Sorry, I think I confused things. Im not building a native app, Im just using the Amazon Alexa Android app. I’ve built a NodeJS service to query the HubSpot API for certain info, but this requires OAuth 2.0. Amazon provides you the ability to link your “skill” with your OAuth flow (so that it can authenticate requests on your behalf).
I reached out to Amazon at the same time, and got this response:
We haven’t seen this specifically, but I can confirm this is a whitelisting issue. Even if the flow is complex you’ll need to whitelist all of the other domains. You are allowed to whitelist up to 25, so although it would require effort on your part there shouldn’t be a technical limitation.
So the issue is that if the OAuth is initiated in an app WebView, then all the domain URLs required through the OAuth flow need to be whitelisted. Otherwise it breaks out of the webview into Chrome (or native Android browser). The problem is that with the HubSpot OAuth flow, there’s various redirects in play. So it’s difficult to gather all these domains. This will include anything from app.hubspot.com to static.hsappstatic.net to google for the Google Login flow.
Is there an example of an Android app that has overcome this issue? Or even how I would go about finding all the domains I need to whitelist?