This is work is based on https://github.com/openid/AppAuth-Android
This app demonstrates the AppAuth library by performing an authorization code
flow with an authorization service. The configuration contained in res/raw/auth_config.json
must be modified in order for the app to function. Warnings are supplied when the app is run
with an invalid configuration.
The configuration file MUST contain a JSON object. The following properties can be specified:
-
redirect_uri
(required): The redirect URI to use for receiving the authorization response. This can either be a custom scheme URI (com.example.app:/oauth2redirect/example-provider) or an https app link (https://www.example.com/path). Custom scheme URIs are better supported across all versions of Android, however many authorization server implementations require an https URI. Consult the documentation for your authorization server.The value specified here should match the value specified for
appAuthRedirectScheme
in thebuild.gradle
(Module: app), so that the demo app can capture the response. -
end_sesion_uri
(required): The redirect URI to use for receiving the end session response. This should be a custom scheme URI (com.example.app:/oauth2redirect/example-provider). Consult the documentation for your authorization server.The value specified here should match the value specified for
appAuthRedirectScheme
in thebuild.gradle
(Module: app), so that the demo app can capture the response.NOTE: Scheme of the URI should be the same as
redirect_uri
but callback should be different. -
authorization_scope
(required): The scope string to use for the authorization request. For the purposes of the demo, we recommend the value "openid profile email", though any value understood by your authorization server can be used. -
client_id
: The OAuth2 client id used to identify the client to the authorization server. If this property is omitted, or an empty value is provided, dynamic client registration will be attempted using the registration URI in the discovery document referenced bydiscovery_uri
below, or in the valueregistration_endpoint_uri
. -
discovery_uri
: The OpenID Connect discovery URI for your authorization service, if available. If the IDP you wish to test does not support discovery, this value can be omitted or set to an empty string. -
authorization_endpoint_uri
: The authorization endpoint URI for your authorization service. Ifdiscovery_uri
above is not specified, then this value is required. Otherwise, it can be omitted or set to an empty string. -
token_endpoint_uri
: The token endpoint URI for your authorization service. Ifdiscovery_uri
above is not specified, then this value is required. Otherwise, it can be omitted or set to an empty string. -
registration_endpoint_uri
: The dynamic client registration endpoint URI for your authorization service. If client_id and discovery_uri above are not specified, this value MUST be specified. -
https_required
: Whether HTTPS connections are required for registration and token requests. If omitted, this defaults to true.
Each identity provider is free to submit a set of instructions for configuring this demo app to interact with their authorization endpoints. Those who have submitted instructions are listed below:
We (the AppAuth maintainers) have no strong opinion on this one way or another. Configuration files can be convenient when the data is likely to change, such as substituting a configuration file for development versus production builds.
Configurations such as this can also specified in multiple ways; this is just one example approach. There is also no real harm in hard-coding your configuration into your code, where such dynamic reconfiguration is unnecessary. Do what is best for your app and development process.