Android

Deep link setup

For the App to App flow to work properly, a correct deep link configuration is required. That means

This example uses https://github.com/openid/AppAuth-Android and implements the App to App flow as specified by gematik in https://wiki.gematik.de/display/IDPKB/App-App+Flow.

Source: https://github.com/azuma-healthtech-public/mimoto-examples/tree/main/android-app-auth-code-exchange

Therefore, this example uses:

Pre-Requirements: Configuration in mimoto

In our example, we have configured the Application in azuma mimoto as follows:

Screenshot: Application Configuration

Flow (with IDP list in web browser)

  1. DiGA-App initiates auth flow via OpenID Connect Authorization Code against azuma mimoto. This opens a web browser and displays the list of available IDPs.
  2. User selects an IDP and clicks on 'login', which opens the IDP-App. This is our mock application (which is configured with Deep Link: https://mimoto-gematik-mock.azuma-health.tech/idp/par)
  3. User clicks on 'login' in IDP-App, which opens the requested redirect url (in our example: https://mimoto-example-app.azuma-health.tech/app/ce), which in turn opens the DiGA-App
  4. The Deep Link Url in DiGA-App opens the exchange activity, which exchanges the received code via azuma mimoto for a new code, which can be used to finalize the process. The actual API uses the original received redirect url and returns a valid redirect url, as expected by AppAuth to continue the process.
  5. DiGA-App uses the returned redirect url to finalize the auth flow via AppAuth by exchanging the received codes for Access Token and ID Token.
  6. At this point, you could exchange Access Token and ID Token for your own tokens/session/....

See for more details about the exchange API.

Flow (native IDP list)

  1. DiGA-App retrieves the list of available IDPs and displays them natively. See for the idp-API.
  2. Once the user selects the target IDP, DiGA-App initiates auth flow via OpenID Connect Authorization Code against azuma mimoto for the selected IDP.
  3. azuma mimoto returns a URL that needs to be opened on the platform. This opens the authenticator app of the selected IDP if it is installed. If it is not installed, the IDP landing page is opened in the default browser.
  4. User clicks on 'login' in IDP-App, which opens the requested redirect url (in our example: https://mimoto-example-app.azuma-health.tech/app/ce), which in turn opens the DiGA-App (as it is a Deep Link Url (Android App Link / iOS Universal Link) for that app)
  5. The Deep Link Url contains code and state, which need to be sent to azuma mimoto in exchange for a new code that can be used to finalize the flow started in step 2. See for more details about the exchange API.
  6. Once the exchange call is completed, DiGA-App can finalize the flow and retrieve Access Token and ID Token, where only ID Token is currently relevant.
  7. At this point, you could exchange Access Token and ID Token for your own tokens/session/....
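
In both flows the DiGA-App receives code and state through a deep link and forwards them to the exchange API. The following is an added example, not code from this page or from the mimoto example repository: a structural check of the incoming link before anything is sent to the exchange. The host and path are the redirect URL from this page's example; validateDeepLink, parseQuery, DeepLinkResult and MAX_PARAM_LENGTH are hypothetical names, and the sample links are constructed.

```kotlin
import java.net.URI
import java.net.URLDecoder

// Redirect URL from this page's example; replace with your own App Link.
const val EXPECTED_HOST = "mimoto-example-app.azuma-health.tech"
const val EXPECTED_PATH = "/app/ce"
const val MAX_PARAM_LENGTH = 2048 // assumed upper bound, not a mimoto limit

data class DeepLinkResult(val code: String, val state: String)

// Splits the raw query into decoded key/value pairs, keeping duplicates visible.
fun parseQuery(rawQuery: String?): Map<String, List<String>> =
    rawQuery.orEmpty().split("&").filter { it.isNotEmpty() }
        .map { it.split("=", limit = 2) }
        .groupBy(
            { URLDecoder.decode(it[0], "UTF-8") },
            { URLDecoder.decode(it.getOrElse(1) { "" }, "UTF-8") })

// Hypothetical helper: returns code and state only if the link is exactly the
// configured redirect URL and carries one well-formed value for each parameter.
fun validateDeepLink(link: String): DeepLinkResult? {
    val uri = try { URI(link) } catch (e: Exception) { return null }
    if (uri.scheme != "https" || uri.host != EXPECTED_HOST) return null
    if (uri.path != EXPECTED_PATH || uri.userInfo != null || uri.port != -1) return null
    val params = try { parseQuery(uri.rawQuery) } catch (e: IllegalArgumentException) { return null }
    // Reject missing, empty, oversized or repeated parameters instead of picking one.
    fun single(name: String) = params[name]?.singleOrNull()
        ?.takeIf { it.isNotEmpty() && it.length <= MAX_PARAM_LENGTH }
    val code = single("code") ?: return null
    val state = single("state") ?: return null
    return DeepLinkResult(code, state)
}

fun main() {
    val base = "https://$EXPECTED_HOST$EXPECTED_PATH"
    val samples = listOf( // constructed sample links
        "$base?code=abc&state=xyz",                      // well-formed link
        "https://$EXPECTED_HOST.example.invalid$EXPECTED_PATH?code=abc&state=xyz", // look-alike host
        "$base?code=a&code=b&state=xyz",                 // duplicated code parameter
        "$base?code=abc",                                // state missing
        "$base?code=%zz&state=xyz")                      // malformed percent-encoding
    for (s in samples) println("${validateDeepLink(s) != null}  $s")
}
```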

Alternative Flow

If you have a full backend integration with azuma mimoto, against which you can start the OpenID Connect Authorization Code flow, you can

  • initiate the flow against your own backend
  • exchange code via your own backend (which in turn exchanges with azuma mimoto)

Code

Known Issues

Solution: Make sure to configure your app to receive the deep link (this should be enabled by default). This should be available in app settings -> defaults -> supported web addresses.

Screenshot: Deep Link Configuration