
Android - InboundSSO Module

InboundSSO provides OAuth 2.0 and OIDC functionality to the DevApp. It is an authentication module and replaces the login screen.

Enabling InboundSSO

There are three steps to enable InboundSSO: add the dependency to build.gradle, update the manifestPlaceholders array in build.gradle, and configure settings.json.

1. Add the Dependency

In your DevApp's build.gradle, add the InboundSSO dependency to the dependencies block. The line is already present; you just need to uncomment it.

dependencies {
    // Provides OAuth 2.0 functionality to the DevApp.
    // Uncomment when using InboundSSO
    implementation "com.q2.app.modules.inboundsso:inboundsso:$q2Version"
}

2. Add Manifest Placeholders

Manifest placeholders are used so your OAuth provider knows how to redirect back to the application after authorization. In your DevApp's build.gradle, uncomment the manifestPlaceholders field in android.defaultConfig and add your redirect URI. The value is configured in your Identity Provider's (IDP) portal.

android {
    namespace 'com.q2.devapp'

    defaultConfig {
        ...
        // Uncomment when using InboundSSO.
        // replace value with your configuration's redirect scheme. This will be the same as
        // 'signInRedirectUri' in settings.json
        manifestPlaceholders = [
            "webAuthenticationRedirectScheme": "{your redirect scheme}"
        ]
    }
}
Tip: The value of "webAuthenticationRedirectScheme" will be the same as the "signInRedirectUri" in settings.json. See Configure settings.json below.

3. Configure settings.json

In your DevApp's settings.json, configure the module's OAuth configuration fields and verify that the module's enabled field is set to true.

{
  "name": "inboundSSO",
  "classPath": "com.q2.app.modules.inboundsso.InboundSSOEntryPoint",
  "include": ":modules:inboundsso",
  "data": {
    "buildProperties": {
      "discoveryUrl": "",
      "clientId": "",
      "signInRedirectUri": "",
      "signOutRedirectUri": ""
    }
  },
  "enabled": true
}

Configuration Properties

OAuth configuration lives within the data.buildProperties object and supports the following properties:

  • discoveryUrl (required): The OIDC discovery URL.
  • clientId (required): Client ID associated with your application in your IDP.
  • signInRedirectUri (required): The application scheme the authorization page uses to redirect back to the application.
  • signOutRedirectUri (required): The application scheme the logout flow uses to redirect back to the application. The host portion must match the signInRedirectUri. For example, if the signInRedirectUri is com.okta.app:/login then the signOutRedirectUri should be com.okta.app:/logout.
  • scopes (optional): Scopes granted to the application, separated by a single space. If left blank, the value defaults to openid profile offline_access.
  • audience (optional): Audience is provided to the authorization request as a query parameter. If audience is not set, no audience is sent.
  • usernameClaim (optional): Username field in the ID token.
  • identifierClaim (optional): Identifier field in the ID token for uniquely identifying a user.
  • customSignInOptions (optional): A string of key-value pairs that will be appended to the authorization request as a series of query parameters. Example of valid input: "{identity_provider=bank, test=value, test2=123}"

If the discovery URL is not usable because you have different endpoints for mobile, you can add an oidcEndpoints object to the data object to bypass discovery. You still need to configure the required fields of buildProperties.

{
  "name": "inboundSSO",
  "classPath": "com.q2.app.modules.inboundsso.InboundSSOEntryPoint",
  "include": ":modules:inboundsso",
  "data": {
    "buildProperties": {
      ...
    },
    "oidcEndpoints": {
      "issuer": "{your issuer url}",
      "authorizationEndpoint": "{your authorization url}",
      "tokenEndpoint": "{your token url}",
      "userInfoEndpoint": "{your user info url}",
      "jwksUri": "{your JWK endpoint}",
      "introspectionEndpoint": "{your introspection url}",
      "revocationEndpoint": "{your revocation url}",
      "endSessionEndpoint": "{your end session url}",
      "deviceAuthorizationEndpoint": "{your device authorization url}"
    }
  },
  "enabled": true
}
  • issuer (required)
  • authorizationEndpoint (required)
  • tokenEndpoint (required)
  • userInfoEndpoint (required)
  • jwksUri (required)
  • introspectionEndpoint (required)
  • revocationEndpoint (required)
  • endSessionEndpoint (required)
  • deviceAuthorizationEndpoint (required)
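The rules in the Configuration Properties list (required buildProperties, the signIn/signOut host match, the default scopes, the audience parameter and the "{key=value, ...}" form of customSignInOptions) and the all-required oidcEndpoints block above can be checked before the app is built. The following Python script is an added example, not code from the InboundSSO module or the Q2 SDK: it validates a module entry, parses customSignInOptions, and assembles the authorization-request query the configuration implies. The sample entry, its URLs and client ID are constructed placeholders; the "host portion" of a custom-scheme redirect is taken as the text before the first colon, which is how the page's com.okta.app example reads; and the exact parameter set the module sends is not documented on the page, so the query builder uses the standard OAuth 2.0 authorization-code parameters plus the additions the page describes.

```python
import copy
import json

# Constructed sample of the settings.json module entry this page describes.
# The URLs, client ID and option values are placeholders, not a real deployment.
SAMPLE_MODULE = json.loads("""
{
  "name": "inboundSSO",
  "classPath": "com.q2.app.modules.inboundsso.InboundSSOEntryPoint",
  "include": ":modules:inboundsso",
  "data": {
    "buildProperties": {
      "discoveryUrl": "https://idp.example.com/.well-known/openid-configuration",
      "clientId": "example-client-id",
      "signInRedirectUri": "com.okta.app:/login",
      "signOutRedirectUri": "com.okta.app:/logout",
      "audience": "api://devapp",
      "customSignInOptions": "{identity_provider=bank, test=value, test2=123}"
    }
  },
  "enabled": true
}
""")

REQUIRED_BUILD_PROPERTIES = ("discoveryUrl", "clientId",
                             "signInRedirectUri", "signOutRedirectUri")
REQUIRED_OIDC_ENDPOINTS = ("issuer", "authorizationEndpoint", "tokenEndpoint",
                           "userInfoEndpoint", "jwksUri", "introspectionEndpoint",
                           "revocationEndpoint", "endSessionEndpoint",
                           "deviceAuthorizationEndpoint")
DEFAULT_SCOPES = "openid profile offline_access"


def redirect_host(uri):
    # For a custom-scheme redirect such as com.okta.app:/login, the text before
    # the first colon is the part the page calls the "host portion" (assumption).
    return uri.split(":", 1)[0]


def parse_custom_sign_in_options(text):
    # Parses the "{key=value, key2=value2}" form the page lists as valid input
    # into a dict; raises ValueError on anything else.
    body = text.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("customSignInOptions must be wrapped in braces")
    options = {}
    for pair in filter(None, (p.strip() for p in body[1:-1].split(","))):
        if "=" not in pair:
            raise ValueError(f"malformed key-value pair: {pair!r}")
        key, value = pair.split("=", 1)
        options[key.strip()] = value.strip()
    return options


def validate_module(module):
    # Returns a list of problems; an empty list means the entry satisfies the
    # rules stated on this page.
    problems = []
    if module.get("enabled") is not True:
        problems.append("enabled must be true")
    data = module.get("data", {})
    props = data.get("buildProperties", {})
    for key in REQUIRED_BUILD_PROPERTIES:
        if not props.get(key):
            problems.append(f"buildProperties.{key} is required")
    sign_in = props.get("signInRedirectUri", "")
    sign_out = props.get("signOutRedirectUri", "")
    if sign_in and sign_out and redirect_host(sign_in) != redirect_host(sign_out):
        problems.append("signOutRedirectUri host must match signInRedirectUri")
    if "customSignInOptions" in props:
        try:
            parse_custom_sign_in_options(props["customSignInOptions"])
        except ValueError as exc:
            problems.append(f"customSignInOptions: {exc}")
    # oidcEndpoints is optional, but when present every endpoint is required.
    if "oidcEndpoints" in data:
        for key in REQUIRED_OIDC_ENDPOINTS:
            if not data["oidcEndpoints"].get(key):
                problems.append(f"oidcEndpoints.{key} is required")
    return problems


def authorization_query(props):
    # Standard OAuth 2.0 authorization-code request parameters, plus the page's
    # scope default, the optional audience and the customSignInOptions pairs.
    query = {
        "response_type": "code",
        "client_id": props["clientId"],
        "redirect_uri": props["signInRedirectUri"],
        "scope": props.get("scopes") or DEFAULT_SCOPES,
    }
    if props.get("audience"):
        query["audience"] = props["audience"]
    query.update(parse_custom_sign_in_options(props.get("customSignInOptions", "{}")))
    return query


def sample_with(**overrides):
    # Deep-copies SAMPLE_MODULE with buildProperties overrides, so a
    # misconfiguration can be tried without mutating the sample.
    module = copy.deepcopy(SAMPLE_MODULE)
    module["data"]["buildProperties"].update(overrides)
    return module


if __name__ == "__main__":
    print(validate_module(SAMPLE_MODULE))
    print(validate_module(sample_with(signOutRedirectUri="com.other.app:/logout")))
    print(authorization_query(SAMPLE_MODULE["data"]["buildProperties"]))
```

Run it against your own settings.json by loading the inboundSSO entry in place of SAMPLE_MODULE; a non-empty list from validate_module names the field that will fail at sign-in time, and the query dict shows which values leave the device in the authorization request.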