Add Device Authorization Grant #30
Conversation
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| @MainThread | ||
| private fun displayLoading(loadingMessage: String) { | ||
| findViewById<View>(R.id.loading_container).visibility = View.VISIBLE | ||
| findViewById<View>(R.id.auth_container).visibility = View.GONE |
Check failure
Code scanning / mobsfscan
Hidden elements in view can be used to hide data from user. But this data can be leaked. Error
| // Is logged in! | ||
| startActivity(Intent(this@DeviceLoginActivity, TokenActivity::class.java)) | ||
| } catch (e: AuthorizationException) { | ||
| Log.e(DeviceLoginActivity.TAG, "Error while authorizing", e) |
Check notice
Code scanning / mobsfscan
The App logs information. Sensitive information should never be logged. Note
|
|
||
| displayLoading("Polling for authorization") | ||
|
|
||
| val authState = AuthorizationManager |
Check warning
Code scanning / detekt
Property is unused and should be removed. Warning
| * @return The FusionAuthState object that contains the access token, access token expiration time, and id token. | ||
| */ | ||
| @OptIn(ExperimentalSerializationApi::class) | ||
| private suspend fun deviceAuthorizePolling(response: OAuthDeviceAuthorizationResponse): Flow<FusionAuthState> { |
Check warning
Code scanning / detekt
The `suspend` modifier should not be used for functions that return a Coroutines Flow type. Flows are cold streams and invoking a function that returns one should not produce any side effects. Warning
| flow.catch { | ||
| continuation.resumeWithException(it) | ||
| } |
Check warning
Code scanning / detekt
This call returns a value which is ignored Warning
|
|
||
| displayLoading("Polling for authorization") | ||
|
|
||
| val authState = AuthorizationManager |
Check notice
Code scanning / CodeQL
Unread local variable Note
|
Hiya, I'd rather focus on getting this SDK shipped with equivalent functionality to AppAuth and not moving forward with new features. We still have the iOS SDK to implement as well. Then we can come back and discuss new features. |
Adds the Device Authorization Grant.
Current workflow:
deviceAuthorize()to start the Device Authorization FlowgetDeviceFusionAuthState(), this starts a Flow that polls the back end until the user has logged-in using the verification link and user code, or the link has expiredThings that are not yet implemented
Because this is not covered by AppAuth implementation, I've marked it with an ExperimentalApi decorator.
Related PR on AppAuth openid/AppAuth-Android#763