Redirect Users to login via Keycloak web on android app instead of sending username and password to keyloack via API

[SebaMutuku]

Currently, we login through the app by sending user credentials and secret through an API for keycloak to authenticate. Currently these values are not encrypted and hence poses a security threat in case a user managed to access the device's data. See fetchAccessToken

A library called OpenID/Oauth can bypass this by redirecting to keycloak webpage where users can authenticate directly on keycloak and a token is returned upon successful login. This would improve the security of our application since the credentials are directly entered on keycloak page. The redirection will happen on the android app.

The library follows the best practices set out in RFC 8252 - OAuth 2.0 for Native Apps, including using Custom Tabs for authorization requests.

Implementation guidelines have been explained on the library's github repository.

[dubdabasoduba]

@SebaMutuku Please read this too #1887

[SebaMutuku]

@dubdabasoduba Thanks for this. I also think this lib supports PCE extension. Feel free to check the readme section.

[pld]

The big question is how will this work offline? We've talked this through before and there wasn't an obvious way.

Also, when you not encrypted, you mean, not further encrypted within the channel, but they are always being sent over an encrypted channel, is that correct?