While working on the first version of the carmesh Android application I had some issues with co-ordination between the app and an embedded WebView browser. The issues manifested in an authentication process which had to run in an embedded browser before handing control back to the application.
While the solution to this is quite well known in general, it is not so easy to find written down. The solution is to use the Facebook OAuth libraries on the backend, have the user go through the OAuth flow in a browser, and then share the resulting session between the mobile app and the server so that the app can reach the user's services and data through the server. (Note that this approach does impose responsibilities on the server side: it must ensure that one user's Facebook data is not accessible to other users.)
Within the context of a mobile app, then, it is necessary to embed a mobile browser (an Android WebView) to go through the authentication flow and to extract the session information from the browser once authentication has completed. From then on the mobile app can present this session identifier when communicating with the server, and the server acts on behalf of the user.
The key issue in this approach is how to support interaction between the WebView and the application: the application needs the WebView to perform the authentication, but must regain control, and obtain the session identifier, once this has been done.
- Create a class with Context as parameter and add it to the constructor
It is worth highlighting that this mechanism does have security implications: any page loaded into the WebView can use this channel between the WebView and the mobile app, so the channel needs to be policed. The app should restrict where the WebView is allowed to navigate and treat anything it receives over the channel as untrusted input, so that malicious content cannot take advantage of it.
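The pieces described above, the embedded WebView, the class built with a Context that hands the session identifier back to the app, and the policing of that channel, put together as an added example; this is not the carmesh app's own code. It assumes the standard Android WebView JavaScript interface as the channel, a hypothetical backend host `auth.example.com` that ends the OAuth flow by serving a page which calls `window.CarmeshBridge.onSessionReady(sessionId)`, and an opaque URL-safe session identifier format; the post names none of these.

```java
// Added example, not the carmesh app's code. Hypothetical hosts and session-id format.
package com.example.webviewauth;

import android.app.Activity;
import android.content.Context;
import android.content.Intent;
import android.net.Uri;
import android.os.Bundle;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;

public class AuthActivity extends Activity {
    public static final String EXTRA_SESSION_ID = "session_id";

    // Assumed hosts: the backend that drives the OAuth flow, plus Facebook's login pages.
    private static final String BACKEND_HOST = "auth.example.com";
    private static final Set<String> ALLOWED_HOSTS = new HashSet<>(Arrays.asList(
            BACKEND_HOST, "www.facebook.com", "m.facebook.com"));
    private static final String LOGIN_URL = "https://" + BACKEND_HOST + "/login/facebook";
    // Assumed shape of the backend's session identifier: opaque, URL-safe, 32-128 chars.
    private static final Pattern SESSION_ID_SHAPE = Pattern.compile("^[A-Za-z0-9_-]{32,128}$");

    private WebView webView;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        webView = new WebView(this);
        setContentView(webView);
        webView.getSettings().setJavaScriptEnabled(true);
        // The bridge object, built with a Context as in the step above, becomes
        // window.CarmeshBridge inside every page the WebView loads.
        webView.addJavascriptInterface(new SessionBridge(this), "CarmeshBridge");
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                // Police navigation: only https to allow-listed hosts. Returning true
                // cancels the navigation, so any redirect elsewhere is dropped.
                Uri uri = Uri.parse(url);
                return !"https".equals(uri.getScheme()) || !ALLOWED_HOSTS.contains(uri.getHost());
            }
        });
        webView.loadUrl(LOGIN_URL);
    }

    // Reached from JavaScript on a background thread. WebView state may only be read on
    // the UI thread, so the origin check is posted there before the token is accepted.
    private void onSessionReady(final String sessionId) {
        runOnUiThread(new Runnable() {
            @Override
            public void run() {
                String current = webView.getUrl() == null ? "" : webView.getUrl();
                Uri uri = Uri.parse(current);
                boolean fromBackend = "https".equals(uri.getScheme())
                        && BACKEND_HOST.equals(uri.getHost());
                // Only the backend's own page may hand over a session; anything else
                // (including facebook.com itself) and any malformed token is ignored.
                if (!fromBackend || sessionId == null
                        || !SESSION_ID_SHAPE.matcher(sessionId).matches()) {
                    return;
                }
                setResult(RESULT_OK, new Intent().putExtra(EXTRA_SESSION_ID, sessionId));
                finish();
            }
        });
    }

    // The object exposed to page JavaScript. Only @JavascriptInterface methods are callable
    // (with targetSdkVersion 17 or later), and it exposes exactly one of them.
    public static class SessionBridge {
        private final AuthActivity activity;

        public SessionBridge(Context context) {
            this.activity = (AuthActivity) context; // the activity passes itself as the Context
        }

        @JavascriptInterface
        public void onSessionReady(String sessionId) {
            activity.onSessionReady(sessionId);
        }
    }
}
```

The calling activity starts this one with `startActivityForResult` and reads `EXTRA_SESSION_ID` from the result, then sends the identifier to the backend over HTTPS on subsequent requests. Two points drive the design: the bridge is reachable from every page the WebView loads, so navigation is limited to the hosts the flow genuinely needs and the token is accepted only while the backend's own page is showing; and with a targetSdkVersion below 17 the WebView exposes all public methods of the bridge object by reflection, so the `@JavascriptInterface` annotation only buys isolation on 17 and above.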
Having done all that, the user can log in with Facebook credentials, and the mobile app can then interact naturally with the server using the retained session.