Add Authorization header to all requests in Xamarin Forms Android WebView

Question

I'm trying to add custom http headers to a webview client (for authorization). It seems to work in some cases, I'am able to login to a webpage without entering username and password, and I get redirected to another page. But when the page is calling other resources to get elements populated with data an error is thrown and OnReceivedHttpError is invoked. The error I'm getting is 401 unauthorized and when i look through the headers on the IWebResourceRequest i can't see the authorization headers at all. Am I missing something or have anyone had same problems ?

Using Xamarin Forms 2.3.3.180 and targeting API 21 (Android 5.0 Lollipop), compile with Android 7.1 Nougat.

I've tried in postman to add headers to request and it works perfectly.

Renderer:

public class MyWebViewRenderer : WebViewRenderer
{
    private MyWebViewClient _webViewClient;

    protected override void OnElementChanged(ElementChangedEventArgs<Xamarin.Forms.WebView> e)
    {
        base.OnElementChanged(e);

        if(_webViewClient == null)
            _webViewClient = new MyWebViewClient();

        Control.SetWebViewClient(_webViewClient);
        Control.LongClickable = false;
        Control.HapticFeedbackEnabled = false;
        Control.Settings.JavaScriptEnabled = true;

        var data = Encoding.GetEncoding("ISO-8859-1").GetBytes("username:password");
        var base64string = Base64.EncodeToString(data, Base64Flags.NoWrap);

        var headers = new Dictionary<string, string>();
        headers.Add("Authorization", $"Basic {base64string}")

        Control.LoadUrl(Control.Url, headers);
    }
}

WebViewClient:

public override bool ShouldOverrideUrlLoading(WebView view, string url)
{
    WebView.SetWebContentsDebuggingEnabled(true);

    var data = Encoding.GetEncoding("ISO-8859-1").GetBytes("username:password");
    var base64string = Base64.EncodeToString(data, Base64Flags.NoWrap);

    var headers = new Dictionary<string, string>();
    headers.Add("Authorization", $"Basic {base64string}")

    view.LoadUrl(url, headers);
    return true;
}

public override WebResourceResponse ShouldInterceptRequest(WebView view, IWebResourceRequest urlResource)
{
    //headers does not always contains authorization header, so let's add it.
    if (!urlResource.RequestHeaders.ContainsKey("authorization") && !urlResource.RequestHeaders.ContainsKey("Authorization"))
    {
       var data = Encoding.GetEncoding("ISO-8859-1").GetBytes("username:password");
       var base64string = Base64.EncodeToString(data, Base64Flags.NoWrap);

       urlResource.RequestHeaders.Add("Authorization", $"{base64string}");
     }

        return base.ShouldInterceptRequest(view, urlResource);
}

public override void OnReceivedHttpError(WebView view, IWebResourceRequest request, WebResourceResponse errorResponse)
{
    base.OnReceivedHttpError(view, request, errorResponse);
}

Answer 1

If you only need the headers on the get requests, the code below will work. However POST requests are a different issue. I needed to do a similar thing (with all requests, not just GET), and all I can say is that there's not straightforward solution, at least not one that I've found (and I've tried everything short of writing my own network driver). I've tried so many methods (ShouldOverrideUrlLoading, ShouldInterceptRequest, custom LoadUrl and PostUrl etc.) and none of them give a 100% solution. There is a lot of misinformation about this so I think some clarification is needed since I've spent two days on this without success.

So here's what I've learned:

If you only need the headers in the GET requests, that's trivial. Simply create an implementation of WebViewClient and override ShouldOverrideUrlLoading like this:

[assembly: ExportRenderer(typeof(Xamarin.Forms.WebView), typeof(App.Android.HybridWebViewRenderer))]
namespace App.Android
{
    public class HybridWebViewRenderer : WebViewRenderer
    {

        public HybridWebViewRenderer(Context context) : base(context)
        {
        }

        protected override void OnElementChanged(ElementChangedEventArgs<Xamarin.Forms.WebView> e)
        {
            base.OnElementChanged(e);
            Control.SetWebViewClient(new CustomWebViewClient());
        }
    }
    public class CustomWebViewClient : WebViewClient
    {
        public override bool ShouldOverrideUrlLoading(Android.Webkit.WebView view, string url)
        {
            Dictionary<string, string> headers = new Dictionary<string, string>
            {
                ["Name"] = "value"
            };
            view.LoadUrl(url, headers);
            return true;
        }
    }
}

If, however, you need the headers in other requests (specifically POST requests) there really isn't a perfect solution. Many answers tell you to override ShouldInterceptRequest but this is unlikely to help. ShouldInterceptRequest provides an IWebResourceRequest which contains the URL of the request, the method (i.e. POST) and the headers. There are answers out there which state that adding the headers by doing request.Headers.Add("Name", "Value") is a viable solution but this is wrong. The IWebResourceRequest is not used by the WebView's internal logic so modifying it is useless!

You can write your own HTTP client in ShouldInterceptRequest which includes your own headers to perform the requests and return a WebResourceResponse object. Again, this works for GET requests, but the problem with this is that even though we can intercept a POST request, we cannot determine the content in the request as the request content is not included in the IWebResourceRequest object. As a result, we cannot accurately perform the request manually. So, unless the content of the POST request is unimportant or can somehow be fetched, this method is not viable.

An additional note on this method: returning null tells the WebView to handle the request for us. In other words 'I don't want to intercept the request'. If the return is not null however, the WebView will display whatever is in the WebResourceResponse object.

I also tried overriding the PostUrl and LoadUrl methods in the WebView itself. These methods are not called by the internal logic, so unless you are calling them yourself, this does not work.

So what can be done? There are a few hacky solutions (see github.com/KeejOow/android-post-webview) to get around this problem, but they rely on javascript and are not suitable in all cases (I have read that they don't work with forms). If you want to use them in Xamarin, you're going to need to adapt the code for C# anyway, and there is no guarantee that it will solve your problem.

I'm writing this so no one else has to waste countless hours finding a solution that doesn't really exist. If only the Android devs had decided to include the POST content in the IWebResourceRequest object... And apologies for the length, if you've read to this point, you're probably as desperate as I was.