OAuth2 to Azure and behavior of the hybrid phone app browser

In one of our projects we have the following situation: This app has an OAuth2-Azure integration, which means that users are authorized against Azure. For desktop users this works like a charm. However, Phonegap-app users experience inexplicable behavior. We solved the issue that the user navigates away from the app browser to the phone browser after authorizing against Azure. At least... we thought so. Our current issue manifests itself when the app user tries to use the barcode scanner and is greeted with the message 'Unable to detect camera'. The same message also appears when you try to use the scanner widget from a regular browser. The barcode scanner is used at several points for validation of QR-codes and plays a crucial role in the whole process. The barcode scanner works as expected with regular Mendix users in the mobile app. However, for authorization against other background systems (Osisoft) the sign-on via Azure is absolutely necessary. In another project with an older Phonegap & Mendix version we managed to solve this issue with a piece of JavaScript that keeps the sign-in process within the Phonegap app. That doesn't seem to work now.
3 answers

Hi Jos,

It looks like the page is (still) running in the InAppBrowser, which does not have access to the cordova / phonegap plugins. Do you see the "User redirected to app" log message when debugging the app? If so, the issue might be that when hitting the window.location.reload part, there is still a redirect somewhere. If not, you need to make sure that this part is triggered by detecting that Azure has redirected the user back to the app from the URL.

Do you know if this might be the case? In other words, is there still some kind of redirect in the index.html page which is triggered by reloading the window? If so, this will be automatically opened in an InAppBrowser window again, losing the cordova / phonegap context. 

What we've done for one of our apps is to implement the same mechanism as described by Mendix for implementing SAML SSO on a hybrid app: https://docs.mendix.com/howto/mobile/implement-sso-on-a-hybrid-app-with-mendix-and-saml. The key here is in window.localStorage.setItem("mx-authtoken", token). This token reflects a token from a TokenInformation object (you can find this in the System module) that has been created by the SAML module. This token is detected by the hybrid app and used to create a valid session, without using redirects and/or manual login. One solution could be to change the OAuth implementation to create such a TokenInformation object, return the token to the mobile app some way (for example with a cookie mechanism, see the SAML example and the SAML code where the TokenInformation object is created in saml20\implementation\security\SessionManager.java). If you then set the mx-authtoken with this token, the hybrid app will automatically handle the session creation for you.

Hope this helps!


Hi Jos, I'm experiencing similar issues with ADFS + Barcode scanner and filed a ticket for that (76489). See also https://forum.mendix.com/link/questions/91908. Did you follow https://docs.mendix.com/howto/mobile/implement-sso-on-a-hybrid-app-with-mendix-and-saml ?


First a thank you to Allard and Axel for their elaborate answers. The cause of this issue took a while to find and without their advice it would have been a lot harder if not impossible.

The hardest part was remote/mobile debugging which isn't possible by default with Samsung phones. Even Google states it in the documentation. Ever heard of using ‘audio source’ as a setting for the USB-configuration? See: https://learntech.imsu.ox.ac.uk/blog/remote-debugging-samsung-galaxy-7-edge-with-chrome/ 

After I got this contraption of a debugging setup up and running, finding out the cause of the OAuth2 issue was a breeze.

To all app/cloud administrators out there: please do not use capital letters in your URLs. Thank you.
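
Added example, not part of the posts above and not Mendix code: a redirect check of the kind the first answer describes (detecting from the URL that Azure has sent the user back to the app) before setting `mx-authtoken`. It assumes, as one possible way capital letters in a configured URL can break such a check, that the detection was a case-sensitive string match; the function names, `APP_URL`, and all URLs and tokens are constructed for illustration.

```javascript
// Added example; APP_URL and every URL and token below are constructed.
const APP_URL = "https://MyApp.Example.com/"; // configured with capital letters

// Naive check: raw, case-sensitive string prefix match on the configured URL.
function isBackInAppNaive(eventUrl, appUrl) {
  return eventUrl.indexOf(appUrl) === 0;
}

// Stricter check: parse both URLs and compare origins (scheme, host, port).
// The URL parser lowercases scheme and host, so capitals there stop mattering;
// the path remains case-sensitive.
function isBackInApp(eventUrl, appUrl) {
  let event, app;
  try {
    event = new URL(eventUrl);
    app = new URL(appUrl);
  } catch (e) {
    return false; // unparsable URL: never treat it as the app
  }
  if (event.protocol !== "https:") return false;
  return event.origin === app.origin && event.pathname.startsWith(app.pathname);
}

// Store the token only once the navigation is confirmed to be the app itself.
// `storage` is window.localStorage in the hybrid app; injected here for testing.
function completeSignIn(eventUrl, appUrl, token, storage) {
  if (!token || !isBackInApp(eventUrl, appUrl)) return false;
  storage.setItem("mx-authtoken", token);
  return true;
}
```

The naive variant misses `https://myapp.example.com/index.html` when the app URL is configured with capitals, and it accepts a look-alike host when the configured URL has no trailing slash; the origin comparison handles both.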