Integrate authentication widget for strong MFA

This topic describes how to integrate the authentication widget along with OIDC Authorization PKCE grant into the mobile app using the Android SDK

Provide an authentication and authorization flow with strong MFA and self-service registration by embedding the authentication widget into the SDK's Android mobile app.


Step 1: Setup the OpenID connect custom app

Step 2: Create authentication rule

Create an authentication rule that challenges the user to authenticate with MFA when the mobile app requests it. Refer to the following link for steps and instructions for creating an authentication rule in the Admin Portal.

To find your authentication Policies in the Admin Portal, navigate Core Services > Policies > Authentication Policy. Refer to the following figures for an example.

14281428 14281428

Step 3: Configure authentication Widget:


Please refer to to get information on how to use widgets

To find your authentication widgets in the Admin Portal, navigate to Web apps > Widgets. Refer to the following figures for an example.


Link the OIDC app with the authentication widget


How it works?


Integrate authentication widget with mobile app

The authentication client must have a configuration to interact with the CyberArk Identity Server. The Android app redirects the user to Authentication Widget for authentication. To request authorization, the Android app must redirect the user (browser) to make a secure HTTP call to the authorization endpoint with the following parameters.

Step 1: Create a builder object as shown below:

val cyberArkAccountBuilder = CyberArkAccountBuilder.Builder()
val cyberArkAccountBuilder = CyberArkAuthWidgetBuilder.Builder()

Step 2: Set up a view model and start the authentication widget flow

Use the CyberArkAuthProvider class, and the CyberArkAccountBuilder, CyberArkAuthWidgetBuilder parameters to set up a view model and start the authentication widget flow. The start authentication widget flow pattern is as follows:

val authResponseHandler: LiveData<ResponseHandler<String>> =
        .start(this, cyberArkAuthWidgetBuilder)
Authentication widget response handler
authWidgetResponseHandler.observe(this, {
          when (it.status) {
              ResponseStatus.SUCCESS -> {// Initiate authorize endpoint
              ResponseStatus.ERROR -> {
              ResponseStatus.LOADING -> {

Step 3: Set up a view model and initiate authorize endpoint

Use the CyberArkAuthProvider class, and the CyberArkAccountBuilder parameter to set up a view model and start the authorization endpoint. The start authorization endpoint flow pattern is as follows:

val authResponseHandler: LiveData<ResponseHandler<AuthCodeFlowModel>> =

Step 4: Declare the observer instance that will receive the authentication result

authResponseHandler.observe(this, {
          when (it.status) {
              ResponseStatus.SUCCESS -> {
// Save access token, refresh token and Id token in Shared Preference using keystore encryption
              ResponseStatus.ERROR -> {
              ResponseStatus.LOADING -> {

Step 5: Launch the authentication widget URL in a Custom Tab

The Identity Android SDK is enabled with the ability to open the CyberArk Identity sign-in web page to perform the user authentication in a browser window.

After authentication, the app redirects the user back to the app to exchange the received authorization code for an access token and/or refresh token.


Step 6: Use device storage for access, refresh, and ID tokens

Save the access token, refresh token, and ID token in device storage (SharedPreference) using Keystore encryption.

The Keystore encryption model is as follows:


Step 7: Verify token expiry from the access token

Decode the access token to get the expiry time of the token. The following code sample validates and returns the status of the existing access token.

val status = JWTUtils.isAccessTokenExpired(accessTokenData)

Step 8: Refresh the token

Use the refresh token to obtain a new access token.

val refreshTokenResponseHandler: LiveData<ResponseHandler<RefreshTokenModel>> =
    CyberArkAuthProvider.refreshToken(cyberArkAccountBuilder).start(this, refreshTokenData)

Refer to Refresh Token for details.

Step 9: Obtain User Info from the ID token

An ID token is an artifact that confirms that the user has been authenticated. An ID Token is a JWT Token, which is a cryptographically signed Base64-encoded JSON object. Here is an example of the decoded ID token

ID Token Payload:
"auth_time": <authentication_time>,
"is": "<issuer_identifier>",
"given_name": "<user_name>",
"iat": <ID_token_issued_time>,
"aud": "<audience_this_ID_token_is_intended_for>",
"name": "<user_name>",
"email": "<user_email_address>",
"family_name": "<user_name>",
"preferred_username": "<user_name>",
"unique_name": "<user_name>",
"exp": <ID_token_expiry_time>,
"sub": "<An_identifier_for_user>",

Step 10: Retrieve User Info using the Access token

Use the CyberArkAuthProvider class, and the CyberArkAccountBuilder parameter to set up a view model and start the retrieve user info flow. The retrieve user info flow pattern is as follows:

val authResponseHandler: LiveData<ResponseHandler<UserInfoModel>> =
        .start(this, accessTokenData)