
okta-sdk-appauth-android's Introduction

Deprecated

This library will be archived on 3/20/2020 and is no longer in development. Please use the OIDC SDK instead.

okta-sdk-appauth-android's People

Contributors

bdemers, feichen-okta, haidangdam-okta, jaynewstrom, jmelberg-okta, oktauploader-okta, robertjd, wdawson


okta-sdk-appauth-android's Issues

Exception when adding authorization header to request

Getting an exception for AuthorizedRequest.

Exception:
08-18 20:47:16.902 20347-20419/com.okta.appauth.android.example E/OktaAppAuth: Exception when adding authorization header to request
java.io.FileNotFoundException: http://XXXX.XXX.XXX.XX:8000/api/data
    at com.android.okhttp.internal.huc.HttpURLConnectionImpl.getInputStream(HttpURLConnectionImpl.java:254)
    at com.okta.appauth.android.OktaAppAuth$9.run(OktaAppAuth.java:624)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:428)
    at java.util.concurrent.FutureTask.run(FutureTask.java:237)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1133)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:607)
    at java.lang.Thread.run(Thread.java:762)

Method:

    // Imports needed in addition to those already present in the activity
    import java.io.BufferedReader;
    import java.io.IOException;
    import java.io.InputStreamReader;
    import java.nio.charset.StandardCharsets;

    private void callMessagesApi() {
        Log.i(TAG, "mOktaAppAuth Log :" + mOktaAppAuth);
        mOktaAppAuth.performAuthorizedRequest(new OktaAppAuth.BearerAuthRequest() {
            @NonNull
            @Override
            public HttpURLConnection createRequest() throws Exception {
                // createRequest() declares "throws Exception", so a MalformedURLException can
                // propagate instead of being swallowed and a null connection being returned
                final URL myUrl = new URL("http://XXXX.XXX.XXXX.:8000/api/data");
                HttpURLConnection conn = (HttpURLConnection) myUrl.openConnection();
                conn.setInstanceFollowRedirects(false); // recommended during authorized calls
                return conn;
            }

            @Override
            public void onSuccess(@NonNull InputStream inputStream) {
                // Read the body: InputStream.toString() only returns the object's identity,
                // not the response content
                StringBuilder body = new StringBuilder();
                try (BufferedReader reader = new BufferedReader(
                        new InputStreamReader(inputStream, StandardCharsets.UTF_8))) {
                    String line;
                    while ((line = reader.readLine()) != null) {
                        body.append(line).append('\n');
                    }
                } catch (IOException e) {
                    Log.e(TAG, "Failed to read response body", e);
                    return;
                }
                myDataString = body.toString();
                runOnUiThread(() -> displayAuthorizationInfo());
            }

            @Override
            public void onTokenFailure(@NonNull AuthorizationException e) {
                // Handle failure to acquire new tokens from Okta
            }

            @Override
            public void onFailure(int i, Exception e) {
                // Handle failure to make your authorized request or a response with a 4xx or
                // 5xx HTTP status response code
            }
        });
    }

Using the okta library as a dependency in gradle - Causes build to fail

Steps to recreate the issue:

  1. Create a new sample project in Android Studio 3.2.1 with minSDK 19 and targetSDK 28 and an empty activity.
  2. The app will compile and run at this stage.
  3. Add implementation 'com.okta.android:appauth-android:0.1.0' to the app module's build.gradle.
  4. You will get an error under the appcompat library stating a multiple Play Services modules issue.

Please see the screenshot attached below.
[screenshot: error_okta2]

Use User-Agent header

Right now we send "X-Okta-User-Agent", but we should use "User-Agent" to be consistent with other libraries that have the ability to use this header.

Logout doesn't work

When I run the demo, the logout button takes me back to the initial screen, but when I click Authenticate it passes straight through the Chrome tab to the authorized page, i.e. it doesn't ask me to enter my username/password again.

Provide mechanism to override usage of DefaultConnectionBuilder.INSTANCE

This is a feature request to allow an arbitrary ConnectionBuilder to be provided. There are a couple of spots where this is used.

  • DefaultConnectionBuilder.INSTANCE is used as part of the AuthorizationServiceConfiguration.fetchFromUrl call.
  • AppAuthConfiguration.Builder() will use it by default, thus used as part of the createAuthorizationService call.
  • Anything that uses URI openConnection (instead of ConnectionBuilder openConnection)

Build demo of native login

Some customers can't use the AppAuth pattern (opening a browser and handling a callback to the app) because they want to have complete control over the UI/UX of the login experience. In other words, they want to have a totally native, in-app UI for login. The SDK will need a number of improvements to support this.

Before building the full solution, we should build a demo to validate that the proposed flow against Okta makes sense. This demo does not need to use the existing SDK.

Here is the login flow:

  1. Use an HTTP client to POST to the Authentication API. Send a username and password to perform primary authentication. The Authentication API will return a sessionToken.
  2. Construct a request for the Authorization Code + PKCE flow. Include an optional parameter: &sessionToken= with the value of the sessionToken from the Authentication API response. Include scope offline_access to request a refresh token.
  3. If the response has HTTP status code 302, parse the response headers to get the code from the Location header: {redirectUri}?code=foobar
  4. Construct the code exchange request to get access, ID, and refresh tokens in the app.
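The four-step flow above, as an added example in Python that is not part of okta-sdk-appauth-android: it builds the PKCE pair, the /authorize request carrying sessionToken and offline_access, checks the 302 Location before taking the code (adding a state and redirect-target check that the steps above do not mention), and builds the token exchange body. Issuer, client id and redirect URI are constructed placeholders, and the HTTP calls themselves are left to the caller.

```python
import base64
import hashlib
import os
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholder configuration, not real Okta values.
ISSUER = "https://example.okta.com/oauth2/default"
CLIENT_ID = "0oaEXAMPLECLIENTID"
REDIRECT_URI = "com.example.app:/callback"
AUTHN_URL = "https://example.okta.com/api/v1/authn"  # Okta Authentication API


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def pkce_challenge(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def make_pkce_pair() -> tuple:
    """Fresh (code_verifier, code_challenge); 32 random bytes give a 43-char verifier."""
    verifier = b64url(os.urandom(32))
    return verifier, pkce_challenge(verifier)

def authn_request(username: str, password: str) -> dict:
    """Step 1: JSON body for POST AUTHN_URL; the response carries sessionToken."""
    return {"username": username, "password": password}

def build_authorize_url(session_token: str, state: str, code_challenge: str) -> str:
    """Step 2: /authorize request with sessionToken and offline_access (refresh token)."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "scope": "openid profile offline_access",
        "redirect_uri": REDIRECT_URI,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "sessionToken": session_token,
    }
    return ISSUER + "/v1/authorize?" + urlencode(params)

def parse_redirect_location(location: str, expected_state: str) -> str:
    """Step 3: take the code from the 302 Location header ({redirectUri}?code=...).
    Checks the target is our redirect_uri and state echoes what we sent first."""
    got, want = urlsplit(location), urlsplit(REDIRECT_URI)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("redirect to unexpected location")
    query = parse_qs(got.query)
    if "error" in query:
        raise ValueError("authorization error: " + query["error"][0])
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch")
    codes = query.get("code", [])
    if len(codes) != 1 or not codes[0]:
        raise ValueError("missing code")
    return codes[0]

def is_valid_redirect(location: str, expected_state: str) -> bool:
    """Boolean view of parse_redirect_location for callers that only need a verdict."""
    try:
        parse_redirect_location(location, expected_state)
        return True
    except ValueError:
        return False

def build_token_request(code: str, code_verifier: str) -> dict:
    """Step 4: form body for POST ISSUER/v1/token; yields access, ID and refresh tokens."""
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code": code,
        "code_verifier": code_verifier,
    }
```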

Ending Session/ Logout section of readme is not correct

End session

In order to end the session within the user's current browser and perform logout, you have to call signOutFromOkta() whenever you are ready.

// LoginActivity.java

public class UserInfoActivity extends Activity {

private void signOutFromOkta() {
    Intent completionIntent = new Intent(this, LoginActivity.class);
    Intent cancelIntent = new Intent(this, UserInfoActivity.class);
    cancelIntent.setFlags(Intent.FLAG_ACTIVITY_CLEAR_TOP);

    mOktaAuth.endSession(
            this,
            PendingIntent.getActivity(this, 0, completionIntent, 0),
            PendingIntent.getActivity(this, 0, cancelIntent, 0)
    );
}

}

The README section on end session shows an outdated code snippet. Currently logout() is the only method: mOktaAuth.logout();

OktaAppAuth logout() method not working as expected

public void logoutCurrentUser() {
    if (null != mOktaAuth && mOktaAuth.isUserLoggedIn()) {
        Log.e(TAG, "logoutCurrentUser: User logged out");
        mOktaAuth.logout();
    }
}

Steps to reproduce:

  1. Log in to an Okta account using login(context, positiveTarget, negativeTarget);
  2. Log out the account using the logout() method;
  3. Follow (1) again.

On doing step 3, the OAuth browser is shown momentarily and then redirection to positiveTarget is done.

[screenshot: issue]

How do I get tokens?

I've implemented the login through Android. Once I've gone through to the authorized activity, how do I get the token string?

Okta login state not maintained

I have implemented the same workflow as suggested in the README.
After a successful login I am able to get the access token, refresh token and all other data from oktaAuth.
After closing the app (app in the background), OktaAuth reports the user as logged in. But after killing the app from the task list, OktaAuth no longer reports userLoggedIn.
I init Okta with:
mOktaAppAuth = OktaAppAuth.getInstance(this)

Native sign-in method

The SDK should provide a method to easily do the flow described in #30.

First, the Java Authentication SDK needs to be a dependency of this library. If this causes any dependency issues, we'll work with @bdemers to solve them.

Then, this library must expose a method to start a sign-in request and pass the username/password directly. I'd like to use a builder pattern here (maybe signinRequestBuilder?). Starting the request will kick off the flow described in #30. This will result in one of two things:

  1. Login was valid and resulted in tokens. Like the existing login method, this should automatically store the tokens. Provide a callback so the developer can choose to navigate to a completion intent.
  2. The transaction response did not contain status SUCCESS, or some other error occurred (e.g., network error). Provide a callback with an error object containing a string error message (we will add more information to the error object later).

The result is that a developer can build their own native sign-in UI, use this new method to perform the sign-in flow (with no browser popup), and store tokens on the device.

Native flow

Is there a way to do a native flow? I mean having my own screen to input the email/password and sending it to an endpoint to get the token. I've seen that the iOS counterpart of this SDK has implemented that approach, but I can't find it here.

Probably not an issue but I didn't know where else to ask.
Thanks.

android.app.ServiceConnectionLeaked

Something red appears in my logcat when launching this:

val completionIntent = Intent(this@LoginActivity, MainActivity::class.java)
val cancelIntent = Intent(this@LoginActivity, LoginActivity::class.java)
cancelIntent.flags = Intent.FLAG_ACTIVITY_CLEAR_TOP

// closing parenthesis of the login() call was missing in the snippet as posted
mOktaAuth.login(this@LoginActivity,
        PendingIntent.getActivity(this@LoginActivity, OKTA_REQUEST_CODE, completionIntent, 0),
        PendingIntent.getActivity(this@LoginActivity, OKTA_REQUEST_CODE, cancelIntent, 0))

The authentication seems to work fine though.
Error:

02-20 17:08:47.153 7647-7647/it.projector.lamba.projector E/ActivityThread: Activity it.projector.lamba.projector.activities.LoginActivity has leaked ServiceConnection net.openid.appauth.browser.CustomTabManager$1@8c5b0a that was originally bound here
    android.app.ServiceConnectionLeaked: Activity it.projector.lamba.projector.activities.LoginActivity has leaked ServiceConnection net.openid.appauth.browser.CustomTabManager$1@8c5b0a that was originally bound here
        at android.app.LoadedApk$ServiceDispatcher.<init>(LoadedApk.java:1532)
        at android.app.LoadedApk.getServiceDispatcher(LoadedApk.java:1424)
        at android.app.ContextImpl.bindServiceCommon(ContextImpl.java:1605)
        at android.app.ContextImpl.bindService(ContextImpl.java:1557)
        at android.content.ContextWrapper.bindService(ContextWrapper.java:684)
        at android.support.customtabs.CustomTabsClient.bindCustomTabsService(CustomTabsClient.java:70)
        at net.openid.appauth.browser.CustomTabManager.bind(CustomTabManager.java:95)
        at net.openid.appauth.AuthorizationService.<init>(AuthorizationService.java:113)
        at net.openid.appauth.AuthorizationService.<init>(AuthorizationService.java:91)
        at com.okta.appauth.android.OktaAppAuth.createAuthorizationService(OktaAppAuth.java:549)
        at com.okta.appauth.android.OktaAppAuth.recreateAuthorizationService(OktaAppAuth.java:540)
        at com.okta.appauth.android.OktaAppAuth.doInit(OktaAppAuth.java:430)
        at com.okta.appauth.android.OktaAppAuth.access$000(OktaAppAuth.java:69)
        at com.okta.appauth.android.OktaAppAuth$1.run(OktaAppAuth.java:157)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:457)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1162)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:636)
        at java.lang.Thread.run(Thread.java:764)

Sign out method

After #47, define a method signOut() that:

  1. Discards tokens in the tokenManager
  2. Revokes access and refresh tokens

We should give developers the ability to skip (2) if they do not want to incur a network request. However, the default should be true (revoke).

Note that the user may have an access token and may have a refresh token, but they will not always have one or both. This method must check whether either of those token types is stored, and revoke them if they exist and the developer did not pass a parameter to disable revocation.

This matches the design for okta/okta-oidc-ios#89
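The sign-out behaviour described above, as an added example in Python that is not part of okta-sdk-appauth-android: revoke whichever of the two tokens is present (RFC 7009 revocation body), skip revocation when the developer asks for it, then discard the local copies. The token store is a plain dict and the transport is a callable stand-in for the POST to /v1/revoke; client id and issuer are constructed placeholders.

```python
from typing import Callable, Dict, List, Optional

# Constructed placeholders, not real Okta values.
ISSUER = "https://example.okta.com/oauth2/default"
CLIENT_ID = "0oaEXAMPLECLIENTID"
REVOKE_URL = ISSUER + "/v1/revoke"


def revocation_request(token: str, hint: str) -> dict:
    """Form body for POST REVOKE_URL (RFC 7009); hint is 'access_token' or 'refresh_token'."""
    return {"token": token, "token_type_hint": hint, "client_id": CLIENT_ID}


def sign_out(token_store: Dict[str, Optional[str]],
             revoke: Callable[[dict], bool],
             revoke_tokens: bool = True) -> List[str]:
    """Revoke the tokens that exist (unless disabled), then discard them all locally.

    Revocation runs before the local discard: once the copies are gone nothing
    can revoke them any more. The user may hold one, both or neither token, so
    each type is checked individually. Returns the token types that were revoked.
    """
    revoked: List[str] = []
    if revoke_tokens:
        for hint in ("access_token", "refresh_token"):
            token = token_store.get(hint)
            if token and revoke(revocation_request(token, hint)):
                revoked.append(hint)
    token_store.clear()  # the tokenManager discard step, always performed
    return revoked
```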

Investigate storing refresh tokens with fingerprint

Soon we'll tackle this requirement:
As a developer building an app, I want to sign the user in and then store their refresh token and enroll a fingerprint so they can log in next time with only a fingerprint swipe.

I'd like to do some initial investigation of the best way to make this easy to do using this library and the native Android APIs.

Investigate token retrieval

We currently provide a way to make an authorized call with performAuthorizedRequest(), but there is no way to get the access token so you can use it with your own HTTP code. Questions to investigate:

  • Should we add a method or property to expose the access token?
  • Is that compatible with the patterns developers use in modern Android apps, like Retrofit?

Update note

This part of the readme is extraneous:

Note: As with any Okta application, make sure you assign Users or Groups to the application. Otherwise, no one can use it.

The Add Application wizard automatically adds the Everyone group to new applications, so it's not something a first-time dev needs to worry about. We should either:

  • Update the note to mention that this is already done for you 👍
  • Remove the note

Sample Project Not building - Missing Dependency, Old Google libraries used

Steps to recreate the issue:

  1. clone the repo using git clone https://github.com/okta/okta-sdk-appauth-android.git
  2. Open the project in Android Studio 3.2.1
  3. Clean and Build the project
  4. The issues appear with respect to missing classes in the net.openid.appauth package. The attached error.txt file has all the details; the library module completely fails to compile.
    [attachment: error.txt]

I doubt whether this sample is in a runnable state for devs to test a basic implementation.

Why are old Google libraries used? With the new compileSDK and targetSDK updates and requirements, using 27.1.1 is not a good idea.

Screenshot:
[screenshot: error_okta]

Ensure User-Agent is sent

Verify that this SDK sends a User-Agent header whenever it:

  • Retrieves the OpenID Connect metadata document (/.well-known/openid-configuration)
  • Exchanges an authorization code for tokens, for both browser or native sign-in

The value of the header must be:

User-Agent: okta-sdk-appauth-android/{version} {osVersion} {deviceInfo}

The SDK may already be doing this in all cases, but I want to double check 🙂

More info can be found here: https://oktawiki.atlassian.net/wiki/spaces/PM/pages/237672215/User-Agent+and+X-Okta-User-Agent-Extended

Build harness to test login redirect

Testing #8 has been difficult. We need a test harness that reliably reproduces the issue and can be used to test various configurations (or page content) to see if they work.

Configure client programmatically instead of using json file

It would be great to be able to configure the client programmatically instead of using the json config file. I checked the code and I think it's not possible at the moment. OAuthClientConfiguration should have a constructor (or builder pattern) to set the parameters (mClientId, mRedirectUri, etc) in code.

Invalid discovery document

I was able to checkout the code, populate the values in:
..\okta-sdk-appauth-android\app\src\main\res\raw\okta_app_auth_config.json

When I launch the app, my breakpoint lands in LoginActivity's mOktaAppAuth.init() onTokenFailure(@NonNull AuthorizationException ex).

Inside the AuthorizationException, the errorDescription = "Invalid discovery document"

In detail, it looks like this AuthorizationException: {"type":0,"code":0,"errorDescription":"Invalid discovery document"}

What do I need to do to get my OktaAppAuth instance initialized?

Redirect is not working

We have a redirect issue, probably related to the one already discussed in your archived repo: oktadev/okta-openidconnect-appauth-android#2

Any news, fixes or workarounds on this one? We have created two apps in the Okta system (one for development purposes and one for production). Connecting to the development app, the redirect seems to work just fine, but when we change the Okta settings inside our Android app and want to connect to the production app the redirect is failing (Logcat error: "chromium: [INFO:CONSOLE(0)] "Navigation is blocked: com.oktapreview.dev-233232:/callback?....").

We are using the same redirect url for both Okta apps, but this cannot be the reason for this issue, can it?

Version 0.2.0 breaks login

Updating to version 0.2.0 has broken the login flow for our existing project. In debugging, it looks like it gets to the step where it should launch AuthorizationManagementActivity but nothing happens. I don't see any errors or any additional info in the logs to help troubleshoot.

This is the line in AuthorizationService where it trails off:
this.mContext.startActivity(AuthorizationManagementActivity.createStartIntent(this.mContext, request, authIntent, completedIntent, canceledIntent));

The last log message is "Warming up browser instance for auth request" but nothing actually appears to happen in the app.

Split up library and demo app, replace with test harness

Currently, this repo contains both the SDK and a demo app. This gets a little confusing because it's hard to tell how they are separated. We are publishing https://github.com/okta/samples-android soon, which will be a clear home for all samples going forward.

We should:

  • Determine what a good test harness looks like in this repo
  • Remove everything else sample-related

Please collaborate with @FeiChen-okta to determine the best way to do this.

Deprecate LoginHintChangeHandler

It adds unnecessary complexity for managing the login hint. It would be much easier if we could provide the login hint as a parameter to the login() method.

Force login

When AppAuth supports logout, we'll support it in this library (#17). In the meantime, it would be useful to have the option to forcibly ignore whether the user already has a session on the server (adding the prompt=login parameter on the /authorize request).

We should add a boolean forceLogin parameter to the login() method.

OktaAppAuth missing listener call on exceptions

It could be argued to be a downstream bug, but I got into a situation where OktaAppAuth.refreshAccessToken(OktaAuthListener) was called even though the user had no refresh token. In other libraries that have these types of guards, the listener is still called at some point.

OktaAppAuth can leak OktaAuthListener

mInitializationListener is set in OktaAppAuth#init, but never cleared (for instance, OktaAppAuth#dispose doesn't clear it).

It's possible to leak this if something else long lived also holds onto the OktaAppAuth reference.

The sample app leaks LoginActivity as the listener that's registered in initializeOktaAuth contains an implicit reference to LoginActivity.

Version 0.2.1 Login and Logout Don't work in Conjunction

I've been trying to get version 0.2.1 logout (signOutFromOkta) working and I've run into troubles. Is this supposed to be working in this version?

Here are my two trouble cases:

  1. The user is not logged in. In this case, the user logs in (successfully). When they go to log out, the browser instead sends them through the login process again, automatically passing them forward to the logged-in activity again. It appears to never reach the logged-out redirect.
  2. The user is logged in, then clears the browser cache. The user is able to log out (successfully). However, when they go to log in again, it instead sends them to the logout route and they are unable to log in again. It appears to never reach the logged-in redirect.

Investigate model for UserInfo

This library currently returns user info as a JSONObject. We should investigate whether a better interface would be more helpful.

Add support for providing State from the config

Working with a client who needs to provide values through State. I did not see a way to define this, as OktaAppAuth line 487 does not expose the builder.

I will be opening a PR for inclusion and would be grateful for feedback on whether there is enough value to include it.

Remove direct AppAuth dependencies

Currently, the SDK has direct dependencies on AppAuth-Android classes such as net.openid.appauth.AuthorizationException, so users do not need to specify a dependency on AppAuth-Android in their build.gradle after moving to Gradle 4.6 and the implementation dependency scope.

"Network Error" when properly configured

I have my setup configured exactly as the README says and I am calling this:

    mOktaAuth!!.login(
            this,
            PendingIntent.getActivity(this, 0, completionIntent, 0),
            PendingIntent.getActivity(this, 0, cancelIntent, 0)
    )

I am instead getting a response in the logs that says:

2018-12-13 10:40:18.520 9573-9573E/OktaAppAuth: Failed to retrieve discovery document
AuthorizationException: {"type":0,"code":3,"errorDescription":"Network error"}

After doing a network trace it reveals that the network request comes back correctly with a 200 response. What is going wrong?

Fix build lint issues

We need to fix the build lint warnings; they look pretty minor:

./gradlew lintDebug
> Configure project :app
WARNING: The option setting 'android.enableUnitTestBinaryResources=true' is experimental and unsupported.
The current default is 'false'

WARNING: Configuration 'compile' is obsolete and has been replaced with 'implementation' and 'api'.
It will be removed at the end of 2018. For more information see: http://d.android.com/r/tools/update-dependency-configurations.html

> Configure project :library
WARNING: The option setting 'android.enableUnitTestBinaryResources=true' is experimental and unsupported.
The current default is 'false'

Builder pattern for browser sign-in requests

Because developers may need to pass additional parameters to the /authorize route in the future, we should move to a builder pattern for starting a browser sign-in request. The builder can optionally accept:

  • A login hint (the login_hint parameter)
  • A state value (string)
  • Any string name/value pair

Resource owner password flow implementation for android

Is there any sample implementation of the resource owner password flow for Android? The sample code provided only redirects from the app to the browser for Okta to authenticate. Any direction or guidance is much appreciated.
