
How to authenticate requests for an android app

I am making an Android app which will fetch data from my API.

The first thing my app will do is let users sign in using their credentials.

  • My question is: does my API need to handle sessions, or should I authenticate the user for every request?
  • Will the native Android app hold the user credentials on the device and send them along with every request after signing in?
  • I am using Retrofit. How would I send user credentials after they have signed in?

This will be a good time to take a deep dive and read into OAuth. Your use case seems to match perfectly. There are 2 main steps you will need: Authentication and Authorization. I have briefly explained them here: Authentication of a resource in Dropwizard. You can ignore the DropWizard part, the REST concept remains the same.

The short version of the description could be like this:

A user installs your app on the phone. They authenticate ONCE using their username and password (POST request to your REST over SSL). Your service authenticates the user and returns a "refresh_token" and an "access_token", which the app saves on its side while you map and save the access_token/refresh_token on the service side with the user.

With every subsequent request your app is going to send the "access_token" as a part of the "Authentication" header, which you, on the server side, will parse and check whether the access_token is still alive (assuming that the access_token expires), and if it is alive, then complete the authorization/authentication process.

If by any chance the access token has expired, a 401 will be returned back to your app. The app will then have to use the "refresh_token" to get a new access_token, and once approved with a new access_token (which again, of course, is mapped on the server side to the user's identity) all the subsequent calls will use the new access_token, until the time it expires.

This is a simplistic version of OAuth and does not follow the specs to the letter. It's a very basic authentication/authorization flow to get you started. I hope this helps!
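As an added illustration (not part of the answer above) of how that flow maps onto Retrofit, which sends its requests through an OkHttp client: an interceptor attaches the stored access token, and an OkHttp `Authenticator` handles the 401 by exchanging the refresh token and retrying once. It uses the standard `Authorization: Bearer` header rather than the "Authentication" name used above; `TokenStore` and `RefreshApi` are hypothetical interfaces you would implement yourself.

```java
import java.io.IOException;
import okhttp3.Authenticator;
import okhttp3.Interceptor;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import okhttp3.Route;

/** Hypothetical token storage. Back it with EncryptedSharedPreferences or the
 *  Android Keystore; the username/password themselves are never stored. */
interface TokenStore {
    String accessToken();
    String refreshToken();
    void save(String accessToken, String refreshToken);
    void clear();
}

/** Hypothetical blocking call to the refresh endpoint.
 *  Returns {newAccessToken, newRefreshToken}, or null if the server rejects the refresh token. */
interface RefreshApi {
    String[] refresh(String refreshToken) throws IOException;
}

public final class TokenClient {
    private TokenClient() {}

    /** Pass the returned client to Retrofit.Builder().client(...). */
    public static OkHttpClient build(TokenStore store, RefreshApi refreshApi) {
        // 1. Every outgoing request carries the current access token, nothing else.
        Interceptor attach = chain -> {
            Request req = chain.request();
            String token = store.accessToken();
            if (token != null) {
                req = req.newBuilder().header("Authorization", "Bearer " + token).build();
            }
            return chain.proceed(req);
        };
        // 2. OkHttp calls this only on a 401. Refresh once, then retry the original request.
        Authenticator refresh = (Route route, Response response) -> {
            if (response.priorResponse() != null) return null; // already retried once: surface the 401
            synchronized (store) {                               // one refresh at a time across threads
                String sent = response.request().header("Authorization");
                String current = store.accessToken();
                if (current != null && !("Bearer " + current).equals(sent)) {
                    // Another request already refreshed; just retry with the newer token.
                    return response.request().newBuilder().header("Authorization", "Bearer " + current).build();
                }
                String[] fresh = refreshApi.refresh(store.refreshToken());
                if (fresh == null) { store.clear(); return null; } // refresh token rejected: user must sign in again
                store.save(fresh[0], fresh[1]);
                return response.request().newBuilder().header("Authorization", "Bearer " + fresh[0]).build();
            }
        };
        return new OkHttpClient.Builder().addInterceptor(attach).authenticator(refresh).build();
    }
}
```

Only run this client against HTTPS endpoints, since the bearer token is as sensitive as the password it replaces; clearing the store on a rejected refresh is what forces the app back to the sign-in screen.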
