Fix client authentication header on Android (#64)

kadikraman · web-flow · commit df56616b6203 · 2018-02-26T17:20:53.000Z
* Include client auth when clientSecret is included in request

* Add the correct authentication header for refresh requests

* Refactor

* Add instructions in the readme for authenticating with Fitbit

* Fix typo
diff --git a/README.md b/README.md
@@ -15,19 +15,21 @@ React Native bridge for [AppAuth-iOS](https://github.com/openid/AppAuth-iOS) and
 [OpenID Connect](http://openid.net/specs/openid-connect-core-1_0.html) providers.
 
 This library _should_ support any OAuth provider that implements the
-[OAuth2 spec](https://tools.ietf.org/html/rfc6749#section-2.2) and it has been tested with:
+[OAuth2 spec](https://tools.ietf.org/html/rfc6749#section-2.2).
 
+### Tested OpenID providers:
+These providers are OpenID compliant, which means you can use [autodiscovery](https://openid.net/specs/openid-connect-discovery-1_0.html).
 * [Identity Server4](https://demo.identityserver.io/) ([Example configuration](#identity-server-4))
 * [Identity Server3](https://github.com/IdentityServer/IdentityServer3) ([Example configuration](#identity-server-3))
 * [Google](https://developers.google.com/identity/protocols/OAuth2)
   ([Example configuration](#google))
 * [Okta](https://developer.okta.com) ([Example configuration](#okta))
 * [Keycloak](http://www.keycloak.org/) ([Example configuration](#keycloak))
 
-The library uses auto-discovery which means it relies on the the
-[.well-known/openid-configuration](https://openid.net/specs/openid-connect-discovery-1_0.html)
-endpoint to discover all auth endpoints automatically. It will be possible to extend the library
-later to add custom configuration.
+### Tested OAuth2 providers:
+These providers implement the OAuth2 spec, but are not OpenID providers, which means you must configure the authorization and token endpoints yourself.
+* [Uber](https://developer.uber.com/docs/deliveries/guides/three-legged-oauth) ([Example configuration](#uber))
+* [Fitbit](https://dev.fitbit.com/build/reference/web-api/oauth2/) ([Example configuration](#fitbit))
 
