openid / appauth-android Goto Github PK

Hi!
When the user doesn't have the Chrome app the Custom Tab will open the browser by default making the application UI ugly in my opinion. Is there a chance that I can open the login url on a webview? I know that the instructions says no but I still want to know if there's a chance.

I need to add a "client_secret" when I'm doing the token request. How can I add this?

OAuth2 and OpenID Connect make use of space-delimited string lists in a number of parameters (e.g. scope, prompt). While we currently check that these strings are null or not empty, we are not checking that they are ASCII-only.

Hi,
I'm imported the project into Android Studio and it doesn't build.
It complains at line 26:
def grgit = org.ajoberstar.grgit.Grgit.open(dir: '.')
What should I do?

Moreover, for every Gradle command, lint is saying "cannot resolve symbol"

OpenID Connect Core 1.0, Section 3.1.2.1,
"prompt" parameter:

OPTIONAL. Space delimited, case sensitive list of ASCII string values that specifies whether the Authorization Server prompts the End-User for reauthentication and consent. The defined values are:

none
The Authorization Server MUST NOT display any authentication or consent user interface pages. An error is returned if an End-User is not already authenticated or the Client does not have pre-configured consent for the requested Claims or does not fulfill other conditions for processing the request. The error code will typically be login_required, interaction_required, or another code defined in Section 3.1.2.6. This can be used as a method to check for existing authentication and/or consent.

login
The Authorization Server SHOULD prompt the End-User for reauthentication. If it cannot reauthenticate the End-User, it MUST return an error, typically login_required.

consent
The Authorization Server SHOULD prompt the End-User for consent before returning information to the Client. If it cannot obtain consent, it MUST return an error, typically consent_required.

select_account
The Authorization Server SHOULD prompt the End-User to select a user account. This enables an End-User who has multiple accounts at the Authorization Server to select amongst the multiple accounts that they might have current sessions for. If it cannot obtain an account selection choice made by the End-User, it MUST return an error, typically account_selection_required.

Will android account manager be supported in future ?

Multiple requests to the AuthorizationService result in multiple instances of the Custom tabs from opening. We should handle requests more gracefully and prevent requests with the same requestId from going through.

OPTIONAL. String value used to associate a Client session with an ID Token, and to mitigate replay attacks. The value is passed through unmodified from the Authentication Request to the ID Token. Sufficient entropy MUST be present in the nonce values used to prevent attackers from guessing values. For implementation notes, see Section 15.5.2.

Section 3.2.2.1, "Authentication Request" specifies that this parameter is REQUIRED for implicit flow authentication requests (those with response type id_token or id_token token).

I am trying to do openID connect Auth, successfully got AuthorizationResponse, but getting:

AuthorizationException: {"type":0,"code":3,"errorDescription":"Network error"}
caused by

java.io.FileNotFoundException: http://api.my_addr.com:8080/connect/token

on line #154 of AuthorizationService.class
is = conn.getInputStream();
I found answer on stackoverflow (http://stackoverflow.com/questions/9365829/filenotfoundexception-for-httpurlconnection-in-ice-cream-sandwich), but I cannot edit library code.

OpenID Connect Core 1.0, Section 5.5, claims parameter:

OPTIONAL. This parameter is used to request that specific Claims be returned. The value is a JSON object listing the requested Claims.

An example Claims request is as follows:

{
  "userinfo":
  {
      "given_name": {"essential": true},
      "nickname": null,
      "email": {"essential": true},
      "email_verified": {"essential": true},
      "picture": null,
      "http://example.info/claims/groups": null
  },
  "id_token":
  {
      "auth_time": {"essential": true},
      "acr": {"values": ["urn:mace:incommon:iap:silver"] }
  }
}

I followed the instructions in app/README.md for configuring the demo app included in this repository with Google Sign-In and found some things that maybe could be made clearer:

• The enabling Google services page for Google Sign-In expects the SHA1 fingerprint of the certificate, while the command shown for extracting fingerprints picks SHA256 (via grep SHA256). The command from e.g. https://support.google.com/cloud/answer/6158849?hl=en#android should be shown/linked instead.
• There is no mention of having to change the value of google_enabled in res/values/idp_configs.xml to true (kind of obvious, but I missed it the first time I edited the file).

