I am building a REST based api for my Android app. I use access tokens and basic header authentication currently. Any suggestions to improve the authentication process?
I suggest to use the OAuth protocol to manage API authentication. You can read more about this protocol here: http://oauth.net/.
+1 ezimuel - "OAuth" is an excellent suggestion.
However, I was surprised to see the link Getting Started with the Tasks API and OAuth 2.0 on Android was deprecated.
Please check out these links:
Google Play Authorization: http://developer.android.com/google/play-services/auth.html (also uses OAuth 2.0)
Authenticating to OAuth 2.0 Services: http://developer.android.com/training/id-auth/authenticate.html
OAuth and REST in Android (1): http://simpleprogrammer.com/2011/05/25/oauth-and-rest-in-android-part-1/
OAuth and REST in Android (2): http://simpleprogrammer.com/2011/06/04/oauth-and-rest-in-android-part-2/
Related
I am developing an android app where I need to consume Google Cloud Platform REST API. This API is not supported for google android library and I have to call using REST. API needs oauth 2.0 access token for authorization. How can I achieve this on android side?
I believe the following link will help you in achieving the desired:
https://developers.google.com/identity/sign-in/android/start-integrating
I got this link and using library compile 'com.google.apis:google-api-services-oauth2:v1-rev136-1.23.0' I can get oauth2.0 access token for google service account.
I'm creating an Android application for my employee that will require the sales people to login using Okta authentication (I plan on using their authentication api). My question is on how to secure the WEB API my code will be calling from the android app. Should I use Okta's OAuth implementation to do this?
What I was thinking was if I use Okta's authentication (to have them login), I can also call the OAuth API to retrieve a token and then an access token. I could then lock down the API by checking the access token I received from Okta.
Do you think this is the best way to do this using Okta?
Thanks!
08/18/2016 update: we now have a Xamarin code sample available at https://github.com/raphaellondner-okta/okta-oauth-xamarin-android-customtabs
As of 08/18/2016, you will need a slightly modified version of IdentityModel.OidcClient (https://github.com/raphaellondner-okta/IdentityModel.OidcClient/tree/rl-pkce-secretless) to make it work with Okta and PKCE. Hopefully these proposed changes will make it to the master branch soon.
Original answer:
I suggest you take a look at our OAuth Android sample available at https://github.com/oktadeveloper/okta-openidconnect-appauth-sample-android (we leverage AppAuth to achieve both the authentication with Okta and the authorization using OAuth and our OAuth features).
We do not yet have a Xamarin sample available yet, but the general idea is to leverage the OAuth authorization code flow using an embedded browser to call the Okta /authorize endpoint, grab the code that's returned from Okta in the browser response url (as a fragment) and pass it on to your mobile app to exchange the code for an access token.
Our OAuth features are still in beta so if need access to them, please contact us at developers at okta dot com.
I have my own oAuth 2.0 authorization server and resource (API) server. The client will be Android apps. I'm looking for a scribe sample that works against a custom oAuth provider. Is scribe the best option available for doing oAuth from Android client apps?
I think you will find your answer in another stackoverflow response:
Android & OAUTH 2.0
Scribe requires various end points that people don't normally use. If you have the end points configured then yes Scribe is the best.
I want to integrate Twitter with my Android application. Can I do this using OAuth 2.0?
I have searched the internet but couldn't find any good explanation regarding this. If anyone has done this before, can you please guide me through this. I saw in a old post here that Twitter doesn't support OAuth 2.0.
Basically, no, Twitter still uses OAuth 1.0a for most parts of their backend. Since march however, they support the OAuth 2 client credentials flow for application-only authentication.
This means, if you:
have an application that only shows tweets from other users or stuff like that, you can get authorized using OAuth 2.
want any users to use your app to post tweets or do anything else on a user's behalf, you have to struggle with OAuth 1.0a.
You should check out the Twitter4J library, which abstracts most of the OAuth 1 hassle away from you.
This might be of interest:
"... we're releasing our application-only authentication scheme, based
on the OAuth 2.0 client credentials flow."
Posted to dev.twitter 2013-03-11 https://dev.twitter.com/blog/application-only-authentication (current: https://blog.twitter.com/developer/en_us/a/2013/application-only-authentication.html)
I wrote a test application for Android accessing Google Tasks with Client Libraries.
In Google Task's Developer's guide only Oauth 2.0 authorization method is mentioned.
Does anybody know how to Authorize with ClientLogin method using client libraries?
You will want to visit the "Getting Started with the Tasks API and OAuth 2.0 on Android" article. It offers a step-by-step guide for obtaining an OAuth 2.0 access token from the Android AccountManager, and making a request to the Google Tasks API.
https://developers.google.com/google-apps/tasks/oauth-and-tasks-on-android