I’ll keep the name of the provider under my hat. I think it has an issue with Android/iOS.
They want:
POST /oauth/authorize
with a few parameters (the client key, the redirect URL, etc.) as the first call to start the OAuth flow. The response comes back with a Location header pointing to an HTML page for the login.
With that, it looks like they want us to open a browser to send that first POST to /oauth/authorize. But I don’t believe there’s any reasonable way to open a browser in either Android or iOS with a POST.
I’ve tried sending that initial POST within the app, telling the HTTP client not to follow the redirect, then opening a browser with the URL from the Location header and trying to supply the other headers. They aren’t documenting what’s in that response (in fact, the documentation indicates a JSON object as the response, but that’s not what happens). I haven’t been able to get that to work either. It does get as far as showing the login page, but after the user logs in, it results in an error (a 404). I’m guessing that’s because I didn’t supply whatever was needed for it to know who the partner is, so it can’t find the redirect link that the app catches to grab the token.
I have tested, by sending the redirect link via adb, that the app catches it. And it does.
I don’t want to be too quick to tell them their oauth implementation is broken, but it sure feels like it is.
My understanding is both Android and iOS will need to start the external browser with a simple url. The browser will almost certainly send it as a GET.
To add insult to injury, they aren’t responding to support emails or returning calls.
I’m hoping somebody might be able to give me a way to make this work or confirm that it’s broken.
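For comparison, here is the authorization-code flow a native app normally implements (RFC 8252 with PKCE from RFC 7636), written out as an added example; it is not code from the original post or from the provider in question. The authorization request is a plain GET URL that the app hands to the system browser (Chrome Custom Tabs or ASWebAuthenticationSession); the only POST a native client sends is to the token endpoint after it has caught the redirect. The endpoint URLs, client key, redirect scheme and scope below are placeholders. The state and PKCE checks are the parts to verify before trusting a caught redirect: they are what keep a stray or attacker-triggered deep link from being accepted as a real login.

```python
"""Native-app OAuth authorization-code flow (RFC 8252 + PKCE).

Added example; endpoint URLs, client id, redirect URI and scope are placeholders.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder values: a real provider supplies these.
AUTHORIZE_URL = "https://provider.example/oauth/authorize"
TOKEN_URL = "https://provider.example/oauth/token"
CLIENT_ID = "my-client-key"
# The custom-scheme link the app registers and catches (e.g. via an intent filter).
REDIRECT_URI = "com.example.app://oauth/callback"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as required for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge); the verifier stays on the device."""
    verifier = _b64url(secrets.token_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorization_url(state: str, code_challenge: str, scope: str = "profile") -> str:
    """The GET URL the app opens in the system browser; nothing is POSTed here."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,                      # unguessable, bound to this attempt
        "code_challenge": code_challenge,    # proves possession of the verifier later
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def parse_callback(redirect_url: str, expected_state: str) -> str:
    """Validate the redirect the app caught and return the authorization code.

    Raises ValueError on any mismatch so a stale or injected deep link is rejected.
    """
    parsed = urlparse(redirect_url)
    if f"{parsed.scheme}://{parsed.netloc}{parsed.path}" != REDIRECT_URI:
        raise ValueError("redirect URI mismatch")
    qs = parse_qs(parsed.query)
    if "error" in qs:
        raise ValueError(f"provider returned error: {qs['error'][0]}")
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: stale callback or CSRF attempt")
    code = qs.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def token_request_body(code: str, code_verifier: str) -> dict:
    """Form body for the one POST a native client sends: to the token endpoint."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": code_verifier,
    }


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    print("open in system browser (GET):", build_authorization_url(state, challenge))
    # Constructed callback, standing in for the link the OS hands back to the app.
    caught = f"{REDIRECT_URI}?code=CONSTRUCTED_CODE&state={state}"
    code = parse_callback(caught, state)
    print("POST", TOKEN_URL, token_request_body(code, verifier))
```

The state value is generated per attempt and compared on the way back, and the code verifier never leaves the device until the token POST, so an intercepted authorization code is useless without it. If a provider requires a POST to `/oauth/authorize` that only a browser session can satisfy, there is no place in this flow for it, which matches the difficulty described above.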