I’m trying to login with Google from my Android client app as follows:
Auth0 account = new Auth0(getResources().getString(R.string.auth0_client_id), getResources().getString(R.string.auth0_domain));
account.setOIDCConformant(true);
Map<String, Object> parameters = new HashMap<>();
parameters.put("scope", "user openid offline_access");
parameters.put("device", "android-device");
WebAuthProvider.init(account)
.withConnection(networkName)
.withParameters(parameters)
.start(this, new AuthCallback() {
@Override
public void onFailure(@NonNull Dialog dialog) {
...
}
@Override
public void onFailure(AuthenticationException exception) {
...
}
@Override
public void onSuccess(@NonNull Credentials credentials) {
...
}
});
After returning from the Google login page I receive an Intent in onNewIntent() with data as follows:
https://xxxx.auth0.com/android/tv.fubo.mobile.debug/callback?code=rSqQuR4dMP_WRE9H&state=XPIveOoVlag0IhGkDNOei0PGlfcconz7QTDSHT1ocWU#_=_
What are the ‘code’ and ‘state’ parameters in the above data string. I was expecting that I would get back an access token that I could then use to call the Auth0 api to get my User info.
Am I doing something wrong?
Is there any sample code or full documentation for this?
Lastly, after returning from onNewIntent(), the AuthCallback.onFailure() is getting called with the following exception:
com.auth0.android.authentication.AuthenticationException: An error occurred when trying to authenticate with the server.
The code and state parameters are associated with the underlying protocol being used (OpenID Connect/OAuth2). The code parameter in particular is associated with an authorization code grant that will indeed result in tokens being issued; the code is just an intermediary result of user authentication/authorization that is then exchanged by the actual tokens.
Given your authentication/authorization transaction is terminating with an error you don’t get to see any actual access tokens. In relation to the error itself, the associated message you received is just a general message that indicates an error (without disclosing any possible sensitive information); the downside, is that it also does not disclose the root cause so you should log additional information about the exception in onFailure callback. For example, you could try to log the result of calling getDescription method in the exception and see if it provides additional information.
I also tried to reproduce the issue on my end and with a configuration similar to yours and targeting a database connection I did not experienced any error and correctly received the expected tokens.
@jmangelo
Thanks,
So the more detailed message is:
Please go to ‘https://manage.auth0.com/#/applications/d6YiOzgcOnC305cKkBZoydAu62K1z7Ly/settings’ and set ‘Client Type’ to ‘Native’ to enable PKCE.
However, when following that link I do not find any option for enabling PKCE.
@jmangelo
Thanks,
So the more detailed message is:
Please go to ‘https://manage.auth0.com/#/applications/d6YiOzgcOnC305cKkBZoydAu62K1z7Ly/settings’ and set ‘Client Type’ to ‘Native’ to enable PKCE.
However, when following that link I do not find any option for enabling PKCE.
PKCE requires that the token endpoint authentication method be set to none so that a mobile application that can’t securely store a client secret still be able to call than endpoint.
If you set the client type to Native a side effect of that is that the token endpoint authentication method for the client is set to none. Although this is a config change to a more permissive setting if possible you should still test the change in a controlled environment before doing it in a production account if the client application is already being used.