I am trying to use the Android account manager for creating my app's own account, so I have studied the example provided in the SDK.
However, I have a little problem understanding how I have to manage the authentication token on the server.
From what I understood when studying the example and reading some tutorials is that the user will have to provide his login and password when he will first log in. Then the account manager will ask my server for a token associated to the user credentials. This token will be stored as the password in the account on the Android device (so the real password is never stored on the device).
Because the tokens expire regularly, I understand that my server has to be able to generate a new token with a login and an expired token. Is that correct? How can I generate a new token from an old one?
Moreover, what should be the structure of the token? How do I generate it? Has the expire time to be stored in the token itself or on my server?
EDIT: If someone has a simple working example to show me, it would help me very much.
Also, if you have other information than the answer below, please post it, as Amokrane Chentir's answer did not help me.
Indeed, calling AccountManager#getAuthToken() results in calling the method getAuthToken() I have to implement in my AbstractAccountAuthenticator's subclass.
EDIT2: I'm still interested by a solution to this problem, 5 months later :)
You can call the method AccountManager#invalidateAuthToken to request a new Auth Token. Also, you don't need to generate an Auth Token yourself, you have to use AccountManager#getAuthToken.
Related
I’m implementing a Android app and that must contain a user login. To do this I create my own authenticator with the purpose of login only once. Then AccountManager can request access tokens, so the application is not handling passwords directly. The AccountManager stores the user account and the token.
I’m using JWT (Json Web Token) to authenticate the user in my REST API.
I wonder whether this flow is correct or there is a better approach to do this in Android.
Here is the flow I am currently using:
The user enter user and passwords in the login screen at first time.
I make a request to server to retrieve a valid token (JWT) that is stored in the Account Manager.
Subsequent requests use the received access token until it is expires (1 hour) to retrieve content from the API.
After the token is expired, it can be refreshed up to two weeks after issue time. From this moment, user credentials are needed to retrieve a new token.
Is this process the correct way to work with the token, and refreshing it? Is the process safe? Are there other options?
Considering this flow is not using a “refresh token” to generate a new one but the access token, what would be the best usage of the Android Account Manager? What other tools should I use? Is it recommended an Oauth2 implementation along JWT in order to implement a “refresh token”?
Cheers!
I can tell, you are on the right road of using JSON Web Tokens and reproducing it.
but the safety you mentioned is all about encrypting the token you retrieved and then saving it in Account Manager (also the same with user credentials) with some encryption method of your choice like AES or RSA and then decrypt if when you wish to use. Also using a server-generated secret key with a secret algorithm would kill the shot for any hacker.
As you understand everyone with a root access can get hands on the saved credentials database and use it.
Using these tricks will lower the need of using Oauth 2.0 which involves a refresh token.
hope it helps
I'm trying to build an app using Google Cloud Messaging.
I used the google gcm samples, with almost no modifications, and so far, I can send message between my client app and my personnal little php server. (no code problem here)
In samples, google let a sendRegistrationToServer() method (click here) for me to write when InstanceId is set, but I don't find any clue on the net about how to manage such things.
How should my database look like to handle users and tokens ?
(if someone could provide a little database structure example, it would make my day !)
Since tokens register an app or a phone and users a user (which imply a registration activity to get username and password, and I haven't made it yet), I kind of don't want to mix them in the same table,
but I might have misconceptions about the purpose of token.
For instance, I wonder why nobody seem to save the token in SharedPreferences...
EDIT : now I get the whole process :
Registration Activity --> Register your user
Send email adress and secured password to your server
Connection Activity --> Connect your user
Get a gcm_token and send it to your server and then map it with connection informations
This seems so simple and clear right now, but really didn't back then, so maybe it could help someone else...
The token may change so it is not useful to store it in shared preferences its better to call InstanceID.getToken so you are sure you always get the correct token value. The important thing is to know whether or not you have sent the latest token to your application server, this boolean should be stored in shared preferences.
You should have a class that extends InstanceIDListenerService in which you implement onTokenRefresh to handle new tokens.
