Android authentication with REST Service - android

I want to develop the Android client for my RESTful web service. But I'm nearly a newbie in Android and I don't know how to make correct authentication with a REST service. How do I save user details in Android?

This is a fairly complicated topic that is too broad to explain fully here. I highly recommend Retrofit for this. Here's a link to their site: http://square.github.io/retrofit/
I've also put together a sample project that gets images from the imgur API using Retrofit, if you'd like to learn more about the implementation.
https://github.com/mmeister1203/SampleRetrofitApp

For authentication, I suggest you use an authentication token. It basically works this way:
You send the user details to the server (through HTTPS, of course).
You receive an authentication token, which you save in, let's say, SharedPreferences.
Every time you make a web request, you include your token in the request.
This is the most common approach when you don't need extremely high security.

Related

android authentication in real world

So I learned the basics of Android but I never understood this part.
I know that when using websites, authentication is done alongside sessions and cookies. But what about Android?
When an authentication is made, a token is generated, right? Where does this token belong in the Android application world? Is it stored in AccountManager? Should it be stored in SharedPreferences? I also saw something called OAuth2 but didn't get what that is.
I'm sorry if my question is stupid, but it has been driving me nuts for a long time.
If you have a good tutorial for these kinds of web services, where they teach real-world coding examples, please let me know.
Most modern Android apps use an HTTP client to do backend calls, for instance Retrofit. I would suggest reading a bit about Retrofit and about how you can use this token.
More about authentication tokens and Retrofit, here.
As to where to save the token, in my current project I save the token in something similar to a static field. More info here.

Need clarification on the proper way to Authenticate (Android app)

We have implemented a backend server and a database, with a RESTful API. We have an Android app that can ask the server to send certain data back.
We want to implement an authentication system on the Android app.
The team suggests that I use Spring and OAuth, but I personally have no experience with those, and am not exactly convinced about the necessity of this approach.
Other friends suggest using Firebase to authenticate the users.
Could I avoid using OAuth/Firebase and simply store in the server's database the user's account name and the corresponding salted password hash, along with the salt? Every request sent from the client would contain the account's name (which could probably be a unique ID generated by the server on the very first request, and saved as a SharedPreference on the phone) and the password in clear. The transmission of the request being done via the HTTPS protocol (thus using TLS/SSL), the password in clear would not be revealed.
What are the possible flaws of the approach suggested in the last paragraph? And if it is a flawed approach, considering we are already using Spring for the server (backend), should I go for Firebase or OAuth?
Additional context:
Bear in mind that this is the very first largish-scale project that I have been working on (it counts as a 3-credit university course). We are 3 on the project. I'm studying Computer Science but I do not necessarily have a great grasp on all the systems we are using or plan on using.
We are creating an app which allows users to view on a map alerts published by certain databases (we are currently focusing on meteorological alerts) in real time. We want to be able to implement a login system so that people can receive notifications despite the application being closed (we are allowing users to "subscribe" to areas on the map, to specify the regions they want to receive notifications for).
OAuth, or better OpenID Connect, is a protocol, while Firebase is just one of its commercial implementations. It's always better to follow a standard where possible than to implement your own. To see the full list of the certified OIDC implementations look at the OIDC site, and I see at least the MITREid Connect project related to Spring. I think your custom solution will work for your custom case, but only until you think about any extensibility such as Google auth or accessing some third-party API.
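Added example (editor's code, not from any of the posts above) to make two things concrete: the token flow described in the earlier answer (send credentials once over HTTPS, get an opaque token, present it on every request) and the alternative proposed in this question (salted password hash on the server, password sent in clear over TLS on every call). The dictionaries stand in for the database tables, and the function and endpoint names are hypothetical; a Spring backend would put the same logic behind its own controllers. The test asserts on the return values.

```python
import base64
import hashlib
import hmac
import os
import secrets
import time

# Hypothetical in-memory stand-ins for the server's database tables.
USERS = {}    # username -> {"salt": bytes, "hash": bytes}
TOKENS = {}   # sha256(token) -> {"user": str, "expires": float}

PBKDF2_ITERATIONS = 600_000   # deliberately slow; roughly the 2023 OWASP figure for PBKDF2-HMAC-SHA256
TOKEN_TTL_SECONDS = 3600


def _password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def _token_key(token: str) -> str:
    # Store only a hash of the token, so a leaked table does not hand out live sessions.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def register(username: str, password: str) -> None:
    """Keep a per-user random salt and the derived hash; the password itself is never stored."""
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": _password_hash(password, salt)}


def verify_password(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        _password_hash(password, b"\x00" * 16)   # same cost for unknown users: no username oracle via timing
        return False
    return hmac.compare_digest(record["hash"], _password_hash(password, record["salt"]))


def login(username: str, password: str):
    """POST /login over HTTPS: credentials go in once, an opaque bearer token comes out (None on failure)."""
    if not verify_password(username, password):
        return None
    token = secrets.token_urlsafe(32)   # 256 random bits; nothing to guess or brute-force
    TOKENS[_token_key(token)] = {"user": username, "expires": time.time() + TOKEN_TTL_SECONDS}
    return token


def logout(token: str) -> None:
    """Revocation is a row delete. The password-per-request scheme has nothing to revoke but the password."""
    TOKENS.pop(_token_key(token), None)


def authenticate_request(headers: dict):
    """Runs on every API call: one SHA-256 and a lookup, no KDF. Returns the username or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    record = TOKENS.get(_token_key(auth[len("Bearer "):]))
    if record is None or record["expires"] < time.time():
        return None
    return record["user"]


def password_per_request(headers: dict):
    """The scheme from the question (HTTP Basic over TLS). It works, but every call re-runs the slow KDF,
    the password crosses the wire on every request, and a lost phone can only be locked out by a password change."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        username, _, password = base64.b64decode(auth[len("Basic "):]).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return None
    return username if verify_password(username, password) else None


def basic_header(username: str, password: str) -> dict:
    """Client-side helper that builds the header password_per_request() expects."""
    credentials = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": "Basic " + credentials}
```

The practical difference shows up in `verify_password` versus `authenticate_request`: the KDF is tuned to take a noticeable fraction of a second, which is fine once per login and a self-inflicted denial of service once per request, and the only way to keep password-per-request cheap is to weaken the hash. The token scheme also gives you expiry and per-device revocation for free.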

Is there an AFOAuth2Client library available for Android?

I am working on an app that registers a user in a specific place.
I got the client_id and the client_secret and the URL, also the token URL.
I have seen how simple it was to use AFOAuth2Client on iPhone and I would like to know if there is an equivalent for Android.
Thanks in advance.
It's generally not a very good idea to store secrets on a device. If you control the entire stack (client, API and AuthZ server), then make sure you use an OAuth2 flow that doesn't require that. (Or reconsider using OAuth2 altogether, perhaps.)
The simplest OAuth2 flows are quite simple to implement, as they are straightforward HTTP requests.
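Added example (editor's code, not from the question or the answer): the flow the answer is pointing at is the OAuth 2.0 authorization code grant with PKCE (RFC 7636), which lets a mobile app act as a public client with no client_secret in the APK at all. Both sides are shown in Python with an in-memory authorization server; the endpoint and store names are hypothetical, and a real deployment would reach these functions through HTTPS and a redirect URI.

```python
import base64
import hashlib
import secrets


def _s256(code_verifier: str) -> str:
    """BASE64URL(SHA256(ASCII(code_verifier))) without padding, as RFC 7636 defines it."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


# --- Client side (the Android app). Nothing here is a secret that must survive a decompile. ---

def make_pkce_pair() -> tuple:
    """Return (code_verifier, code_challenge). The verifier lives only in the app's memory for
    one login attempt; the challenge is what goes into the /authorize URL."""
    code_verifier = secrets.token_urlsafe(64)   # 86 unreserved chars, inside the 43..128 limit
    return code_verifier, _s256(code_verifier)


# --- Authorization server side (hypothetical in-memory store). ---

PENDING_CODES = {}    # authorization code -> {"challenge", "client_id", "user"}
ISSUED_TOKENS = {}    # access token -> user


def authorize(client_id: str, user: str, code_challenge: str, code_challenge_method: str) -> str:
    """GET /authorize, after the user has logged in on the server's own page: bind the
    challenge to a one-time authorization code that is sent back through the redirect URI."""
    if code_challenge_method != "S256":
        raise ValueError("only S256 is accepted; 'plain' lets anyone who saw the challenge redeem the code")
    code = secrets.token_urlsafe(32)
    PENDING_CODES[code] = {"challenge": code_challenge, "client_id": client_id, "user": user}
    return code


def token(client_id: str, code: str, code_verifier: str):
    """POST /token with no client_secret. Only the app instance that generated the verifier can
    redeem the code, so a code intercepted from the redirect is useless on its own.
    Returns an access token, or None."""
    pending = PENDING_CODES.pop(code, None)    # single-use: consumed whether or not the exchange succeeds
    if pending is None or pending["client_id"] != client_id:
        return None
    if not secrets.compare_digest(_s256(code_verifier), pending["challenge"]):
        return None
    access_token = secrets.token_urlsafe(32)
    ISSUED_TOKENS[access_token] = pending["user"]
    return access_token
```

The point to take from the server side is that the code is consumed on the first redemption attempt, successful or not, and that `plain` is refused: with `plain` the challenge is the verifier, so anyone who observed the authorization request can finish the exchange.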

OAuth 2.0 Server

I'm trying to set up a private OAuth2 server for use with Android. I don't want any third-party server to authorize, so my question is how to do this?
I had a look at Apache Oltu, but I haven't been able to find any how-to for setting up the server. Are there any instructions available, or could someone who has already done this help me?
Furthermore, is there a better solution? I don't want to just provide user/password authorization (or even digest), because it's about getting a user-specific file, which should be automatically synced once in a while without asking for a password again.
The Apache Oltu documentation contains some example code, which should help you understand the basics. Then you should have a look at the integration tests, which contain code for nearly all use cases.
But you have to understand that Apache Oltu isn't a standalone solution. It's only a framework, which handles the network communication for OAuth authorization and resource requests. That means you have to implement:
your own persistence layer for storing tokens;
your own security interceptor which actually checks if the received token is valid. Oltu isn't integrated into the web server, so you have to take care that requests don't bypass OAuth authorization;
your own user registration process.
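Added example (editor's code, not Oltu's and not from either post): a minimal version of the two pieces the answer says you must write yourself. The persistence layer issues short-lived access tokens and single-use, rotating refresh tokens, which is what lets the question's background sync keep running for weeks without asking for the password again; the interceptor sits in front of the routing table so that no request reaches a handler without passing the token check. Python with in-memory dicts standing in for the database; the route, store and function names are hypothetical, and `now` is injected so the expiry logic can be tested deterministically.

```python
import hashlib
import secrets
import time

ACCESS_TTL = 15 * 60            # short: a stolen access token is useful only briefly
REFRESH_TTL = 30 * 24 * 3600    # long: the sync can run for a month without a password prompt

# Hypothetical persistence layer (the "your own" part the framework leaves to you); real code uses a DB.
ACCESS_TOKENS = {}    # sha256(token) -> {"user", "family", "expires"}
REFRESH_TOKENS = {}   # sha256(token) -> {"user", "family", "expires", "used"}
REVOKED_FAMILIES = set()


def _key(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_pair(user: str, family: str = None, now: float = None) -> tuple:
    """Return (access_token, refresh_token). 'family' ties every rotation of one login together."""
    now = time.time() if now is None else now
    family = family or secrets.token_hex(8)
    access, refresh_token = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    ACCESS_TOKENS[_key(access)] = {"user": user, "family": family, "expires": now + ACCESS_TTL}
    REFRESH_TOKENS[_key(refresh_token)] = {"user": user, "family": family,
                                           "expires": now + REFRESH_TTL, "used": False}
    return access, refresh_token


def refresh(refresh_token: str, now: float = None):
    """POST /token with grant_type=refresh_token. Each refresh token is single-use. Seeing one a
    second time means either a client retry after a lost response or a stolen copy, and the server
    cannot tell which, so the whole family is revoked and the user logs in again once."""
    now = time.time() if now is None else now
    rec = REFRESH_TOKENS.get(_key(refresh_token))
    if rec is None or rec["expires"] < now or rec["family"] in REVOKED_FAMILIES:
        return None
    if rec["used"]:
        REVOKED_FAMILIES.add(rec["family"])
        return None
    rec["used"] = True
    return issue_pair(rec["user"], rec["family"], now)


def check_access(token: str, now: float = None):
    """The security interceptor's core: validates the bearer token on every resource request."""
    now = time.time() if now is None else now
    rec = ACCESS_TOKENS.get(_key(token))
    if rec is None or rec["expires"] < now or rec["family"] in REVOKED_FAMILIES:
        return None
    return rec["user"]


PUBLIC_ROUTES = {"GET /health"}   # explicit allow-list; everything else needs a valid token


def dispatch(method: str, path: str, headers: dict, handlers: dict, now: float = None) -> tuple:
    """Deny-by-default front door. The token check runs before any handler is chosen, so a new
    endpoint cannot be added and forgotten unauthenticated. Returns (status, body)."""
    route = f"{method} {path}"
    handler = handlers.get(route)
    if handler is None:
        return 404, None
    if route in PUBLIC_ROUTES:
        return 200, handler(None)
    auth = headers.get("Authorization", "")
    user = check_access(auth[len("Bearer "):], now) if auth.startswith("Bearer ") else None
    if user is None:
        return 401, None
    return 200, handler(user)
```

On the device the refresh token is the long-lived credential and deserves the most careful storage you have; the access token can live in memory and is cheap to lose. Revoking a family also kills its outstanding access tokens, which is why `check_access` consults `REVOKED_FAMILIES` too.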

Using OAuth/OpenID across a web/mobile app

I'm currently designing a service that will be half web app, half Android app. Each user will need to be able to log in from either the Android app or the web app, using an OpenID account. I'm hoping to target Google first for the easiest integration with Android, but I'll also need some OAuth stuff later so that I can integrate with Google Contacts.
The bit I'm having trouble with is how to authenticate users. The structure I've planned is that the server (probably using web.py, although that's flexible right now) serves data for the client in JSON, whether the client is the JavaScript browser client or the Android client. However, each call needs to make sure the client is allowed access to that data.
What would be the easiest way to standardise this across the platforms?
Should I be using a session system to authenticate after logging in? Can that be made to work from an Android app? Otherwise, should I simply authenticate with Google for every request?
When authenticating from the app, where should the authentication happen, through the server or straight from the app? Where should the auth token be stored in this case? (I'm assuming for a straight web app the token should just be stored in a table in the user database?)
Sorry for the barrage of questions, but I haven't really found any resources online that clarify these issues very well.
As long as you are using HTTP, the platform doesn't matter. You can use the same form of authentication and/or sessions. The only difference would be that on Android you might be able to get an authentication token using the platform's AccountManager, without having to type the username and password in Google's login page.
There's a subtle difference between Authorization (OAuth) and Authentication (OpenId). Make sure you know what you are doing.
