AppAuth-Android strange problem in handling NOT hierarchical URI callback intent

Question

I am using AppAuth-Android in my app to handle the OAuth flow. When the flow starts, I call the startActivityForResults method as described in the https://github.com/openid/AppAuth-Android#obtaining-an-authorization-code step. After calling this method, the browser pops up waiting for the user login.

In my manifest I have

<intent-filter>
    <action android:name="android.intent.action.VIEW" />
    <category android:name="android.intent.category.DEFAULT" />
    <category android:name="android.intent.category.BROWSABLE" />
    <data
        android:scheme="com.app.name"
        android:host="oauth2redirect/login-callback" />
</intent-filter>

that is needed for handling the redirect callback when login step is done, as specified in the AppAuth documentation.

During a penetration test on my app, came to light that if in this particular moment (when browser for authentication is visible), you follow the steps below, the app crash

switch app (e.g. I open a browser, not closing my app)
click on a NOT hierarchical link, com.name.app:abcd in my case (this URL was ready-made by the tester)

This is the stack trace of the crash.

E/AndroidRuntime: FATAL EXCEPTION: main
Process: io.app.mobile, PID: 29226
java.lang.RuntimeException: Unable to resume activity {com.app.name/net.openid.appauth.AuthorizationManagementActivity}: java.lang.UnsupportedOperationException: This isn't a hierarchical URI.
    at android.app.ActivityThread.performResumeActivity(ActivityThread.java:3830)
    at android.app.ActivityThread.handleResumeActivity(ActivityThread.java:3862)
    at android.app.servertransaction.ResumeActivityItem.execute(ResumeActivityItem.java:51)
    at android.app.servertransaction.TransactionExecutor.executeLifecycleState(TransactionExecutor.java:145)
    at android.app.servertransaction.TransactionExecutor.execute(TransactionExecutor.java:70)
    at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1816)
    at android.os.Handler.dispatchMessage(Handler.java:106)
    at android.os.Looper.loop(Looper.java:193)
    at android.app.ActivityThread.main(ActivityThread.java:6854)
    at java.lang.reflect.Method.invoke(Native Method)
    at com.android.internal.os.RuntimeInit$MethodAndArgsCaller.run(RuntimeInit.java:493)
    at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:860)
 Caused by: java.lang.UnsupportedOperationException: This isn't a hierarchical URI.
    at android.net.Uri.getQueryParameterNames(Uri.java:1590)
    at net.openid.appauth.AuthorizationManagementActivity.extractResponseData(AuthorizationManagementActivity.java:318)
    at net.openid.appauth.AuthorizationManagementActivity.handleAuthorizationComplete(AuthorizationManagementActivity.java:259)
    at net.openid.appauth.AuthorizationManagementActivity.onResume(AuthorizationManagementActivity.java:234)
    at android.app.Instrumentation.callActivityOnResume(Instrumentation.java:1413)
    at android.app.Activity.performResume(Activity.java:7307)
    at android.app.ActivityThread.performResumeActivity(ActivityThread.java:3822)

The problem seems to be that opening com.name.app:abcd, makes the app believing that there is a result from the intent and net.openid.appauth.AuthorizationManagementActivity tries to handle it

private Intent extractResponseData(Uri responseUri) {
    if (responseUri.getQueryParameterNames().contains(AuthorizationException.PARAM_ERROR)) {
        return AuthorizationException.fromOAuthRedirect(responseUri).toIntent();
    } 

(...)
}

but the getQueryParameterNames of the class java.net.URI throws an exception if the URL is NOT hierarchical.

I am not sure if it is a problem related to the library itself, or if there is a solution that can be accomplished (maybe changing the manifest deep linking handling). The fact is that I do not know how to fix this.