You should map your app-generated user IDs to tokens, note that a single user may have many valid tokens associated with them. You don't have to store the tokens with your user's username's and passwords but there should be some mapping of user IDs to tokens.
Eg:
User (uid, uname, pword)
Token (uid, token_value)
A gcm should be associated with a user object.
Once a user gets his gcm token, its a user token and not device token as you might think.
For a simple database integration within your app i suggest you to use Parse.com and their android guide for getting started.
The token is getting authorized each time you open the app, and it might change along time - thats why nobody saves it and reusing the same token evreytime
I am getting into Android development for the first time and am having a blast, of course. I do have a question, though, about the general approach to authentication (for dealing with a backend).
To begin, here is, in a nut shell, what I have worked out.
Using google's documentation (link), I authenticate the user using the google sign in api. I have put the logic mentioned in the reference in my app's main activity. After the onConnected method fires, I have a successfully connected GoogleApiClient.
With the now connected GoogleApiClient, I use a call to GoogleAuthUtil.getToken to get an oath2 token that I use to authenticate requests to my backend. Basically, any time I make an HTTP request to my backend, I include this token as a header. My backend reads this token and uses the Python API google provides for verifying this token. In the backend, I use the email that is embedded in the (now parsed) token to make sure the user to whom that oauth2 token was issued is, in fact, a user of my system.
Now, here are the questions. First, does this sound like a reasonable approach to authentication on the Android platform? What might I be missing? What could go wrong?
The second question is a bit more direct. When I get the oauth2 token from the client app, I store it and use the same token each time an HTTP request to a secured resource is made. Eventually, of course, the token will expire. From some limited testing using the Android emulator, it seems that if I shut down the application and restart it, I am getting the same, expired token back using the GoogleAuthUtil.getToken, rather than getting a fresh token with a new expiration in the future. In my tests, I have had to restart the emulator in order to get a token with a correct expiry. Am I mistaken here? Is there something special I need to do to tell the Google API to issue me a new token? Do I need to disconnect the GoogleApiClient and reconnect it? I hope to avoid doing this in order to limit the number of activities that need to carry the callbacks required to complete this process.
Any words of wisdom here will be greatly appreciated!
after you have got your token you can use Validate Token, and if it responses with an error: 'invalid_token', you can use GoogleAuth.clearToken(Context context, String token) to clear the token and get a new token with the method you are using to get auth token.
I have android app comunicating with api on remote server. I want to make user authentication via google account. I know there's many pages/questions about this topic, but I kind of couldn't figured out which method I need to use.
What I want is, when user registers with his google account, his account will be authenticated and then I want Google to generate some auth token, which is specific for the app and users account. This token should never change, because it should be used on api server to authenticate user.
Do I need to link my app somehow to Google AppEngine or is there any simple solution which I'm not seeing? Or is this method of authenticating completly wrong?
You might be a bit wrong. Cause No one (Not even the Google apps on android) ever get a non expiring token. You Need to save the refresh token and the current token. and after every hour you need to refresh the token using refresh token. And you are good to go (If I have understood your question :P). I would suggest if you already own a server better host the back-end there else GAE works just fine. I hope it helps :)
I read almost everything I could find about C2DM but what I couldn't understand is the auth token which the server needs in order to send a message.
Do I need to pass the server the password of the user in order for him to get the token?
Or am I missing something?
I don't want to ask the user to enter their password (if it's needed than it's pretty easy to do a phising app).
If I do need to send a token is there a way to get it with the accountmanager api?
Thanks.
After some consideration, is it possible I got confused and the auth token is really my gmail account(the developer)?
Take a look at JumpNote example project: http://code.google.com/p/jumpnote/
It has both the client and server side code you can rummage through.
As for the auth token, JumpNote project has helper shell script to get one: http://code.google.com/p/jumpnote/source/browse/trunk/scripts/get_auth_token.sh
This script will ask you for your Google Account credentials, and will retrieve an auth token that you can use for, I don't know, some time.