OpenID Connect Core 1.0, Section 3.1.2.1, acr_values parameter:

OPTIONAL. Requested Authentication Context Class Reference values. Space-separated string that specifies the acr values that the Authorization Server is being requested to use for processing this Authentication Request, with the values appearing in order of preference. The Authentication Context Class satisfied by the authentication performed is returned as the acr Claim Value, as specified in Section 2. The acr Claim is requested as a Voluntary Claim by this parameter.

OpenID Connect Core 1.0, Section 3.1.2.1, id_token_hint parameter:

OPTIONAL. ID Token previously issued by the Authorization Server being passed as a hint about the End-User's current or past authenticated session with the Client. If the End-User identified by the ID Token is logged in or is logged in by the request, then the Authorization Server returns a positive response; otherwise, it SHOULD return an error, such as login_required. When possible, an id_token_hint SHOULD be present when prompt=none is used and an invalid_request error MAY be returned if it is not; however, the server SHOULD respond successfully when possible, even if it is not present. The Authorization Server need not be listed as an audience of the ID Token when it is used as an id_token_hint value.

If the ID Token received by the RP from the OP is encrypted, to use it as an id_token_hint, the Client MUST decrypt the signed ID Token contained within the encrypted ID Token. The Client MAY re-encrypt the signed ID token to the Authentication Server using a key that enables the server to decrypt the ID Token, and use the re-encrypted ID token as the id_token_hint value.

Hello all,
I've downloaded and run locally mitreid server, and I'm trying to integrate it with this app, following the instructions, but I have issues with TokenActivity, to be more specific I get the snackbar saying:
"Token refresh Failed"
and debugging I found out that there is an "AuthorizationException" whose json is:
{"type":0,"code":3,"errorDescription":"Network error"}

The issue is on token request (I debugged it), because i can see the login and the redirect works correctly (I see the app going on the web server apps list), but token won't work.
I don't think it is an issue of a mitre configuration (but it could be?),

The grant type is set to: "authorization code" and "refresh", under response type, "code" "token" and "id_token" are enabled.

What else can I do? the token endpoint is correct, but is not working!

In AuthorizationService::TokenRequestTask::doInBackground(), the URL that is constructed (local variable 'url' inside try block) is missing the port from the request URI. This omission seems to cause FileNotFoundException when connecting to the token endpoint.

Hi,

I'm trying to get this library to work with the Microsoft v2 Authentication Endpoint. I'm running into the following error:

java.lang.RuntimeException: Unable to start activity ComponentInfo{net.openid.appauthdemo/net.openid.appauth.RedirectUriReceiverActivity}: java.lang.UnsupportedOperationException: This isn't a hierarchical URI.

The exception is thrown in RedirectUriReceiverActivity.

The problem is that the Microsoft URI format is like this urn:ietf:wg:oauth:2.0:oob and Uri.getQueryParameter doesn't like it.

Is there any workaround to make it work with this provider?
Thanks for the great work, by the way.

Are there any plans to support the Hybrid Flow described in section 2 of http://openid.net/specs/openid-connect-implicit-1_0.html?

OpenID Connect Core 1.0, Section 3.1.2.1, "display" parameter:

OPTIONAL. ASCII string value that specifies how the Authorization Server displays the authentication and consent user interface pages to the End-User. The defined values are:

page
The Authorization Server SHOULD display the authentication and consent UI consistent with a full User Agent page view. If the display parameter is not specified, this is the default display mode.

popup
The Authorization Server SHOULD display the authentication and consent UI consistent with a popup User Agent window. The popup User Agent window should be of an appropriate size for a login-focused dialog and should not obscure the entire window that it is popping up over.

touch
The Authorization Server SHOULD display the authentication and consent UI consistent with a device that leverages a touch interface.

wap
The Authorization Server SHOULD display the authentication and consent UI consistent with a "feature phone" type display.

AuthorizationServiceConfiguration.fetchFromIssuer("https://accounts.google.com") fails with the following Exception.

Caused by: java.io.FileNotFoundException: https://accounts.google.com/.well-known%2Fopenid-configuration

Hello.

I managed to include Keycloak logout support in my company. What I did was copy the following files:

• AuthorizationService => LogoutService
• AuthorizationRequest => LogoutRequest
• RedirectUriReceiverActivity => LogoutUriReceiverActivity
• PendingIntentStore => PendingLogoutIntentStore

So basically I used the same CustomTab/Browser authorization mechanism but for logout. I'm aware open id connect logout is still a draft. However it seemed to me that the code is not generic enough to allow "CustomTab commands" other than login.