If the question seems too synthetic and you need some additional information to reproduce the problem, feel free to ask for more details. Thanks :)

intent-filter is set in the AuthorizationActivity that is the activity than starts and handle the oAuth flow @moozg — Stefano Zanella, Jun 05 '20 at 12:42
so you're not using ` RedirectUriReceiverActivity ` at all? official doc suggest using this Activity instead of `AuthorizationManagementActivity`, see code snippets in the documentation you linked. — moozg, Jun 05 '20 at 21:14

moozg · Accepted Answer · 2020-06-10T18:57:34.947

1

I assume the intent-filter you posted is set for RedirectUriReceiverActivity, but you can actually have your own Activity instead to be the man-in-the-middle. If you look into the source code it basically does nothing more than

startActivity(AuthorizationManagementActivity.createResponseHandlingIntent(
                    this, getIntent().getData()));

Create your own Activity e.g. AllUriReceiverActivity
set intent-filter (that you posted above) for this AllUriReceiverActivity
in onCreate() of AllUriReceiverActivity add check if getIntent().getData() contains hierarchical URI before performing startActivity() call.
Reuse library's RedirectUriReceiverActivity, so you don't need to worry when library updates the way of instantiating AuthorizationManagementActivity

So in onCreate() it should be sth like this:

Uri uri = getIntent().getData();

if (uri.isHierarchical()) {
   Intent i = new Intent(context, RedirectUriReceiverActivity.class);
   i.setData(uri);
   startActivity(i);
}
finish();

EDIT: Additionally to get rid of the handling your URI by RedirectUriReceiverActivity, you can remove completely this part suggested by AppAuth lib:

android.defaultConfig.manifestPlaceholders = [
  'appAuthRedirectScheme': '...'
]

edited Jun 10 '20 at 18:57

answered Jun 04 '20 at 16:59

moozg

406
3
12

I am not sure I can achieve that: RedirectUriReceiverActivity is a class of the library and is called from the browser before reach my activity (AuthorizationActivity)... How can I customize RedirectUriReceiverActivity if its read only? – Stefano Zanella Jun 05 '20 at 13:24
@StefanoZanella I updated my answer, plz have a look. – moozg Jun 05 '20 at 21:31
Thank you for your reply. I tried to implement your solution, but while RedirectUriReceiverActivity is used in the authentication flow, the breakpoints placed in the activity you suggest to do (AllUriReceiverActivity) as a kind of middleware are not triggered... Even if I set the intent-filter in the manifest. I think there is a direct link between AuthorizationManagementActivity and RedirectUriReceiverActivity and it can not be changed. (without editing the library code) @moozg – Stefano Zanella Jun 08 '20 at 07:13
here in the class code there is a scheme of how authentication flow is done in AppAuth-Android https://github.com/openid/AppAuth-Android/blob/master/library/java/net/openid/appauth/AuthorizationManagementActivity.java](App-Auth). Authorization activity is my Activity that starts the flow. @moozg – Stefano Zanella Jun 08 '20 at 07:25
@StefanoZanella now the Activity that handles intents is AllUriReceiverActivity. So you need to delete the declaration of intent handling by RedirectUriReceiverActivity from your manifest. Keep AllUriReceiverActivity intent-filter only. – moozg Jun 08 '20 at 16:49
Yess man, it seems to work :D But I think that `RedirectUriReceiverActivity` creates automatically an `intent-filter` (not showed in manifest) through the scheme specified (com.app.name) because if you implement your suggestion, when you click the link, it offers to you the 2 different activities to open the link (your `AllUriReceiverActivity` and probably `RedirectUriReceiverActivity `. I overcome this problem by putting in the manifest an `intent-filter` to `RedirectUriReceiverActivity` with the `android:scheme=""`. Thank you – Stefano Zanella Jun 10 '20 at 14:40
If you update your response accordingly to my comment, I will accept your answer as correct. Thank you @moozg – Stefano Zanella Jun 10 '20 at 14:42
*woman. :] And I suggested another solution for getting rid of RedirectUriReceiverActivity handling directly the deeplink. – moozg Jun 10 '20 at 18:58

AppAuth-Android strange problem in handling NOT hierarchical URI callback intent

1 Answers1