3

I have an Android application that opens an OAuth webpage using AppAuth to authenticate the user. When the user has authenticated, the Chrome browser suggests that the user store the credentials (user/pass) in the browser. If possible, I would like to disable this behaviour.

I have searched and read the documentation, but haven't found any info about the possibility (or the opposite) of instructing the browser to not suggest autocomplete (storage).

Changing the login page is not an option. I would preferably want to pass in some information (flags) to the Chrome tab in the intent.

All help would be appreciated.

Hrafn

1 Answer

2

Lead maintainer of AppAuth-Android here. As far as I'm aware, there is no way for you to "hint" to the browser / custom tab that you want to suppress a credential save prompt. Chrome and other browser vendors don't like giving this choice to developers as it is often misused in user- and security-hostile ways, like misguided attempts to block password managers.

iainmcgin
  • Yeah, had given up hope this was possible. Was worth a try. – Hrafn Feb 21 '18 at 22:51
  • What about saved passwords when there is no hint? Or maybe it's just me messing up something else that I perceive as this problem. My situation: I have a custom OIDC provider. I am using the AppAuth Android app (modified) from the Google tutorial. After successfully logging in with a password, any further logins simply flash the custom tab opening the login page, and I am automatically logged in. Chrome is set to not remember passwords and has autologin disabled. There are no saved passwords in the list according to Chrome. Only clearing all data on Chrome works, which is not ideal. I'm so confused. – Miao Liu Aug 22 '18 at 15:27
  • @MiaoLiu this sounds like a separate issue - after authenticating in the custom tab, a user session is remembered by the browser via cookies / localStorage. If you don't want the user to be remembered in the browser, you likely need an "incognito" custom tab, which Google are in the process of adding to Chrome: https://chromium-review.googlesource.com/c/chromium/src/+/1171225 The alternative would be to use a web view, but we don't recommend this, as it trains users to enter their credentials into potentially unsafe apps. Google blocks web views for this reason. – iainmcgin Sep 05 '18 at 22:15
  • Thanks @iainmcgin! I figured it was something like that. But it helps to hear from an expert. I tried to deny cookies altogether, but then it wouldn't even log in (I think pyoidc uses the cookies in the redirected page). I think I need to hack in cookie expiration so that the cookie I have is valid but my credentials no longer are. – Miao Liu Sep 06 '18 at 23:30