What I want to know is if this is correct and if it's not what can I do to avoid copy/paste?

I need to add a "client_secret" when I'm doing the token request. How can I add this?

I'm trying to get the demo project working to authenticate me with Google. I have two problems:

1. The AppAuth-Android framework isn't sending the required client_secret parameter when it makes its token request. I can fix this from the client side by passing in an additional_parameters map.
2. The response from Google includes an id_token but not a refresh_token. Then when I press the "View user info" button that appears on TokenActivity it crashes because of an invalid state exception - it doesn't have the necessary refresh token

Any ideas?

Need to validate what happens with AppAuth if you try and do an authorization request in a Work profile without a browser being present in the Work profile.

Generally speaking if you fire a browser intent in a Work profile with no browser, it will open the personal browser, and the OAuth flow will not complete successfully (intents from work->personal are one-way and can't be returned).

Ideally we would catch this condition before firing any intents.

It seems gradle can't find "org.ajoberstar.grgit.Grgit" ?

Error:(132, 0) Cause: repository not found: /Users/cwang/Downloads/AppAuth-Android-master
Open File

Hello,
we have integrated this into an openid connect solution without issue really top notch, however we have run into a problem. In essence, our app requires to switch to SMS to get a one time password, during authentication. When we do, we lose the application state and we no longer see the screen for the OTP in the custom tab.

Is there a way to force the auth state to be stored and restored upon coming back?

Documentation is at https://dirg.org.umu.se/static/oictest/how_to_use_rp_test.html
The code is at https://github.com/rohe/oidctest/

Notes:

• Can only test RPs that can use OP configuration discovery information
• Path specifies behavior of test OP
• Uses IP address of RP as correlation handle for requests
• Logs at /log//

Support validating JWTs and extracting their claims as a map. This will require the ability to either dynamically use the jwks_uri keys provided by the provider's discovery document, or a set of acceptable keys provided by the developer.

The prompt value is serialized but not deserialized, resulting in the loss of the original value.

I should preface this by stating that I'm only looking at this library as sample code (for the "modernized" OAUTH flow), and have no plans to actually use it.

It's not apparent to me if the sample app and the library would be able to handle this scenario:

1 - User initiates approval flow (the initial stage where "this app would like to know your email, name, ...")

2 - The app makes a PendingIntent for TokenActivity and the library stores it in PendingIntentStore

3 - Chome (or some other browser) comes up in front of the app, user starts interacting with it

4 - Android kills the app which is now in background (memory pressure, whatever). PendingIntentStore and everything in it is gone

5 - User finally presses "Agree", the browser fires the "custom scheme intent"

6 - Android creates a new process for the app and launches RedirectUriReceiverActivity

And now:

7 - PendingIntentStore will not have the original intent and getOriginalRequest inside RedirectUriReceiverActivity will return null and the subsequent logic for handling the authorization code will fail.

That is, unless I'm missing something and MainActivity (which was in front when Chrome with the authorization screen popped up) or something else is going to re-create the original pending intent and register it in PendingIntentStore before RedirectUriReceiverActivity needs to use it.

Another interesting case is the user changing the device's orientation while on the approval screen in the web browser. Then Android may destroy and re-create MainActivity and that, from looking at the code, will launch a whole new "flow" for approval.

I've encountered a leak problem. I was using a simulator without Chrome installed. On a Chrome installed simulator the leak won't happen.

This leak was occurred when I hit the back button and while the MainActivity turned into background.

And when I dig a little deeper into the problem I found that the mBrowserPackage in the BrowserHandler was resolved to com.android.browser and the return value of CustomTabsClient#bindCustomTabsService(...) is false. So the connection is not retained in the BrowserHandler and when BrowserHandler#unbind() is called, nothing is unbind.

I've tried to retained the connection even when CustomTabsClient#bindCustomTabsService(...) returns false. It seems solve the leak problem, but I'm not sure will there be any side effects.