 ## Why you may want to use this library
 
@@ -585,6 +587,43 @@ await revoke(config, {
 });
 ```
 
+### Fitbit
+
+Fitbit provides an OAuth 2.0 endpoint for logging in with a Fitbit user's credentials. You'll need to first [register your Fitbit application here](https://dev.fitbit.com/apps/new).
+
+Please note:
+
+* Fitbit does not provide a OIDC discovery endpoint, so `serviceConfiguration` is used instead.
+* Fitbit OAuth requires a [client secret](#note-about-client-secrets).
+
+```js
+const config = {
+  clientId: 'your-client-id-generated-by-uber',
+  clientSecret: 'your-client-secret-generated-by-fitbit',
+  redirectUrl: 'com.whatever.url.you.configured.in.uber.oauth://redirect', //note: path is required
+  scopes: ['activity', 'sleep'],
+  serviceConfiguration: {
+    authorizationEndpoint: 'https://www.fitbit.com/oauth2/authorize',
+    tokenEndpoint: 'https://api.fitbit.com/oauth2/token',
+    revocationEndpoint: 'https://api.fitbit.com/oauth2/revoke'
+  }
+};
+
+// Log in to get an authentication token
+const authState = await authorize(config);
+
+// Refresh token
+const refreshedState = await refresh(config, {
+  refreshToken: authState.refreshToken,
+});
+
+// Revoke token
+await revoke(config, {
+  tokenToRevoke: refreshedState.refreshToken
+});
+```
+
+
 ## Contributors
 
 Thanks goes to these wonderful people
diff --git a/android/src/main/java/com/reactlibrary/RNAppAuthModule.java b/android/src/main/java/com/reactlibrary/RNAppAuthModule.java
@@ -24,6 +24,8 @@
 import net.openid.appauth.AuthorizationResponse;
 import net.openid.appauth.AuthorizationService;
 import net.openid.appauth.AuthorizationServiceConfiguration;
+import net.openid.appauth.ClientAuthentication;
+import net.openid.appauth.ClientSecretBasic;
 import net.openid.appauth.ResponseTypeValues;
 import net.openid.appauth.TokenResponse;
 import net.openid.appauth.TokenRequest;
@@ -42,6 +44,7 @@ public class RNAppAuthModule extends ReactContextBaseJavaModule implements Activ
     private Promise promise;
     private Boolean dangerouslyAllowInsecureHttpRequests;
     private Map<String, String> additionalParametersMap;
+    private String clientSecret;
 
     public RNAppAuthModule(ReactApplicationContext reactContext) {
         super(reactContext);
@@ -75,6 +78,7 @@ public void authorize(
         this.promise = promise;
         this.dangerouslyAllowInsecureHttpRequests = dangerouslyAllowInsecureHttpRequests;
         this.additionalParametersMap = additionalParametersMap;
+        this.clientSecret = clientSecret;
 
         // when serviceConfiguration is provided, we don't need to hit up the OpenID well-known id endpoint
         if (serviceConfiguration != null) {
@@ -159,6 +163,7 @@ public void refresh(
                         scopesString,
                         redirectUrl,
                         additionalParametersMap,
+                        clientSecret,
                         promise
                 );
             } catch (Exception e) {
@@ -186,6 +191,7 @@ public void onFetchConfigurationCompleted(
                                     scopesString,
                                     redirectUrl,
                                     additionalParametersMap,
+                                    clientSecret,
                                     promise
                             );
                         }
@@ -216,21 +222,28 @@ public void onActivityResult(Activity activity, int requestCode, int resultCode,
             AuthorizationService authService = new AuthorizationService(this.reactContext, configuration);
 
             TokenRequest tokenRequest = response.createTokenExchangeRequest(this.additionalParametersMap);
-            authService.performTokenRequest(
-                    tokenRequest,
-                    new AuthorizationService.TokenResponseCallback() {
-
-                        @Override
-                        public void onTokenRequestCompleted(
-                                TokenResponse resp, AuthorizationException ex) {
-                            if (resp != null) {
-                                WritableMap map = tokenResponseToMap(resp);
-                                authorizePromise.resolve(map);
-                            } else {
-                                promise.reject("RNAppAuth Error", "Failed exchange token", ex);
-                            }
-                        }
-                    });
+
+            AuthorizationService.TokenResponseCallback tokenResponseCallback = new AuthorizationService.TokenResponseCallback() {
+
+                @Override
+                public void onTokenRequestCompleted(
+                        TokenResponse resp, AuthorizationException ex) {
+                    if (resp != null) {
+                        WritableMap map = tokenResponseToMap(resp);
+                        authorizePromise.resolve(map);
+                    } else {
+                        promise.reject("RNAppAuth Error", "Failed exchange token", ex);
+                    }
+                }
+            };
+
+            if (this.clientSecret != null) {
+                ClientAuthentication clientAuth = new ClientSecretBasic(this.clientSecret);
+                authService.performTokenRequest(tokenRequest, clientAuth, tokenResponseCallback);
+
+            } else {
+                authService.performTokenRequest(tokenRequest, tokenResponseCallback);
+            }
 
         }
     }
@@ -280,6 +293,7 @@ private void refreshWithConfiguration(
             final String scopesString,
             final String redirectUrl,
             final Map<String, String> additionalParametersMap,
+            final String clientSecret,
             final Promise promise
     ) {
 
@@ -301,7 +315,8 @@ private void refreshWithConfiguration(
         TokenRequest tokenRequest = tokenRequestBuilder.build();
 
         AuthorizationService authService = new AuthorizationService(context, appAuthConfiguration);
-        authService.performTokenRequest(tokenRequest, new AuthorizationService.TokenResponseCallback() {
+
+        AuthorizationService.TokenResponseCallback tokenResponseCallback = new AuthorizationService.TokenResponseCallback() {
             @Override
             public void onTokenRequestCompleted(@Nullable TokenResponse response, @Nullable AuthorizationException ex) {
                 if (response != null) {
@@ -311,7 +326,16 @@ public void onTokenRequestCompleted(@Nullable TokenResponse response, @Nullable
                     promise.reject("RNAppAuth Error", "Failed refresh token");
                 }
             }
-        });
+        };
+
+
+        if (clientSecret != null) {
+            ClientAuthentication clientAuth = new ClientSecretBasic(this.clientSecret);
+            authService.performTokenRequest(tokenRequest, clientAuth, tokenResponseCallback);
+
+        } else {
+            authService.performTokenRequest(tokenRequest, tokenResponseCallback);
+        }
     }
 
     /*
