Allow insecure HTTP requests on Android #50
…le testing new dangerouslyAllowInsecureHttpRequests flag
…ethods on Android
b8bb2c6 to 22277ed
| @@ -0,0 +1,128 @@ | |||
| package com.reactlibrary.utils; | |||
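Review bot: at the top of this new 128-line file in the general-purpose com.reactlibrary.utils package, check that the class-level comment states what this builder relaxes and that it may only be selected when dangerouslyAllowInsecureHttpRequests is set. The header is not visible in this excerpt, so this is a request to verify rather than a finding. Recording the upstream commit the file was copied from in that comment would also make later resyncs easier.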
This file is copied as-is from the AppAuth Android example application. Only modification here is that I changed the name from ConnectionBuilderForTesting to UnsafeConnectionBuilder. https://github.com/openid/AppAuth-Android/blob/29329dce430edebdc80e9635895358e20971f286/app/java/net/openid/appauthdemo/ConnectionBuilderForTesting.java
Good stuff. Java is one language I hoped I'd never have to start using, but it seems it's fairly easy to follow. Thanks again for the effort that went into this. I am curious, is this something you use in your projects? Or are you making the lib to make https://formidable.com/ a bit more visible in the community? Reason I am asking is you are doing this admirably professionally. So it doesn't seem like your usual hobby lib :)
| return DefaultConnectionBuilder.INSTANCE; | ||
| } | ||
|
|
||
| private Uri buildConfigurationUriFromIssuer(Uri openIdConnectIssuerUri) { |
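Review bot: buildConfigurationUriFromIssuer(Uri openIdConnectIssuerUri) is declared without a doc comment in the visible lines, and a local copy of a library-private helper will not track upstream changes. Add a short Javadoc naming the method it mirrors and the discovery path it appends, and consider a unit test covering an issuer with and without a trailing path segment. The `return DefaultConnectionBuilder.INSTANCE;` fall-through just above is the right default; keep the unsafe builder reachable only from the branch that precedes it (not shown here).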
Since we are now using fetchFromUrl instead of fetchFromIssuer, we need to construct the issuer WKID endpoint ourselves. Annoyingly the method on AuthorizationServiceConfiguration was private, so I replicated it here. This should be a very stable method, since the URL format is driven by spec and not likely to change.
@PeterKottas Hah, good question. The library was initially built for a client project. We are maintaining and developing it further pro-bono because we think it will be useful for other developers in the community, and when we next need to implement enterprise OAuth, we'll have a well-maintained and familiar tool to reach out for.
Nice one! 👍 Best of luck to you guys. I'll be using this a lot so I'll let you know if I find any more issues. Cheers.
| <dict> | ||
| <key>NSExceptionDomains</key> | ||
| <dict> | ||
| <key>demo.identityserver.io</key> |
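Review bot: the NSExceptionDomains entry for demo.identityserver.io hard-codes a single test host into the app's plist, and the keys set under that host are not visible in this excerpt. Keep the exception scoped per domain as it is here rather than widening it to a global NSAllowsArbitraryLoads, set only what the demo needs under the host, and add a comment or README line stating that the entry exists for exercising the new flag against that server.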
Is this what needs to be done on iOS in order to support insecure connections? If so, should we add a comment to the readme on it?
Yeah, could do that. The library already gives you a very informative warning saying the App Transport Security settings need to be changed to allow HTTP connections. But no harm putting it in the README to save folks some cycles. Will amend 👍
Adds a new optional dangerouslyAllowInsecureHttpRequests flag that allows connecting to plain HTTP resources and HTTPS resources with self-signed or invalid certificates. Fixes #45.