blob: ac195cf617acbc1cbb598000b5dd1fa87c2dd55c [file] [log] [blame]
// Copyright 2014 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
package org.chromium.chromoting;
import android.content.ActivityNotFoundException;
import android.content.ComponentName;
import android.content.Intent;
import android.text.TextUtils;
import android.util.Base64;
import android.util.Log;
import java.util.ArrayList;
* This class is responsible for fetching a third party token from the user using the OAuth2
* implicit flow. It directs the user to a third party login page located at |tokenUrl|. It relies
* on the |ThirdPartyTokenFetcher$OAuthRedirectActivity| to intercept the access token from the
* redirect at intent://|REDIRECT_URI_PATH|#Intent;...end; upon successful login.
public class ThirdPartyTokenFetcher {
/** Callback for receiving the token. */
public interface Callback {
void onTokenFetched(String code, String accessToken);
/** The path of the Redirect URI. */
private static final String REDIRECT_URI_PATH = "/oauthredirect/";
* Request both the authorization code and access token from the server. See
private static final String RESPONSE_TYPE = "code token";
/** This is used to securely generate an opaque 128 bit for the |mState| variable. */
private static SecureRandom sSecureRandom = new SecureRandom();
/** This is used to launch the third party login page in the browser. */
private Activity mContext;
* An opaque value used by the client to maintain state between the request and callback. The
* authorization server includes this value when redirecting the user-agent back to the client.
* The parameter is used for preventing cross-site request forgery. See
private final String mState;
private final Callback mCallback;
/** The list of TokenUrls allowed by the domain. */
private final ArrayList<String> mTokenUrlPatterns;
private final String mRedirectUriScheme;
private final String mRedirectUri;
public ThirdPartyTokenFetcher(Activity context,
ArrayList<String> tokenUrlPatterns,
Callback callback) {
this.mContext = context;
this.mState = generateXsrfToken();
this.mCallback = callback;
this.mTokenUrlPatterns = tokenUrlPatterns;
this.mRedirectUriScheme = context.getApplicationContext().getPackageName();
// We don't follow the OAuth spec ( of the
// redirect URI as it is possible for the other applications to intercept the redirect URI.
// Instead, we use the intent scheme URI, which can restrict a specific package to handle
// the intent. See
this.mRedirectUri = "intent://" + REDIRECT_URI_PATH + "#Intent;" +
"package=" + mRedirectUriScheme + ";" +
"scheme=" + mRedirectUriScheme + ";end;";
* @param tokenUrl URL of the third party login page.
* @param clientId The client identifier. See
* @param scope The scope of access request. See
public void fetchToken(String tokenUrl, String clientId, String scope) {
if (!isValidTokenUrl(tokenUrl)) {
"Token URL does not match the domain\'s allowed URL patterns." +
" URL: " + tokenUrl +
", patterns: " + TextUtils.join(",", this.mTokenUrlPatterns));
Uri uri = buildRequestUri(tokenUrl, clientId, scope);
Intent intent = new Intent(Intent.ACTION_VIEW, uri);
Log.i("ThirdPartyAuth", "fetchToken() url:" + uri);
OAuthRedirectActivity.setEnabled(mContext, true);
try {
} catch (ActivityNotFoundException e) {
failFetchToken("No browser is installed to open the third party authentication page.");
private Uri buildRequestUri(String tokenUrl, String clientId, String scope) {
Uri.Builder uriBuilder = Uri.parse(tokenUrl).buildUpon();
uriBuilder.appendQueryParameter("redirect_uri", this.mRedirectUri);
uriBuilder.appendQueryParameter("scope", scope);
uriBuilder.appendQueryParameter("client_id", clientId);
uriBuilder.appendQueryParameter("state", mState);
uriBuilder.appendQueryParameter("response_type", RESPONSE_TYPE);
/** Verifies the host-supplied URL matches the domain's allowed URL patterns. */
private boolean isValidTokenUrl(String tokenUrl) {
for (String pattern : mTokenUrlPatterns) {
if (tokenUrl.matches(pattern)) {
return true;
return false;
private boolean isValidIntent(Intent intent) {
assert intent != null;
String action = intent.getAction();
Uri data = intent.getData();
if (data != null) {
return Intent.ACTION_VIEW.equals(action) &&
this.mRedirectUriScheme.equals(data.getScheme()) &&
return false;
public boolean handleTokenFetched(Intent intent) {
assert intent != null;
if (!isValidIntent(intent)) {
Log.w("ThirdPartyAuth", "Ignoring unmatched intent.");
return false;
String accessToken = intent.getStringExtra("access_token");
String code = intent.getStringExtra("code");
String state = intent.getStringExtra("state");
if (!mState.equals(state)) {
failFetchToken("Ignoring redirect with invalid state.");
return false;
if (code == null || accessToken == null) {
failFetchToken("Ignoring redirect with missing code or token.");
return false;
Log.i("ThirdPartyAuth", "handleTokenFetched().");
mCallback.onTokenFetched(code, accessToken);
OAuthRedirectActivity.setEnabled(mContext, false);
return true;
private void failFetchToken(String errorMessage) {
Log.e("ThirdPartyAuth", errorMessage);
mCallback.onTokenFetched("", "");
OAuthRedirectActivity.setEnabled(mContext, false);
/** Generate a 128 bit URL-safe opaque string to prevent cross site request forgery (XSRF).*/
private static String generateXsrfToken() {
byte[] bytes = new byte[16];
// Uses a variant of Base64 to make sure the URL is URL safe:
// URL_SAFE replaces - with _ and + with /.
// NO_WRAP removes the trailing newline character.
// NO_PADDING removes any trailing =.
return Base64.encodeToString(bytes, Base64.URL_SAFE | Base64.NO_WRAP | Base64.NO_PADDING);
* In the OAuth2 implicit flow, the browser will be redirected to
* intent://|REDIRECT_URI_PATH|#Intent;...end; upon a successful login. OAuthRedirectActivity
* uses an intent filter in the manifest to intercept the URL and launch the chromoting app.
* Unfortunately, most browsers on Android, e.g. chrome, reload the URL when a browser
* tab is activated. As a result, chromoting is launched unintentionally when the user restarts
* chrome or closes other tabs that causes the redirect URL to become the topmost tab.
* To solve the problem, the redirect intent-filter is declared in a separate activity,
* |OAuthRedirectActivity| instead of the MainActivity. In this way, we can disable it,
* together with its intent filter, by default. |OAuthRedirectActivity| is only enabled when
* there is a pending token fetch request.
public static class OAuthRedirectActivity extends Activity {
public void onStart() {
// |OAuthRedirectActivity| runs in its own task, it needs to route the intent back
// to to access the state of the current request.
Intent intent = getIntent();
intent.setClass(this, Chromoting.class);
public static void setEnabled(Activity context, boolean enabled) {
int enabledState = enabled ? PackageManager.COMPONENT_ENABLED_STATE_ENABLED
ComponentName component = new ComponentName(