(Legacy) Android SDK with Dynamic Client Registration
Introduction
The AccessEnabler SDK for Android was modified to enable authentication without using session cookies. As more and more browsers restrict access to cookies, another method is needed to allow authentication.
On Android, the use of Chrome Custom Tabs restricts access to cookies from other applications.
Android SDK 3.0.0 introduces:
- Dynamic client registration, which replaces the current app registration mechanism based on signed requestor ID and session cookie authentication
- Chrome Custom Tabs for authentication flows
Dynamic Client Registration
Android SDK v3.0+ will use the Dynamic Client Registration procedure as defined in Dynamic Client Registration Overview.
Feature demo
Please watch this webinar, which gives more context on the feature and contains a demo of how to manage the software statements using the TVE Dashboard and how to test the generated ones using a demo application provided by Adobe as part of the Android SDK.
API Changes
Factory.getInstance
Description: Instantiates the Access Enabler object. There should be a single Access Enabler instance per application instance.
throws AccessEnablerException
Availability: v3.0+
Parameters:
- appContext: Android application context
- softwareStatement: value obtained from TVE Dashboard, or null if "software_statement" is set in strings.xml
- redirectUrl: unique URL, one of the domains in reverse order that was explicitly added in TVE Dashboard, or null if "redirect_uri" is set in strings.xml
Note: an invalid softwareStatement or redirectUrl will prevent the application from initializing AccessEnabler or from registering the application for Adobe Pass Authentication and authorization.
Note: the redirectUrl parameter, or redirect_uri in strings.xml, should be the value of the domain added in TVE Dashboard for the application, in reverse order (for example, for the domain 'adobe.com' added in TVE Dashboard, the redirectUrl should be 'com.adobe').
setRequestor
Description: Establishes the identity of the Channel. Each Channel is assigned a unique ID upon registering with Adobe for the Adobe Pass Authentication system. When dealing with SSO and remote tokens, the authentication state can change while the application is in the background. setRequestor can be called again when the application is brought into the foreground in order to synchronize with the system state (fetch a remote token if SSO is enabled, or delete the local token if a logout happened in the meantime).
The server response contains a list of MVPDs together with some configuration information that is attached to the identity of the Channel. The server response is used internally by the Access Enabler code. Only the status of the operation (i.e. SUCCESS/FAIL) is presented to your application via the setRequestorComplete() callback.
If the urls parameter is not used, the resulting network call targets the default service provider URL: the Adobe Release/Production environment.
If a value is provided for the urls parameter, the resulting network call targets all the URLs provided in the urls parameter. All configuration requests are triggered simultaneously in separate threads. The first responder takes precedence when compiling the list of MVPDs. For each MVPD in the list, the Access Enabler remembers the URL of the associated service provider. All subsequent entitlement requests are directed to the URL associated with the service provider that was paired with the target MVPD during the configuration phase.
public void setRequestor(String requestorId)
Availability: v3.0+
public void setRequestor(String requestorId, ArrayList<String> urls)
Availability: v3.0+
Parameters:
- requestorId: The unique ID associated with the Channel. Pass the unique ID assigned by Adobe to your site when you first registered with the Adobe Pass Authentication service.
- urls: Optional parameter; by default, the Adobe service provider (http://sp.auth.adobe.com/) is used. This array allows you to specify endpoints for authentication and authorization services provided by Adobe (different instances might be used for debugging purposes). You can use this to specify multiple Adobe Pass Authentication service provider instances. When doing so, the MVPD list is composed of the endpoints from all the service providers. Each MVPD is associated with the fastest service provider; that is, the provider that responded first and that supports that MVPD.
Deprecated:
- signedRequestorID: A copy of the requestor ID that is digitally signed with your private key.
Callbacks triggered: setRequestorComplete()
logout
Description: Use this method to initiate the logout flow. The logout is the result of a series of HTTP-redirect operations due to the fact that the user needs to be logged out from both Adobe Pass Authentication servers and also from the MVPD’s servers. As a result, this flow will open a ChromeCustomTab window to execute logout.
Availability: v3.0+
Parameters: None
Callbacks triggered: setAuthenticationStatus()
Programmer Implementation Flow
1. Register Application
a. Obtain software_statement and redirect_uri from Adobe Pass (TVE Dashboard)
b. There are two options to pass these values to Adobe Pass SDK:
- In strings.xml add:
<string name="software_statement">[softwarestatement value]</string>
<string name="redirect_uri">application_url.com</string>
- Call AccessEnabler.getInstance(appContext, softwareStatement, redirectUrl)
2. Configure Application
a. setRequestor(requestor_id)
SDK will do the following operations:
- register application: using software_statement, SDK will obtain a client_id, client_secret, client_id_issued_at, redirect_uris, grant_types. This information will be stored in the application's internal storage.
- obtain an access_token using client_id, client_secret and grant_type="client_credentials". This access_token will be used on each call made by the SDK to Adobe Pass servers
Token Error Responses :
- in case an MVPD requires Passive Authentication, a Chrome Custom Tab will open to execute passive authentication with that MVPD and will close when complete
b. checkAuthentication()
- true : go to Authorization
- false : go to Select MVPD
c. getAuthentication : SDK will include access_token in call parameters
- mvpd remembered : go to setSelectedProvider(mvpd_id)
- mvpd not selected : displayProviderDialog
- mvpd selected : go to setSelectedProvider(mvpd_id)
d. setSelectedProvider
- mvpd_id authentication url is loaded in ChromeCustomTabs
- login successful : delegate.setAuthenticationStatus ( SUCCESS )
- login canceled : reset MVPD selection
- URL scheme is established as “adobepass://redirect_uri” to capture when the authentication is complete
e. get/checkAuthorization : SDK will include access_token in header as Authorization: Bearer access_token
- if authorization is successful, a call will be made for obtaining the media token
f. logout :
- SDK will delete valid token for the current requestor (authentications obtained by other applications and not through SSO will remain valid)
- SDK will open Chrome Custom Tabs to reach mvpd_id logout endpoint. Once completed, the Chrome Custom Tabs will be closed
- URL scheme is established as “adobepass://logout” to capture the moment when logout is complete
- logout will trigger a sendTrackingData(new Event(EVENT_LOGOUT, USER_NOT_AUTHENTICATED_ERROR)) and a callback: setAuthenticationStatus(0, "Logout")
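The reverse-domain rule for redirectUrl and the two callback URIs named in steps d and f can be checked in application code so that a misconfigured or unexpected callback is rejected rather than treated as a completed flow. This is an added example, not code from Adobe or the AccessEnabler SDK: the class RedirectConfigCheck and its methods are hypothetical, and it assumes that redirect_uri in "adobepass://redirect_uri" stands for the configured redirect value.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

/** Hypothetical helper, not part of the AccessEnabler SDK. */
public final class RedirectConfigCheck {
    public enum Callback { AUTHENTICATION_COMPLETE, LOGOUT_COMPLETE, UNEXPECTED }

    /** Turns a dashboard domain such as "adobe.com" into "com.adobe"; rejects anything that is not a bare domain. */
    public static String reverseDomain(String domain) {
        String d = domain.trim().toLowerCase(Locale.ROOT);
        if (!d.matches("[a-z0-9-]+(\\.[a-z0-9-]+)+")) {
            throw new IllegalArgumentException("not a bare domain: " + domain);
        }
        String[] labels = d.split("\\.");
        StringBuilder out = new StringBuilder();
        for (int i = labels.length - 1; i >= 0; i--) {
            out.append(labels[i]);
            if (i > 0) out.append('.');
        }
        return out.toString();
    }

    /** Classifies a callback URI against the configured redirect value; everything else is UNEXPECTED. */
    public static Callback classify(String callbackUri, String redirectUrl) {
        URI uri;
        try {
            uri = new URI(callbackUri);
        } catch (URISyntaxException e) {
            return Callback.UNEXPECTED;
        }
        if (!"adobepass".equalsIgnoreCase(uri.getScheme())) return Callback.UNEXPECTED;
        // Compare the whole authority so that user-info or port tricks do not match.
        String authority = uri.getRawAuthority();
        if (authority == null) return Callback.UNEXPECTED;
        if (authority.equalsIgnoreCase(redirectUrl)) return Callback.AUTHENTICATION_COMPLETE;
        if (authority.equalsIgnoreCase("logout")) return Callback.LOGOUT_COMPLETE;
        return Callback.UNEXPECTED;
    }

    public static void main(String[] args) {
        String redirectUrl = reverseDomain("adobe.com"); // domain from the page's own example
        System.out.println(redirectUrl);
        System.out.println(classify("adobepass://com.adobe", redirectUrl));
        System.out.println(classify("adobepass://logout", redirectUrl));
        System.out.println(classify("adobepass://com.example", redirectUrl)); // constructed mismatch
        System.out.println(classify("https://com.adobe", redirectUrl));       // constructed wrong scheme
    }
}
```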
Note: as each call requires an access_token, possible error codes below are handled in the SDK.