http://example.com/oauth2-handler) with some params

4) On the side of redirect_uri handler (http://example.com/oauth2-handler), mare a redirect to custom URI scheme with params:

  • Success: app-oauth2://?state=state_parameter_passthrough_value&code=...&scope=...#
  • Failure: app-oauth2://?error=access_denied&state=state_parameter_passthrough_value#

5) In your app you can parse URI scheme app-oauth2:// from option 4 and receive the code for future usage or error for displaying to the user.

Community
  • 1
  • 1
cetver
  • 11,279
  • 5
  • 36
  • 56
1

As per the problems on your side it would be best to open an Intent from within the App targeted towards the sign in Weburl [this won't trigger up address bar link]

Refer to this stackOverflow page how to open "Add a Google Account" activity using intent?

now you may use Shared preferences to store the Authentication data for further logins [ if the requirements of the app permits it.]

https://developer.android.com/reference/android/content/SharedPreferences.html

Community
  • 1
  • 1
Aloy A Sen
  • 764
  • 5
  • 9
0

You need to use OAuth Web services for implementing a solution based on your needs.

Reference link: https://developers.google.com/+/web/api/rest/oauth

Here is a sample github project that is using OAuth 2 web service for logging into Twitter. You can take help from it for consuming the Google's OAuth2 web services in your Android Application.

Repository link:
https://github.com/sathify/tagpulse

Web service consumption screen link: https://github.com/sathify/tagpulse/blob/master/android/src/tag/pulse/main.java

I hope this helps.

Salman Khakwani
  • 6,684
  • 7
  • 33
  • 58
0

There is a library that supports Android 1.5 and higher for Google OAuth 2:

Sample code found here:

https://github.com/google/google-api-java-client-samples/blob/master/oauth2-cmdline-sample/src/main/java/com/google/api/services/samples/oauth2/cmdline/OAuth2Sample.java

Chester Cobus
  • 701
  • 4
  • 12