Why does Android Chrome update from 61.0.3163.98 to 72.0.3626.76 break OAuth login in Chrome Custom Tabs?


Question

Our production Android application uses Chrome Custom Tabs for OAuth login.

It was working fine yesterday when the Chrome version was 61.0.3163.98.

Following an overnight update of Chrome to 72.0.3626.76 the login process gets stuck in the embedded browser and the user is presented with a blank white screen.

If we uninstall the Chrome update the login starts to work again.

What has changed with Chrome and/or Chrome Custom Tabs that breaks our login process?

If I switch my default browser to Firefox my app's login works fine.

In fact, if I change the default browser to anything other than Chrome it works fine; even Opera works, although Opera doesn't show an embedded browser.

It also works when I uninstall the Chrome update and revert back to Chrome version 61.0.3163.98.

More details:-

Step 1). Load URL with prompt=none and my custom scheme Redirect URL.
Step 2). My App receives a NEW INTENT containing the auth code.
Step 3). I attempt to access my back end APIs with this code, which fails with 400
Step 4). Load URL prompt=login and my users are presented with a sign in screen where they enter their credentials and click on the Sign In button.
Step 5). NOTHING HAPPENS, the user is presented with a blank screen, my app does not receive a NEW INTENT.

Here's the code I employ to open the login URL via a Chrome Custom Tab:

// Needs the Custom Tabs support library:
// import androidx.browser.customtabs.CustomTabsIntent;  (android.support.customtabs.CustomTabsIntent on older projects)
private void openCustomTab() {
    // PKCE (RFC 7636): a fresh code verifier and its derived challenge, kept as fields
    // so the verifier is available later for the token request
    codeVerifier = generateRandomCodeVerifier();
    checkCodeVerifier(codeVerifier);
    codeChallenge = deriveCodeVerifierChallenge(codeVerifier);

    // First launch: authorization URL with prompt=none and the custom-scheme redirect_uri
    CustomTabsIntent.Builder builder = new CustomTabsIntent.Builder();
    CustomTabsIntent customTabsIntent = builder.build();
    customTabsIntent.launchUrl(this, getURL(PROMPT_NONE));
}

The above code loads the URL with prompt=none, and it also specifies my custom-scheme redirect URL.

My Android app receives a new Intent in onNewIntent that contains an authCode; I attempt to retrieve an access token with this auth code, which fails with 400.

I then use Custom Tabs to load a second URL with prompt=login as follows:-

// Second launch: interactive sign-in with prompt=login (Color is android.graphics.Color)
final CustomTabsIntent.Builder builder = new CustomTabsIntent.Builder();
builder.setToolbarColor(Color.BLUE);

final CustomTabsIntent customTabsIntent = builder.build();
customTabsIntent.launchUrl(SignInActivity.this, getURL(PROMPT_LOGIN, authCode));

By loading this URL with prompt=login the user can enter their credentials and click on the Sign In button.

It's at this point that the Chrome Custom Tab gets stuck.

Here are the network calls I captured using Stetho; the last call made is authorization.ping, which shows as cancelled.

I have found a resolution for this issue as follows:-

I added an additional prompt of "consent" to the existing prompts of "none" then "login".

The user now sees a page titled

oauth.approval.page.template.title

on which the user sees, among other things,

ACCESS TO YOUR DATA
SIGN IN WITH OPENID CONNECT
OPENID CONNECT PROFILE SCOPE
OPENID CONNECT EMAIL SCOPE

At the bottom of this screen there are two options:

oauth.approval.page.template.allow
oauth.approval.page.template.dontAllow

When the user selects

oauth.approval.page.template.allow

they can now proceed into the Android app.

The only issue is that the user sees this approval screen whenever they log in.
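The question's helper methods (generateRandomCodeVerifier, deriveCodeVerifierChallenge, getURL) are not shown, so the following is an added, stand-alone Java example of what they need to do. It was written for this edit and is not code from the question, from the linked answer, or from any library; the authorization endpoint, client id and redirect URI are made-up placeholders, and the two redirect strings in main are constructed to stand in for what the Custom Tab hands back to onNewIntent(). It covers the RFC 7636 verifier and S256 challenge, the authorization URL for the prompt=none attempt and the prompt=login fallback, a state check on the redirect before the code is trusted, and the token request body, which must carry the verifier whose challenge went out with that code.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;

public final class PkceAuthFlow {
    // Assumed, illustrative values: the question does not give its real endpoint or client id.
    static final String AUTHORIZE_ENDPOINT = "https://idp.example.com/oauth2/authorize";
    static final String CLIENT_ID = "example-android-client";
    static final String REDIRECT_URI = "com.example.app:/oauth2redirect"; // custom scheme, as in the question

    private static final SecureRandom RANDOM = new SecureRandom();
    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

    // RFC 7636 section 4.1: 32 random octets, base64url without padding (43 chars). Also used for state.
    static String randomUrlSafe(int octets) {
        byte[] b = new byte[octets];
        RANDOM.nextBytes(b);
        return B64URL.encodeToString(b);
    }

    // RFC 7636 section 4.2: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))).
    static String codeChallengeS256(String verifier) {
        try {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            return B64URL.encodeToString(sha256.digest(verifier.getBytes(StandardCharsets.US_ASCII)));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    // The URL handed to CustomTabsIntent.launchUrl(); prompt is "none" for the silent try, "login" afterwards.
    static String buildAuthorizeUrl(String prompt, String state, String codeChallenge) {
        return AUTHORIZE_ENDPOINT + "?" + formEncode(
                "response_type", "code", "client_id", CLIENT_ID, "redirect_uri", REDIRECT_URI,
                "scope", "openid profile email", "state", state, "code_challenge", codeChallenge,
                "code_challenge_method", "S256", "prompt", prompt);
    }

    // Validates the redirect delivered to onNewIntent() (intent.getData().toString()). Any app can register
    // the same custom scheme, so a redirect whose state is not ours is discarded before anything else.
    static String extractAuthCode(String redirectUri, String expectedState) {
        Map<String, String> q = parseQuery(URI.create(redirectUri).getRawQuery());
        if (!expectedState.equals(q.get("state"))) throw new SecurityException("state mismatch");
        // OIDC Core 3.1.2.6: with prompt=none the IdP answers error=login_required when it cannot be silent.
        if (q.containsKey("error")) throw new IllegalStateException(q.get("error"));
        String code = q.get("code");
        if (code == null || code.isEmpty()) throw new IllegalStateException("no code in redirect");
        return code;
    }

    // Token request body. code_verifier must be the one whose challenge was sent with this code.
    static String buildTokenRequestBody(String code, String codeVerifier) {
        return formEncode("grant_type", "authorization_code", "code", code,
                "redirect_uri", REDIRECT_URI, "client_id", CLIENT_ID, "code_verifier", codeVerifier);
    }

    // application/x-www-form-urlencoded from alternating key, value arguments.
    static String formEncode(String... kv) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < kv.length; i += 2) {
            if (sb.length() > 0) sb.append('&');
            sb.append(URLEncoder.encode(kv[i], StandardCharsets.UTF_8)).append('=')
              .append(URLEncoder.encode(kv[i + 1], StandardCharsets.UTF_8));
        }
        return sb.toString();
    }

    static Map<String, String> parseQuery(String rawQuery) {
        Map<String, String> out = new LinkedHashMap<>();
        if (rawQuery == null) return out;
        for (String pair : rawQuery.split("&")) {
            int i = pair.indexOf('=');
            out.put(URLDecoder.decode(i < 0 ? pair : pair.substring(0, i), StandardCharsets.UTF_8),
                    URLDecoder.decode(i < 0 ? "" : pair.substring(i + 1), StandardCharsets.UTF_8));
        }
        return out;
    }

    public static void main(String[] args) {
        // Step 1: silent attempt with prompt=none; one verifier and one state per authorization request
        String verifier = randomUrlSafe(32), state = randomUrlSafe(16);
        System.out.println("launchUrl -> " + buildAuthorizeUrl("none", state, codeChallengeS256(verifier)));
        try {
            // Constructed redirect, as an IdP returns it when there is no session to reuse
            extractAuthCode(REDIRECT_URI + "?error=login_required&state=" + state, state);
        } catch (IllegalStateException e) {
            // Step 4: the interactive fallback is a new request, so it gets a fresh verifier and state
            verifier = randomUrlSafe(32); state = randomUrlSafe(16);
            System.out.println("launchUrl -> " + buildAuthorizeUrl("login", state, codeChallengeS256(verifier)));
        }
        // Constructed redirect after sign-in (code value borrowed from the examples in RFC 6749)
        String code = extractAuthCode(REDIRECT_URI + "?code=SplxlOBeZQQYbYS6WxSbIA&state=" + state, state);
        System.out.println("token request body -> " + buildTokenRequestBody(code, verifier));
    }
}
```

Compile and run with a plain JDK (javac PkceAuthFlow.java && java PkceAuthFlow). The Charset overloads of URLEncoder/URLDecoder need Java 10, or API 33 on Android; older projects use the "UTF-8" string overloads instead. Two points matter for the flow in the question: a custom-scheme redirect can be delivered to any app that registers that scheme, so the code is only sent to the token endpoint after the state matches the request this app is actually waiting on, and each launchUrl() is a separate authorization request with its own verifier, challenge and state, so the verifier paired with the prompt=none request cannot be reused for a code obtained from the prompt=login request.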

Recommended answer

I have recently answered this same question; I believe the Chrome update adds some security layer. I also had the same issue before with a different browser (the stock browser that comes with various unofficial custom ROMs), and I think we're not safe in case other browsers implement the same behavior.

To avoid all these problems, I would suggest that you implement a staging page that will serve to handle all your OAuth2 redirects.

This solution also has the advantage of avoiding the user having to "Allow" the login every time.

You can find a detailed answer here: How to implement OAuth single Sign In/Sign Out with Chrome Custom Tabs

