Do not open browser

[ravenfeld]

Configuration

• Version: 0.11.1
• Integration: Kotlin
• Identity provider: Auth0

Description

Hi, I'd like a (public) scope not to display the browser so that retrieving the token for my api doesn't bother the user.
Is this possible with openId or do I have to code the packages myself?

Thank you in advance

[agologan]

Retrieving a new token shouldn't prompt the user unless the user's session has expired.
There might be some misunderstanding here.

[ravenfeld]

Hello, no it's not that it's to ask for a 1st token I would not like to open a web view

[agologan]

OIDC is a specific extension of OAuth 2.0 to authenticate and authorize users where the end-user specifically doesn't hand his credentials to the 3rd party app it authenticates in.
There is a native redirect alternative to the web browser/view where you can authenticate through an IDP by redirecting to another native app and back. (not currently supported by this lib)

If you own both the identity provider and the app, you can have your own OAuth2.0 native login but this library doesn't deal with that flow. E.g. Facebook would have it's own native login. Instagram has both a native login for legacy users and a separate IDP-based login to: Login with Facebook.

We only deal with the standard web-based auth in this library. A lot of integrators will use this flow even if they also own the IDP especially in enteprise cases. E.g. you will login with an OIDC flow in most Microsoft apps, because the Office is quite different to the Microsoft Account.

[ravenfeld]

I'm not sure I've understood everything, but what I do understand is that the lib is obliged to open a webview even if it closes directly afterwards.

[agologan]

First login flow:

1. open app & tap login
2. open webbrowser
3. have user enter username/pass into the identity provider (be it 3rd party, Facebook, Google, Okta, etc or your own Keycloak, IdentityServer, hand-rolled code, etc)
4. get back token to do authenticated calls for user

App restart:

• if token is still valid, just use it (no webbrowser prompt)
• if token expired, have user relogin (go back to first step by having user log into the webbrowser)

[alixwar]

There is a native redirect alternative to the web browser/view where you can authenticate through an IDP by redirecting to another native app and back. (not currently supported by this lib)

@agologan
Do you know if there is a feature request in github for this or a more detailed explanation why it will not be included?
By the way, are you referring to "device flow" from https://datatracker.ietf.org/doc/html/rfc8628 ?

Update:
I found some related tickets:

#675
#1040