07-06 10:12:45.442 3929-3929/net.openid.appauthdemo E/ActivityThread: Activity net.openid.appauthdemo.MainActivity has leaked ServiceConnection net.openid.appauth.BrowserHandler$1@2206f76 that was originally bound here
                                                                      android.app.ServiceConnectionLeaked: Activity net.openid.appauthdemo.MainActivity has leaked ServiceConnection net.openid.appauth.BrowserHandler$1@2206f76 that was originally bound here
                                                                          at android.app.LoadedApk$ServiceDispatcher.<init>(LoadedApk.java:1092)
                                                                          at android.app.LoadedApk.getServiceDispatcher(LoadedApk.java:986)
                                                                          at android.app.ContextImpl.bindServiceCommon(ContextImpl.java:1303)
                                                                          at android.app.ContextImpl.bindService(ContextImpl.java:1286)
                                                                          at android.content.ContextWrapper.bindService(ContextWrapper.java:604)
                                                                          at android.support.customtabs.CustomTabsClient.bindCustomTabsService(CustomTabsClient.java:60)
                                                                          at net.openid.appauth.BrowserHandler.bindCustomTabsService(BrowserHandler.java:86)
                                                                          at net.openid.appauth.BrowserHandler.<init>(BrowserHandler.java:61)
                                                                          at net.openid.appauth.AuthorizationService.<init>(AuthorizationService.java:101)
                                                                          at net.openid.appauthdemo.MainActivity.onCreate(MainActivity.java:63)
                                                                          at android.app.Activity.performCreate(Activity.java:6237)
                                                                          at android.app.Instrumentation.callActivityOnCreate(Instrumentation.java:1107)
                                                                          at android.app.ActivityThread.performLaunchActivity(ActivityThread.java:2369)
                                                                          at android.app.ActivityThread.handleLaunchActivity(ActivityThread.java:2476)
                                                                          at android.app.ActivityThread.-wrap11(ActivityThread.java)
                                                                          at android.app.ActivityThread$H.handleMessage(ActivityThread.java:1344)
                                                                          at android.os.Handler.dispatchMessage(Handler.java:102)
                                                                          at android.os.Looper.loop(Looper.java:148)
                                                                          at android.app.ActivityThread.main(ActivityThread.java:5417)
                                                                          at java.lang.reflect.Method.invoke(Native Method)
                                                                          at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:726)
                                                                          at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:616)

Maybe you should replace the check at line
https://github.com/openid/AppAuth-Android/blob/master/library/java/net/openid/appauth/AuthorizationServiceConfiguration.java#L169

with

JsonUtil.getUriIfDefined(json, KEY_REGISTRATION_ENDPOINT));

Apologize for the generic issue but would love to see the library and sample like other android specific libraries from google open source like google-services/signin
or developer relations library like easypermissions (for non-official ones)

The talk and the premises addressed here are bleeding edge (custom tabs, PKCE etc.) but setting it up is a huge pain in the ass.

Is adding this in firebase authentication on the roadmap?

OpenID Connect Core 1.0, Section 7.2.1, registration parameter:

OPTIONAL. This parameter is used by the Client to provide information about itself to a Self-Issued OP that would normally be provided to an OP during Dynamic Client Registration. The value is a JSON object containing Client metadata values, as defined in Section 2.1 of the OpenID Connect Dynamic Client Registration 1.0 specification. The registration parameter SHOULD NOT be used when the OP is not a Self-Issued OP.

OpenID Connect Core 1.0, Section 6.0, request_uri parameter:

OPTIONAL. This parameter enables OpenID Connect requests to be passed by reference, rather than by value. The request_uri value is a URL using the https scheme referencing a resource containing a Request Object value, which is a JWT containing the request parameters.

I've found what seems to be an error on the BrowserPackageHelper when no default browser is defined.
I get a java.lang.NullPointerException on the isFullBrowser method because the ResolveInfo is not null however the ResolveInfo.filter is null.
This seems to be the documented behaviour for the PackageManager.resolveActivity method when more than one option exists (i.e. no default)- "If multiple matching activities are found and there is no default set, returns a ResolveInfo containing something else, such as the activity resolver."

I'm trying to get the demo app up and running against an IDP/OP in my domain (so not Google Sign-In).
How do I specify the redirect URI in idp_configs.xml/idp_configs_optional.xml, such that the authentication response is delivered through an Intent (similar to the case for Google Sign-In)?
The example documentation only shows an HTTP-url as redirect_uri, which I think assumes another web server receiving the response and not the demo app?
Do I need to add another intent filter in the manifest, similar to

