Having a problem with OAuth 2.0 flow in Android app



Im having an issue with OAuth 2.0 on a native Android app.

I’ve set up a HubSpot OAuth 2.0 flow, and am using the Amazon Alexa android app to create a skill - which requires account linking using OAuth 2.0. All the configuration parameters are correct but when I try to initialize the OAuth flow the WebView inside the app is not redirecting the first request (which is to https://app.hubspot.com/login/ with some parameters). The page just sits blank (see the screenshot).

Have you had any experience with this kind of issue before?



@smcelhinney I don’t believe we have tested out our oauth flow for an Alexa skill. Can you run the flow in an IDE in debugger mode and see if you get any errors? What did you use to build the app? Android Studio or eclipse?


Sorry, I think I confused things. Im not building a native app, Im just using the Amazon Alexa Android app. I’ve built a NodeJS service to query the HubSpot API for certain info, but this requires OAuth 2.0. Amazon provides you the ability to link your “skill” with your OAuth flow (so that it can authenticate requests on your behalf).

I reached out to Amazon at the same time, and got this response:

We haven’t seen this specifically, but I can confirm this is a whitelisting issue. Even if the flow is complex you’ll need to whitelist all of the other domains. You are allowed to whitelist up to 25, so although it would require effort on your part there shouldn’t be a technical limitation.

So the issue is that if the OAuth is initiated in an app WebView, then all the domain URLs required through the OAuth flow need to be whitelisted. Otherwise it breaks out of the webview into Chrome (or native Android browser). The problem is that with the HubSpot OAuth flow, there’s various redirects in play. So it’s difficult to gather all these domains. This will include anything from app.hubspot.com to static.hsappstatic.net to google for the Google Login flow.

Is there an example of an Android app that has overcome this issue? Or even how I would go about finding all the domains I need to whitelist?