问题
Google's decision to disallow oauth via webview is causing me huge amounts of trouble. It's been a long and difficult process migrating to an alternative (I'm using the suggested AppAuth library at the moment) and I'm getting user complaints about not being able to link accounts without also adding them to chrome/their device (which as far as I can tell is now impossible without somehow forcing a private browsing session). My latest problem involves google oauth to sign into another service. Here's the scenario:
A user wants to link a 3rd party service to my application. Their account on the third party service is linked to a google account. To auth with this third party service, they must sign into their google account. The problem is that the 3rd party service only allows http:// scheme redirect URI's for their oauth, so the flow looks something like this:
- User is in my app on their android device
- User clicks a button to link their
thirdpartyaccount with my app - Using the appauth library, I launch a browser or custom tab with the oauth URL's for the 3rd party, let's just call it
http://thirdparty.com/oauth - From that page, the user clicks a "sign in to google" button, which triggers the google oauth flow, which they then follow to provide their google account token to
thirdparty - User approves access to my app with
thirdpartynow thatthirdpartyhas validated their google account thirdpartyredirects to the registeredredirect_uriwhich is then opened in the browser tab instead of redirecting back to my application.
The problem is step 6 here. Because I am required to register an http:// scheme redirect URI, the browser tab attempts to load the webpage directly, even if I have registered my app to handle that particular url. Now if it wasn't required for users to be able to sign in with google, I could easily just do this whole flow in a webview and manually trap the redirect, grabbing the token, but because thirdparty allows users to link their google account, I can't use a webview because google will block users from performing google auth in a webview, so I am forced to pass off to an app or browser tab that I don't have control over and am dependent on that behaving properly (which it often doesn't)
I did plenty of searching and it looks like App Links would solve my problem by registering my app as the primary handler for a link, but that only works in Android 6.0+, which is higher than my device minimum, so I'm at a loss as to what I'm supposed to do here.
My constraints are:
- oauth redirect must be an HTTP scheme (required by
thirdparty) - I cannot auth in a webview (required by google)
- I need my auth redirect to launch my application in order to collect the token
- I need the solution to work for all devices on android 5.0+
I have not found a single solution to this problem through hours of searching, and I have found no way to get in touch with the google oauth team to learn what their suggestions are.
Has anyone found a way to do have an http:// link launch an application without prompting the user and without requiring android 6.0?
回答1:
If you have control over the redirect URI, you can set your application to listen for it using a custom Intent Handler. This is essentially a form of Deep Linking, and should work with Android 5+, (in 6 you can even set your app as the default!).
For the data, you will most likely need to use the URI itself. But that shouldn't be too hard assuming you have control of the re-direct.
来源:https://stackoverflow.com/questions/43988942/how-can-i-redirect-users-back-into-my-app-after-google-oauth-without-using-a-web