If there is no browser at all user would get unexpected ActivityNotFoundException:

android.content.ActivityNotFoundException: No Activity found to handle Intent { act=android.intent.action.VIEW dat=https://accounts.google.com/o/oauth2/v2/auth?redirect_uri=com.googleusercontent.apps.nope:/oauth2redirect&client_id=529788761403-aj9ff2svir6lsqjnck6jnjmqhfop77mk.apps.googleusercontent.com&response_type=code&state=Od4cn-XBtdi3Qdjnl5t7wg&scope=openid profile email&code_challenge=WJOmc7Hs3GcF0FpQ7dUJ3ISZxwETpkSmBods2dgMLr4&code_challenge_method=S256 flg=0x40000000 pkg=com.android.chrome (has extras) }
at android.app.Instrumentation.checkStartActivityResult(Instrumentation.java:1551)
at android.app.Instrumentation.execStartActivity(Instrumentation.java:1422)
at android.app.Activity.startActivityForResult(Activity.java:3375)
at android.app.Activity.startActivityForResult(Activity.java:3331)
at android.support.v4.app.FragmentActivity.startActivityForResult(FragmentActivity.java:843)
at android.app.Activity.startActivity(Activity.java:3546)
at android.app.Activity.startActivity(Activity.java:3514)
at net.openid.appauth.AuthorizationService.performAuthorizationRequest(AuthorizationService.java:173)
at net.openid.appauthdemo.MainActivity.makeAuthRequest(MainActivity.java:143)
at net.openid.appauthdemo.MainActivity.access$100(MainActivity.java:54)
at net.openid.appauthdemo.MainActivity$1.onFetchConfigurationCompleted(MainActivity.java:89)
at net.openid.appauth.AuthorizationServiceConfiguration$ConfigurationRetrievalAsyncTask.onPostExecute(AuthorizationServiceConfiguration.java:325)
at net.openid.appauth.AuthorizationServiceConfiguration$ConfigurationRetrievalAsyncTask.onPostExecute(AuthorizationServiceConfiguration.java:266)
at android.os.AsyncTask.finish(AsyncTask.java:631)
at android.os.AsyncTask.access$600(AsyncTask.java:177)
at android.os.AsyncTask$InternalHandler.handleMessage(AsyncTask.java:644)
at android.os.Handler.dispatchMessage(Handler.java:99)
at android.os.Looper.loop(Looper.java:153)
at android.app.ActivityThread.main(ActivityThread.java:5022)
at java.lang.reflect.Method.invokeNative(Native Method)
at java.lang.reflect.Method.invoke(Method.java:511)
at com.android.internal.os.ZygoteInit$MethodAndArgsCaller.run(ZygoteInit.java:1032)
at com.android.internal.os.ZygoteInit.main(ZygoteInit.java:790)
at dalvik.system.NativeStart.main(Native Method)

Consider a scenario where the client requests an ID token, access token and refresh token on their authorization request. This is granted, and after exchange of the authorization code, they receive the requested tokens. An IDP can freely choose different expiration times for access tokens and ID tokens, so let's say that an ID token lasts 24 hours, and an access token lasts 1 hour.

After an hour of using the tokens with the help of AuthState.performActionWithFreshTokens, the access token expires and we request fresh tokens. The received token response replaces the original token response, which contained the (still valid) ID token. This response may or may not contain a new ID token; this is entirely up to the behavior of the IDP - I can't see anything in the spec that would require a refresh exchange to always yield the same tokens as the original code exchange.

So, the original ID token is lost when the token response is replaced, and there may not be a new one in the new token response to replace it. Should AuthState be storing token values independently of the authorization and token responses, to avoid this scenario?

I'm trying to use the library in conjunction with a 3rd party OAuth provider. I'm having issues though trying to return the Authorization Code back from the RedirectUriReceiverActivity. I have 2 options the server provides: either use http://localhost as the redirect URI and the Authorization Code will be returned as a query parameter; or use urn:ietf:wg:oauth:2.0:oob as the redirect URI and receive the code inside the web browser title.

Now I have 2 questions:

1. Are you going to add support for retrieving the Authorization Code from the browser title bar? I suppose not, but thought of asking anyway.
2. When the OAuth server redirects the client to http://localhost, the browser obviously says "This site can't be reached", but the authorization service doesn't return the code to the calling app, it just keeps displaying the browser window. I've already added the URI scheme as shown in the sample code below. What seems to be the problem in this case?

