Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

sharing auth token between android apps

Tags:

android

I have a requirement to share a common presistent login (auth token) between 2 or more android apps. The trick is that either app need no be installed for the other to work. They are independent of each other.

So before an app logs in it asks the question "is there possibly another friendly app out there that can give me (or has stored somewhere) a token that I can use?"

Obviously there are various ways (and issues) that I can use to approach this:

  • using a shared service (requires secondary installation, which app installs it?)
  • using a shared content provider (requires secondary installation, which app installs it?)
  • using a file on the system (if the file exists / may not be accessible on every device)
  • using shared preferences (i believe that on some android version global shared prefs are not possible)
  • using an ordered broadcast (to wake up another possible app and ask it)

What do the stackoverflow folks think is the best approach that is simple but also robust?

like image 255
Rob McFeely Avatar asked Aug 07 '15 15:08

Rob McFeely


People also ask

How can I share data between two apps on Android?

Android uses the action ACTION_SEND to send data from one activity to another, even across process boundaries. You need to specify the data and its type. The system automatically identifies the compatible activities that can receive the data and displays them to the user.

Where are Android access tokens stored?

Show activity on this post. I have a web application which stores its accesstoken in localstorage. It also has an android application which is basically a webview wrapper of the web application. In this case, the local storage will be saved to apps data folder, say /data/data/com.

What is auth token in android?

OAuth2 provides a single value, called an auth token, that represents both the user's identity and the application's authorization to act on the user's behalf.


1 Answers

You can start by writing an account authenticator. The canonical text on Android authenticator development is http://blog.udinic.com/2013/04/24/write-your-own-android-authenticator/

I wrote an authenticator for my app based on this article. However, what I haven't tried is having two apps with authenticators that register for the same account type. I think it should be possible to have the authenticator code in both apps. When the app asks for an authenticator for your account type with both apps installed, it shouldn't matter which authenticator it uses because they both do the same thing.

You could also have the authenticator in a separate library, but now you have three apps.


EDIT:

Here's how I integrated the authenticator into my app, within a LoginActivity:

  1. Check preferences for the last logged-in username.
  2. If there is no username, call AccountManager.newChooseAccountIntent() with my authenticator's account type.
  3. If there is a username, call AccountManager.getAccountsByType() with the account type, look through the accounts for that username, then call accountManager.getPassword(account) with that user's account.
  4. Now I have the username and password, so I can do the login. When the user is successfully logged in, the username can be stored in preferences for subsequent auto-login.

My authenticator activity has a UI flow for "Add Existing Account to Device". In this case, the user already has subscribed to our service. They enter a username and password, and if they are authenticated on the server, an account is added to the device for that username.

There is also a "Register For New Account" UI flow where the user enters all the registration information and creates a 30-day free trial account. In this process, the user is already authenticated, since the password is entered as part of this process.

This means that when the user chooses Add Account from the Account Chooser, the user is authenticated, while choosing an existing account just returns with the account from the device without authenticating. One of the drawbacks of the AccountManager Account Chooser is that there is no way to put a flag in the return intent to say what actually happened, so when the Account Chooser activity finishes, you have to go through some hopscotch to see if an authentication occurred or not. I chose a safe & conservative route by just doing the authentication every time, which means I am duplicating server authentication on account additions.

There are a bunch of corner cases you have to think about too, such as:

  • What if the user's login is valid, but their subscription has expired, which means they need to be sent to the e-commerce module to renew their service
  • What if the user has changed the password on the server from the web app, so now the password is out of sync with the device.
like image 124
kris larson Avatar answered Sep 29 '22 15:09

kris larson