March 16, 2013
OAuth web flow for Android/iOS app


What is a portable way to retrieve an OAuth access token if the only supported flow is with HTTP redirects? For instance, I want to authorize my mobile app to access the RunKeeper API:

  1. App opens browser with address
     https://runkeeper.com/apps/authorize?client_id=…&response_type=code&redirect_uri=MY_OWN_REDIRECT_URL
  2. User clicks to allow access, gets redirected to
     MY_OWN_REDIRECT_URL?code=ONE_TIME_AUTH_CODE
  3. ???
  4. App requests the actual access token with a POST request to
     https://runkeeper.com/apps/token
     with the one-time authorization code from step 2 and the client secret

The API does not support the OAuth device profile (the user returns to the app manually and enters a few-digit code). I’m thinking about what my options are in this case, especially since I want the user to be returned to my app immediately.


Option 1

Option 1 would be a built-in web server in my mobile app combined with an in-app browser, so that I can provide an OAuth redirect URL of http://localhost:XYZW and catch the one-time authorization code when it arrives. But I don’t know if that will work on popular mobile platforms (Android/iOS for the moment; I found ports of the Mongoose web server for those platforms).

Option 2

Registering a custom URI scheme like myapp-oauth-scheme://. For RunKeeper, it seems like it will allow me to redirect to such custom schemes. And I think it’s possible to then resume my app, at least on Android/iOS, right?! What about other platforms like WP8 / BB10?

Option 3

This is the road I only want to take if really necessary: Hosting a very minimal web service that is used as OAuth redirect URL and saves any incoming one-time authorization codes. When the user is redirected, he would eventually just see a page “now please switch back to the app”, and the app would then ask the web service for the one-time authorization code it previously received.


So after all, are there any better options, and do you know which ones of those presented would work fine on Android/iOS and possibly other platforms?

BTW I have an HTML-based app (PhoneGap), so I don’t even have to use the external browser or open a separate web view.


Answer

You could combine options 1 and 3 for the best mix of portability and UX:

Provide an in-app web view for authentication, but instead of running a local httpd on the device, use a minimal web service for your redirect target. This way the user never leaves your app, and your landing page doesn’t need to tell them to manually return to it. Your app can retrieve the access token from your web service and close the WebView as soon as its URL changes.

Incidentally, the company I work for, Temboo, has just such a minimal web service you can use instead of building and hosting your own. Check out our OAuth for RunKeeper helper. We provide a callback service you can use for the redirect URL, which will store the auth token for you. We can also optionally store your RunKeeper credentials so you don’t have to distribute them with your app, and can update or invalidate them without pushing a client update.

Our Android SDK can also normalize access to the rest of the RunKeeper API for you, and 100s of other APIs too.


Filed under: Android Coding FAQ