Calling the authorization service:

Uri authUri = Uri.parse(URI_AUTH);
Uri redirectUri = Uri.parse("http://localhost");
Uri tokenUri = Uri.parse(URI_TOKEN);
AuthorizationServiceConfiguration authorizationServiceConfiguration =
        new AuthorizationServiceConfiguration(authUri, tokenUri);
AuthorizationRequest authorizationRequest = new AuthorizationRequest.Builder(
        authorizationServiceConfiguration,
        CLIENT_ID,
        AuthorizationRequest.RESPONSE_TYPE_CODE,
        redirectUri)
        .build();
AuthorizationService service = new AuthorizationService(context);
Intent postAuthIntent = new Intent(context, SignInActivity.class);
service.performAuthorizationRequest(
        authorizationRequest,
        PendingIntent.getActivity(context, authorizationRequest.hashCode(), postAuthIntent, 0));

URI scheme:

<activity android:name="net.openid.appauth.RedirectUriReceiverActivity">
      <intent-filter>
           <action android:name="android.intent.action.VIEW"/>
           <category android:name="android.intent.category.DEFAULT"/>
           <category android:name="android.intent.category.BROWSABLE"/>
           <data android:scheme="localhost"/>
      </intent-filter>
</activity>

I'llconfigure my Activity Manifest with net.openid.appauth.RedirectUriReceiverActivity according with guide. But after authorization is complete and callback page is shown in system browser onCreate isn't called. And there is no possibility to check data recevied from oAuth. Can it be caused by such error - "E/Surface: getSlotFromBufferLocked: unknown buffer: 0xa214d070" which i see in logs after auth initial request is perfromed? Thank you

OpenID Connect Core 1.0, Section 5.2, claims_locales parameter:

OPTIONAL. End-User's preferred languages and scripts for Claims being returned, represented as a space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. An error SHOULD NOT result if some or all of the requested locales are not supported by the OpenID Provider.

OpenID Connect Core 1.0, Section 3.1.2.1, ui_locales parameter:

OPTIONAL. End-User's preferred languages and scripts for the user interface, represented as a space-separated list of BCP47 [RFC5646] language tag values, ordered by preference. For instance, the value "fr-CA fr en" represents a preference for French as spoken in Canada, then French (without a region designation), followed by English (without a region designation). An error SHOULD NOT result if some or all of the requested locales are not supported by the OpenID Provider.

OpenID Connect Core 1.0, Section 6.0, request parameter:

OPTIONAL. This parameter enables OpenID Connect requests to be passed in a single, self-contained parameter and to be optionally signed and/or encrypted. The parameter value is a Request Object value, as specified in Section 6.1. It represents the request as a JWT whose Claims are the request parameters.

It will likely be preferable to support this as a flag on the authorization request object rather than a parameter in the conventional way.

Use Application.ActivityLifecycleCallbacks.html to cleanup the service connections onStop. We can also investigate if we should use onPause.

OpenID Connect Core 1.0, Section 3.1.2.1, login_hint parameter:

OPTIONAL. Hint to the Authorization Server about the login identifier the End-User might use to log in (if necessary). This hint can be used by an RP if it first asks the End-User for their e-mail address (or other identifier) and then wants to pass that value as a hint to the discovered authorization service. It is RECOMMENDED that the hint value match the value used for discovery. This value MAY also be a phone number in the format specified for the phone_number Claim. The use of this parameter is left to the OP's discretion.

An outstanding TODO for handling authorization errors exists in AuthState.update. As it stands, AuthState does nothing when an error is reported.

OpenID Connect Core 1.0, Section 3.1.2.1, max_age parameter:

OPTIONAL. Maximum Authentication Age. Specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated by the OP. If the elapsed time is greater than this value, the OP MUST attempt to actively re-authenticate the End-User. (The max_age request parameter corresponds to the OpenID 2.0 PAPE max_auth_age request parameter). When max_age is used, the ID Token returned MUST include an auth_time Claim Value.

Is there a way to determine if the user closed the authorization flow, either via the close button on the chrome custom tab, or by hitting the android back button.

I'm trying to implement a re-auth flow in case of token refresh failure. If that happens, i'd like the user to reauth and if successful stay where they are. If they close it themselves, i want to just close all the open activities on the app.

Just to gather some changes; when the dynamic client registration is completed (as of #61), is this library ready for v0.3.0 soon?
PR #66 and #67 are contingent on a new version (and should not be merged until that is released).
In connection with a new version, the javadoc hosted at the github pages will also need to be re-generated.

Question:
As far as I can see from the documentation, the implicit grant type for OAuth 2.0 does not seem to be supported yet. Is my understanding correct?