Login and Authentication in Android (Kotlin) with OAuth2 / OpenID Connect and cidaas

cidaas
8 min read · Apr 14, 2021
Login and Authentication in Android (Kotlin) with cidaas

In this article we take a look at how login and authentication capabilities can be integrated into an Android App (Kotlin) based on the standards OAuth2 and OpenID Connect as well as the Cloud Identity & Access Management cidaas.

cidaas (https://www.cidaas.com) is a modern Cloud Identity & Access Management solution developed by Widas ID located in Germany. The cidaas feature set includes:

  • Single Sign On (SSO) based on OAuth2, OpenID Connect, SAML 2.0
  • Multi-Factor-Authentication with more than 14 authentication methods, including TOTP and FIDO2
  • Passwordless Authentication
  • Social Login (e.g. Facebook, Google, LinkedIn, and more) as well as Enterprise Identity Provider (e.g. SAML or AD)
  • Security in Machine-to-Machine (M2M) and IoT

A short introduction on OAuth2 and OpenID Connect

OAuth2 is the industry-standard protocol for authorization, and it provides different authorization flows depending on the application or client type, be it for example web or mobile applications. If you want to learn more about OAuth2 have a look at the official website at https://oauth.net/2/.

OpenID Connect (OIDC) is a standard authentication protocol that adds an identity layer on top of the OAuth 2.0 standard. OIDC provides information about the end user in the form of an ID token, through which the identity is verified. The standard is maintained by the OpenID Foundation (https://openid.net).

A simple Android App with Kotlin

Let’s get started with a simple Android App based on Kotlin. We start by creating a new project with Android Studio.

Project Setup — Android Studio

As project template we choose Empty Activity.

Project Template — Empty Activity

You can select a name and package structure fitting to your purpose. For this tutorial we will go for Demo App and the package name de.cidaas.demoapp. As programming language we select Kotlin (this is normally prefilled), and the Minimum SDK version needs to be 21, since that is the minimum SDK version supported by the cidaas Android SDK.

Project Setup — Minimum SDK version

You will now see a simple Android project based on Kotlin, which just contains the basics. For our tutorial the following files are relevant:

  1. AndroidManifest.xml
  2. MainActivity.kt
  3. activity_main.xml
  4. two build.gradle files
     • one for the Project — Project: Demo_App
     • one for the module — Module: Demo_App.app

Installation of cidaas Android SDK

The cidaas Android SDK can be installed via jitpack.io, so we need to add jitpack to the gradle configuration in the build.gradle file for Project: Demo_App.

build.gradle for Project with jitpack integration

Furthermore we need to add the cidaas Android SDK to the project by adding the dependency in the build.gradle — Module: Demo_App.app.

The cidaas Android SDK as well as the official documentation can be found on GitHub: https://github.com/Cidaas/cidaas-android-sdk. The current version while writing this tutorial is 3.0.8; please have a look at GitHub and use the latest version of the SDK.

build.gradle for Module with cidaas SDK dependency

After working on the gradle files it is a good idea to build the project.

Gradle Build

After the cidaas Android SDK was successfully installed we need to configure it. That is quite easy: we need the Domain URL of our cidaas tenant as well as the ClientID and Redirect URL of our App in the tenant. If you do not have a cidaas instance, you can sign up for a free cidaas plan online (cidaas Free Plan). If you need information on how to create an App (OAuth2 / OpenID Connect Client) in cidaas, please refer to: docs.cidaas.com

Android project structure — cidaas.xml

We enter the three parameters in an XML file, cidaas.xml, in the assets folder. For that you first need to create the assets folder: go to New -> Folder -> Assets Folder and click the Finish button. Next, create a cidaas.xml file in that folder and add the three values mentioned above.

In this example we used our cidaas Demo environment with a sample Client and the user profile URL as Redirect URL.

cidaas.xml with DomainURL, ClientId and RedirectURL

Integration of Login and Authentication into the App

Now let’s start to integrate Login and Authentication into the app. What do we want to achieve?

The App should display a Login Button, when clicking on the button a custom Chrome Tab should open and display the Login UI. After a successful login we want to jump back into the Android App and display the token.

First, we remove the present Text and add a Button to the activity_main.xml.

Layout — activity_main.xml

To give the button a proper text we go to the strings.xml in res/values and add a new entry for the button; for this tutorial we choose button_login_browser. Now go back to the activity_main.xml and select the button. On the right side, in the Common Attributes section, there is a text attribute; click the box next to it and select the strings.xml entry we just defined.

Next, we will implement the login functionality in the MainActivity.kt. We define a variable cidaas and initialize it in the onCreate function with cidaas = Cidaas.getInstance(this) — the parameter this is the ActivityContext. The cidaas SDK instance will use the cidaas.xml as configuration file. Additionally, we can enable the cidaas SDK logs; even though the integration of the cidaas SDK is quite simple, it can be helpful to have logs during development.

Initialisation of the cidaas SDK in the MainActivity.kt

After the cidaas SDK is initialized, we implement a method loginWithNativeBrowser which we can assign to the onClick event of the button we just added to the UI. In the loginWithNativeBrowser function we create an extraParam hashmap that contains the scopes we want to pass to the Authorization URL (to learn more about scopes have a look at docs.cidaas.com). In this example we will use openid, profile and email as scopes. We add the extraParam hashmap to the cidaas instance with Cidaas.extraParams = extraParam. Now it is time to call the loginWithBrowser method of the cidaas SDK, which takes care of the magic, including opening the Chrome Custom Tab, calling the Authorization URL and more. When calling the loginWithBrowser function we pass the ActivityContext (this), the color (in this case #009900) and the EventResult<AccessTokenEntity>. Moreover, we need to override/implement its two functions success and failure. The failure function should handle all failures which occur during the login process; in our tutorial we just print them to the UI with Toast.makeText. In the success case, the user is logged in and we get back an Access Token, which we can use to call further APIs, display the user data and more. In this tutorial we just print the Access Token to the UI with Toast.makeText.

Implementation of the loginWithBrowser function of the cidaas SDK

After we have finished the loginWithNativeBrowser function we need to assign it to the button we created above. We therefore go back to the activity_main.xml and select the button. On the right side we can select the loginWithNativeBrowser function for the onClick event; it will then be called when clicking on the button. (Hint: if you do not see the new function in the list, save all files and build the project.)

Callback to App with In-App Links or Custom Scheme

What's left? We need to handle the callback of the Custom Chrome Tab after a successful authentication.

In this tutorial we use App Links. For that we go to Tools and open the App Links Assistant. The assistant will guide us through the creation of App Links. In the first step we add a URL intent filter and assign it to the MainActivity. Second, we need to associate the website with our App Link; if you do not use the cidaas domain URL, you need to publish the assetlinks file on your associated website.

App Link Assistant — Android Studio

If you use the cidaas domain URL, cidaas provides a mobile settings section in your app settings in which you can enter your package name and the fingerprint (more at docs.cidaas.com).

cidaas Mobile Settings section — In App Links

After you have associated the website and the App Links, you can finish the setup by clicking the button Link and Verify in step 3. If you want, you can additionally test the setup with the emulator in step 4.

Android Manifest with In App Link to cidaas

The App Link Assistant basically creates an intent filter in the AndroidManifest.xml — in this example you will see the App Link we just created with the scheme https, the host as well as the path we added (with this path only this exact URL will redirect into the app).

After we have created the App Links we need to adapt the activity to which we have added the new intent filter, in this case the .MainActivity in the AndroidManifest.xml:

<activity android:name=".MainActivity" android:launchMode="singleTop">

In addition, we need to add one more function in the MainActivity.kt, onNewIntent, to resume the SDK after the authentication is done and the callback to the app has happened.

Callback Handling in onNewIntent()
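Putting the steps above together, here is a complete MainActivity.kt as an added example; it is not the code from the original article or from the cidaas project. It uses only the calls the article names (Cidaas.getInstance, Cidaas.extraParams, loginWithBrowser with an EventResult<AccessTokenEntity>, success and failure, Toast.makeText) and assumes the following from the SDK README rather than from this article: Cidaas.ENABLE_LOG as the log switch, WebAuthError with an errorMessage as the failure type, an accessToken property on AccessTokenEntity, and cidaas.resume(String) as the call that completes the flow in onNewIntent. Check these names against the SDK version you install.

```kotlin
package de.cidaas.demoapp

import android.content.Intent
import android.os.Bundle
import android.view.View
import android.widget.Toast
import androidx.appcompat.app.AppCompatActivity
// Add the cidaas SDK imports for Cidaas, AccessTokenEntity, EventResult and WebAuthError
// here; take the exact package names from the SDK README for the version you use.

class MainActivity : AppCompatActivity() {

    // The SDK instance; it reads DomainURL, ClientId and RedirectURL from assets/cidaas.xml.
    private lateinit var cidaas: Cidaas

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        setContentView(R.layout.activity_main)

        cidaas = Cidaas.getInstance(this)   // "this" is the ActivityContext
        // Assumption: ENABLE_LOG is the SDK's debug-log switch. Tie it to debug builds only;
        // the SDK logs can contain tokens and redirect URLs.
        Cidaas.ENABLE_LOG = BuildConfig.DEBUG
    }

    // Bound to the button via android:onClick="loginWithNativeBrowser" in activity_main.xml.
    // android:onClick only resolves public methods that take exactly one View parameter.
    fun loginWithNativeBrowser(view: View) {
        // Scopes requested on the Authorization URL. "openid" is what turns the OAuth2
        // request into an OIDC request and yields an ID token next to the access token.
        val extraParam = HashMap<String, String>()
        extraParam["scope"] = "openid profile email"
        Cidaas.extraParams = extraParam

        // Opens the Chrome Custom Tab with the tenant's login UI; #009900 is the toolbar color.
        // (Drop the parentheses after EventResult if it is an interface in your SDK version.)
        cidaas.loginWithBrowser(this, "#009900", object : EventResult<AccessTokenEntity>() {
            override fun success(result: AccessTokenEntity) {
                // The user is logged in. The access token is a bearer credential, so showing
                // it on screen is fine for this tutorial but not for a production build.
                // Assumption: AccessTokenEntity exposes the token as accessToken.
                Toast.makeText(this@MainActivity,
                    "Access Token: ${result.accessToken}", Toast.LENGTH_LONG).show()
            }

            override fun failure(error: WebAuthError) {
                // Covers user cancellation, network errors and OAuth2 error responses alike.
                // Assumption: WebAuthError exposes the message as errorMessage.
                Toast.makeText(this@MainActivity,
                    "Login failed: ${error.errorMessage}", Toast.LENGTH_LONG).show()
            }
        })
    }

    // Reached because the activity uses launchMode="singleTop" and the App Link intent
    // filter matches the RedirectURL: the Custom Tab hands the authorization response back here.
    override fun onNewIntent(intent: Intent?) {
        super.onNewIntent(intent)
        // Only App Link callbacks carry a data URI; any other intent has nothing to resume.
        val data = intent?.data ?: return
        // Assumption: resume(String) completes the flow (code exchange for tokens) and then
        // invokes the success/failure callbacks registered in loginWithBrowser.
        cidaas.resume(data.toString())
    }
}
```

The early return in onNewIntent matters in practice: the activity can receive other intents while it is on top of the stack, and handing a non-callback intent to the SDK would just produce a failure callback with a confusing message.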

That’s it, we made it! You can now run the App either on the emulator or on your real Android device. When clicking on the button, the Chrome Custom Tab opens with the Login UI of your cidaas tenant and cidaas App. When you log in you get redirected back to the app and see the Access Token. The same happens if you register and the auto login feature is enabled: you will also get redirected back into the app and see the Access Token in the UI.

The Auto Login will happen either after registering directly or after verifying your email address (either by clicking on the link or entering a code in the registration process), depending on the configuration you have done in cidaas.

Hint: you can decode your Access Token easily with the https://authkit.io/ online jwt decoder.
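As an added example that is not part of the original article, the access token can also be decoded inside the app, which avoids pasting a live bearer token into a third-party website. The token below is a constructed sample (the well-known jwt.io HS256 example), not a cidaas token; Base64 and JSONObject come from the Android platform, so no extra dependency is needed.

```kotlin
import android.util.Base64
import org.json.JSONObject

// Constructed sample, NOT a real cidaas token. Decodes to
// header  {"alg":"HS256","typ":"JWT"}
// payload {"sub":"1234567890","name":"John Doe","iat":1516239022}
const val SAMPLE_TOKEN =
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." +
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ." +
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"

// A JWT part is base64url without padding (RFC 7515), hence URL_SAFE and NO_PADDING.
fun decodeJwtPart(part: String): JSONObject {
    val bytes = Base64.decode(part, Base64.URL_SAFE or Base64.NO_WRAP or Base64.NO_PADDING)
    return JSONObject(String(bytes, Charsets.UTF_8))
}

// Summary of what the token says about itself. Decoding is NOT verification: the
// signature is not checked here, so the resource server (or the SDK) must still validate
// it against the tenant's JWKS before trusting any claim. The app should use these
// values for display and for deciding when to refresh, nothing more.
data class TokenSummary(
    val alg: String,
    val subject: String,
    val expiresAt: Long?,      // "exp" claim in epoch seconds, null if absent
    val expired: Boolean,
    val claimNames: List<String>
)

fun inspectToken(token: String, nowEpochSeconds: Long): TokenSummary {
    val parts = token.split(".")
    require(parts.size == 3) { "not a compact JWS: expected header.payload.signature" }

    val header = decodeJwtPart(parts[0])
    val payload = decodeJwtPart(parts[1])

    val alg = header.optString("alg")
    // A token announcing "none" carries no signature at all; treat it as malformed.
    require(!alg.equals("none", ignoreCase = true)) { "unsigned token rejected" }

    val exp = if (payload.has("exp")) payload.getLong("exp") else null
    val expired = exp != null && exp <= nowEpochSeconds

    return TokenSummary(
        alg = alg,
        subject = payload.optString("sub"),
        expiresAt = exp,
        expired = expired,
        claimNames = payload.keys().asSequence().toList()
    )
}

// Example use inside the success() callback of loginWithBrowser:
//   val summary = inspectToken(result.accessToken, System.currentTimeMillis() / 1000)
//   Log.d("DemoApp", "alg=${summary.alg} sub=${summary.subject} expired=${summary.expired}")
// For SAMPLE_TOKEN this yields alg=HS256, sub=1234567890, expiresAt=null, expired=false
// and claimNames [sub, name, iat].
```

Because the sample payload has no exp claim, expired is false for any clock value; a real cidaas access token carries exp, and the same function tells you when it is time to refresh rather than retry a failing API call.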

Securing apps and managing users is important, and with the OAuth2 and OpenID Connect standards it becomes easy for consumers and developers to achieve it. This example, based on cidaas — Cloud Identity & Access Management — and the cidaas-android-sdk, shows how easily it can be integrated into your Android application.

If you have any questions or suggestions, please leave a comment.
