Browser Identity Provider

In case when user tries to register with an Identity Provider (IdP) that is browser-based, the SDK needs to ask for an access grant to the Token Server via the browser. In order to support registration with browser Identity Providers the app should provide an implementation of the OneginiBrowserRegistrationRequestHandler interface to the SDK.

OneginiBrowserRegistrationRequestHandler

/**
 * Interface to handle user's registration action.
 */
public interface OneginiBrowserRegistrationRequestHandler {

  /**
   * Method called when user has to authenticate in a web browser.
   *
   * @param url                  {@link Uri} url that was opened
   * @param registrationCallback instance of {@link OneginiBrowserRegistrationCallback} to send browser response back to the SDK
   */
  void startRegistration(Uri url, OneginiBrowserRegistrationCallback registrationCallback);
}

The handler should be then passed to the SDK with the OneginiClientBuilder#setBrowserRegistrationRequestHandler method: Example code for initializing the SDK with custom IDP

  final RegistrationRequestHandler registrationRequestHandler = new RegistrationRequestHandler(applicationContext);

  return new OneginiClientBuilder(applicationContext, createPinRequestHandler, pinAuthenticationRequestHandler)
    // add a browser registration handler
    .setBrowserRegistrationRequestHandler(registrationRequestHandler)
    .build();

In case when browser registration is required the SDK will notify the app via OneginiBrowserRegistrationRequestHandler#startRegistration() method call. The app should use provided url to ask for the access grant in a separate web browser.

Example opening external browser

public class RegistrationRequestHandler implements OneginiBrowserRegistrationRequestHandler {

  // ...

  @Override
  public void startRegistration(final Uri uri, final OneginiBrowserRegistrationCallback oneginiBrowserRegistrationCallback) {
    // we can store the callback in order to pass the registration result later on
    CALLBACK = oneginiBrowserRegistrationCallback;

    final Intent intent = new Intent(Intent.ACTION_VIEW, uri);
    intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
    intent.addFlags(Intent.FLAG_ACTIVITY_NO_HISTORY);

    context.startActivity(intent);
  }
}

Handling the redirection

When the client credentials are invalid the Token Server is not able to redirect the user back to the app. As this will potentially make the app instance useless unless re-installing the app. The SDK will validate the client credentials and refresh them before redirecting to the token server to receive an access grant. When user authentication in web browser failed or was canceled, you can abort registration action by calling OneginiBrowserRegistrationCallback#denyRegistration().

When client credentials are correct and the user gets his access granted, the Token Server will redirect back to the app. As the app is a layer on top of the SDK, the SDK cannot handle this redirect itself. It is the responsibility of the app to handle the redirect and delegate it to the SDK. When delegating a redirect the SDK will verify if the redirect has the right syntax and if it should be handled by the SDK. If id decides that the redirect should be handled it will continue to process it. The app can handle a redirect by specifying a scheme in the AndroidManifest.xml of the application. Please make sure that you set the same scheme in OneginiConfigModel and in Token Server's configuration

Example AndroidManifest.xml

<application
 ...
  <activity
      android:name=".view.activity.LoginActivity"
      android:launchMode="singleTask">
    <intent-filter>
      <action android:name="android.intent.action.VIEW"/>
      <category android:name="android.intent.category.DEFAULT"/>
      <category android:name="android.intent.category.BROWSABLE"/>

      <data android:scheme="oneginiexample"/>
    </intent-filter>
  </activity>
 ...
</application>

For a successful callback, the SDK will start using the received authorization grant. Based on this authorization grant an access token will be requested for the specified set of scopes. When the client has the refresh token grant type a refresh token will be returned with the created access token for a correct access grant by the Token Server.

Example code to handle registration callback

  @Override
  public void onNewIntent(final Intent intent) {
    super.onNewIntent(intent);
    handleRedirection(intent.getData());
  }

  private void handleRedirection(final Uri uri) {
    if (uri == null) {
      return;
    }

    final OneginiClient client = OneginiSDK.getOneginiClient(getApplicationContext());
    final String redirectUri = client.getConfigModel().getRedirectUri();
    if (redirectUri.startsWith(uri.getScheme())) {
      // here we can call the OneginiBrowserRegistrationCallback stored in previous step
      if (CALLBACK != null) {
        CALLBACK.handleRegistrationCallback(uri);
        CALLBACK = null;
      }
    }
  }

When calling the OneginiBrowserRegistrationCallback#handleRegistrationCallback method there is no need to specify a handler, because the OneginiBrowserRegistrationRequestHandler from the registration call is used instead. In case of the registration in a web browser has failed or was aborted by the user, you can call OneginiBrowserRegistrationCallback#denyRegistration() method in order to abort the registration process.