I'm developing an Android app and I'm a little confused regarding token and refresh token.
Basically now, after user login with mobile number and a code sent by SMS, the authentication server returns an access token that will be used for accessing to all apis. For the authentication server, I've used Laravel with jwt-auth library.
When the access token will expired I will ask a new one using the credential of user stored in the AccountManager.
Is it the correct way to implement this authentication?
Or I'm missing the refresh token, which I ask a new access token when this expired?
Thanks in advance,
Daniele
I think it's better to use both token and refresh token, so you don't always have to send your credentials when your access token is expired. Moreover it's not safe to store users credentials on a client device, you should store this informations on your server and ask the user to type it when needed.
Here how I implement the token/refresh token process :
1 : You send your credentials to your authentification server ( it will send you back an access token (I use the JSON web token type wich is not stored in database) and a refresh token ( that is stored in the database).
2 : When you make a request to your server you check if the access token is expired, if it is so, you make a request to your authentification server with the refresh token in paramter in order to have a new access token ( depending on the configuration of your server it could give you back whether a new access token , or a new pair of access token and refresh token which I prefer ).
3: If the refresh token is expired you make a request with your credentials to have a new pair of tokens.
Related
I have an app that is currently using email and password for account authentication. Whenever the user logs in using email and password, the backend creates a JWT session token and returns it to the app.
This works well. Now, I am trying to integrate Google One-tap sign-in[OAuth] and I want to keep my existing login system too.
I am not able to figure out how to manage the session/authentication for the user in the database. My existing user table has:
Name, email, password, ...
In the case of OAuth, I will only get the email and token. Once I validate the token then I will have no password to save. So, is it alright to just save OAuth unique id for the user in an external_unique_id column and do nothing with the password (as in leave it blank)?
Kindly, help me with understanding how to manage this sort of system.
Especially, how to handle the flow when the user tries to sign in the second time when the external_unique_id is already existing.
Should I compare the unique id received from the OAuth provided with the external_unique_id?
Thank you!
I dont know if its the best approach but you can create a new column in your user table that tells you what login method user used (in this case, google or api).
You dont really need google unique id, you just need to know the authentication was successful to generate a new token or not.
On the first authentication you need to create a new user based on google payload. In the next ones, just get the user on database using his email and do whatever you need to.
We have serveral method to make authentication,
Authorization Server generate token and auth tokens:
Client need to get token from server by inputing credential, the server send back a token. Each time, application need to connect auth server to make authentication
Authorization server share database with other application
Once the user get token from auth. server. He can use it in other resource server. This resource server directly fetch tokens from database and make authentication by itself.
Use JWT to authorize.
Client get generated Jwt token from auth. server. Auth server may share public key to other resource server. The resource server can use public key to decode content. Since only authorization server has private key, only auth.server can generate correct jwt content
In my opinion, you need to create a new user in your database.
What strategy should I follow if I need to remember login in a mobile client if the company policy restricts me from storing password in the mobile client.
Time limited token.
You have multiple options:
1. After successful login create time limited token on server and send it to client. Don't forget to generate new token often enough, to prevent it's expiration (ideally on every request)
2. After successful login share secret key, used to generate token between client and server (ideally newly generated secret). Then you can use this secret on client to generate token when needed.
In any case, every client request should contain token + some signature for ensuring that request hasn't change by third party.
You can store user_id and other user data in sharedPrefrences or database when the user logs in and clear data when the user logs out.
When the app starts you can check if data is already stored for that user then redirect to the main screen otherwise redirect to the login screen.
You can save auth token when user log into app. Then use this token with your requests to backend, if you get 401 http error (not authorized) this means your token is invalid or expired and you should logout user.
I am trying to use Oauth2 system for Android development, but I cannot understand what I have to do if refresh token will be expired.
Should I show the login form if the refresh token is outdated, if so at what point do I need to check on a token expired?
UPDATE:
My actions:
server config: refresh token lifetime 14 days
1.First I try to make a request to the server but the server returns that the access token is expired
2.Then I try to update access token using the refresh token but the server also returns that refresh token is expired
3.Not having received the token, I ask the user to log in again
Is it right?
Library I use link
Please help me understand after refresh token expired actions.
Yes you're right ! When your access token and refresh token are expired the only way to get a new token pair is to ask the user for its credentials (you can prompt the user in a login form).
The strategy I use to avoid asking the user for its credetial many time, is to send a new refresh token every time I need to renew the access token.
So when I ask for a new access token my Oauth2 server sends me a new access token and a new refresh token (and the new refresh token expiration date is consequently later]
Phindmarsh from github helped me to find the answer to this question.
Link to the answer
I am trying to authenticate my app with the server using token.
when I login to my system, server sends the token and I store it in current Session/ Application instance.
Later I need to pass that token on each request along with the other data.
Could anyone please provide me a way of sending the token to server? Do I need to do anything for security for eg. encryption etc. ?
Pass your token in as Auth Header in your request header
for example
request.put("Auth","token_here");
I'm trying to authenticate a HTTP request using a token sent by an Android application, but I have no idea how to do this.
To get this token I must to send an user a password, to my ruby application that returns the token, but I want to know how to verify all requests from my android application using this token.
I know the "before_filter" on ruby, but I think that it could have problems with my first authentication, because I have to login with the user and password just once, but every time with the token.
If you can indicate any links or some pieces of code ...
Thanks in advance.
After successful log-in you should save Token in Constants and should send this token with each HTTP request.Server will verify user with access token and return result.