Merge pull request #2733 from brandonpage/allow-browser-auth

brandonpage · web-flow · commit abaf21e15383 · 2025-06-30T17:19:57.000-07:00
Revert 13.0 Advanced Auth behavior when useWebServerAuthentication is false.
diff --git a/libs/SalesforceSDK/src/com/salesforce/androidsdk/ui/LoginActivity.kt b/libs/SalesforceSDK/src/com/salesforce/androidsdk/ui/LoginActivity.kt
@@ -102,6 +102,7 @@ import androidx.core.content.ContextCompat.getMainExecutor
 import androidx.core.net.toUri
 import androidx.core.view.WindowCompat
 import androidx.fragment.app.FragmentActivity
+import androidx.lifecycle.lifecycleScope
 import com.salesforce.androidsdk.R.color.sf__background
 import com.salesforce.androidsdk.R.color.sf__background_dark
 import com.salesforce.androidsdk.R.color.sf__primary_color
@@ -143,6 +144,7 @@ import com.salesforce.androidsdk.util.SalesforceSDKLogger.e
 import com.salesforce.androidsdk.util.SalesforceSDKLogger.w
 import com.salesforce.androidsdk.util.UriFragmentParser
 import kotlinx.coroutines.CoroutineScope
+import kotlinx.coroutines.Dispatchers
 import kotlinx.coroutines.Dispatchers.Default
 import kotlinx.coroutines.Dispatchers.IO
 import kotlinx.coroutines.launch
@@ -316,11 +318,18 @@ open class LoginActivity : FragmentActivity() {
                 }
             } else {
                 with(SalesforceSDKManager.getInstance()) {
-                    if (useWebServerAuthentication) {
-                        // Fetch well known config and load in custom tab if required.
-                        fetchAuthenticationConfiguration {
-                            if (isBrowserLoginEnabled) {
+                    // Fetch well known config and load in custom tab if required.
+                    fetchAuthenticationConfiguration {
+                        if (isBrowserLoginEnabled) {
+                            if (useWebServerAuthentication) {
                                 viewModel.loginUrl.value?.let { url -> loadLoginPageInCustomTab(url, customTabLauncher) }
+                            } else {
+                                /* Reload the webview now that isBrowserLoginEnabled has been set
+                                   to true so that we generate an authorization URL with PKCE values.  */
+                                lifecycleScope.launch(Dispatchers.Main) {
+                                    viewModel.reloadWebView()
+                                    viewModel.loginUrl.value?.let { url -> loadLoginPageInCustomTab(url, customTabLauncher) }
+                                }
                             }
                         }
                     }
@@ -923,25 +932,19 @@ open class LoginActivity : FragmentActivity() {
                         // Show loading while we PKCE and/or create user account.
                         viewModel.authFinished.value = true
 
-                        // Determine if presence of override parameters require the user agent flow.
-                        val overrideWithUserAgentFlow = viewModel.isUsingFrontDoorBridge
-                                && viewModel.frontdoorBridgeCodeVerifier == null
                         when {
-                            SalesforceSDKManager.getInstance().useWebServerAuthentication
-                                    && !overrideWithUserAgentFlow ->
-
+                            viewModel.useWebServerFlow ->
                                 viewModel.onWebServerFlowComplete(
                                     params["code"],
                                     ::onAuthFlowError,
-                                    ::onAuthFlowSuccess
+                                    ::onAuthFlowSuccess,
                                 )
-
                             else ->
                                 CoroutineScope(Default).launch {
                                     viewModel.onAuthFlowComplete(
                                         TokenEndpointResponse(params),
                                         ::onAuthFlowError,
-                                        ::onAuthFlowSuccess
+                                        ::onAuthFlowSuccess,
                                     )
                                 }
                         }
diff --git a/libs/SalesforceSDK/src/com/salesforce/androidsdk/ui/LoginViewModel.kt b/libs/SalesforceSDK/src/com/salesforce/androidsdk/ui/LoginViewModel.kt
@@ -144,6 +144,14 @@ open class LoginViewModel(val bootConfig: BootConfig) : ViewModel() {
     protected open val authorizationDisplayType =
         SalesforceSDKManager.getInstance().appContext.getString(oauth_display_type)
 
+    internal val useWebServerFlow: Boolean
+        get() = with(SalesforceSDKManager.getInstance()) {
+            // Browser based authentication requires the Web Server flow for PKCE security.
+            (useWebServerAuthentication || isBrowserLoginEnabled)
+                    // QR Code login may require User Agent flow.
+                    && !(isUsingFrontDoorBridge && frontdoorBridgeCodeVerifier == null)
+        }
+
     /**
      * Setting this option to true will enable a mode where only a custom tab will be shown.  The first server will be
      * launched in a custom tab immediately and the user will not be able to switch servers.  The LoginActivity is
@@ -309,12 +317,11 @@ open class LoginViewModel(val bootConfig: BootConfig) : ViewModel() {
             else -> additionalParameters
         }
 
-        // NB code verifier / code challenge are only used when useWebServerAuthentication is true
         val codeVerifier = getRandom128ByteKey().also { codeVerifier = it }
         val codeChallenge = getSHA256Hash(codeVerifier)
 
         val authorizationUrl = OAuth2.getAuthorizationUrl(
-            SalesforceSDKManager.getInstance().useWebServerAuthentication,
+            useWebServerFlow,
             SalesforceSDKManager.getInstance().useHybridAuthentication,
             URI(server),
             clientId,
