Best practice in storing and using a OAuth2 Token in Android? - java

I have an Android app which talks with a Node.js backend, via a REST API. We use an OAuth token received from Google for authorization, and we have agreed on the flow in which I use the token in the HTTP request every time I make a request.
So, which is the best practice to store the token?
a) Store the token in SharedPreferences, and use the same SharedPreferences in the activity that makes the network calls.
OR
b) Store it using a POJO, and use getters and setters to retrieve and clear the token.
I have just started off with network related mini projects in Android. And hence this could be a very basic question. Any help is really appreciated.
Thanks

How are you retrieving the token or doing Authorization?
If you are using the GoogleAuthUtil or GoogleAccountCredential APIs, the persistence of the token is automatically managed by the APIs themselves.
You should not be required to do it manually.
See this question on which one to use:
Access to Google API - GoogleAccountCredential.usingOAuth2 vs GoogleAuthUtil.getToken()

Related

Access GAE datastore with spray

I want to use GAE datastore to store my data but instead of the java API we want to use the JSON API and making requests through spray.
But before I can even do any request I need to obtain an access token.
I can't figure out how this is done with either the Java API or any other means. Is there a way to obtain an access token which can then be used for the JSON API (through spray)?
Like many Google services, the Datastore API uses OAuth for authentication. The easiest way to use it is with one of the Google API client libraries.
Java: https://developers.google.com/api-client-library/java/
Java + Datastore: https://developers.google.com/api-client-library/java/apis/datastore/v1beta2
The documentation for the client does a pretty good job of explaining how OAuth works and how to get started calling APIs by registering your app with the Console.
(I'm not familiar with spray, but I assume you'd be able to use the Java client from Scala.)

How to secure the Rest webservice by token based authentication?

I have created a few REST services using the Jersey implementation.
As a security concern, the services can be invoked by anyone. So I decided to use a token-based authentication system.
I wrote one filter in Spring Security which handles every request before it hits the server.
One login service was created so the user can invoke this service by passing the username and password; for valid credentials it generates the access token and expiry date, saves them in a HashMap and the DB, and returns them as a response to the user.
For the remaining services the user has to pass the generated token in a header to access the JAX-RS services.
All these processes are coded by us, i.e., generation, storage and expiration of the token.
Since we have some security APIs like OAuth1 and OAuth2 on the market, is it good to provide the security for the REST service in the above-mentioned way?
Will the OAuth API suit my requirement? If it will, please guide me on how to achieve this.
Please help me out with valuable suggestions.
Thanks in advance.
We've been in a similar position before starting with our REST API. The only difference: we had no existing code. So basically we saw 2 choices:
1. Run our own token handling, which is what you already have
2. Use something existing, i.e. OAuth2
Our main requirement was authentication via token and we preferred an existing solution. So we just ran with OAuth2 in the form of spring-security-oauth2, even though we are not using the whole self authorization stuff.
What I like, and probably would have missed in our own implementation, is that a token generally identifies a user and a client combination and that clients can have rights too. It's nice to have this extra layer of security in our REST API, so I can block early on before even hitting one line of our code.
In the form of spring-security-oauth2 it's proven code, which works and, like much of Spring, it's customizable. Example: in our first version we did use the provided JdbcTokenStore for storing the token, but as requirements changed, we just coded our own and switched it in the config.
The disadvantage of using at least spring-security-oauth2 is that the whole authorization flow is normally web-based and needs communication between the client, the user and our app. As this would not work with our clients we had to trigger the token generation, etc. ourselves, which is doable with Spring, but needed some code exploration :-)
If I had to build it again with Java and were already using Spring, I'd go with spring-security-oauth2 and the OAuth way again. But when I had an existing working solution and didn't need any of the OAuth stuff I would keep the homegrown solution.

Trade Me API - OAuth before API access

I'm using a Trade Me API, which requires OAuth access tokens according to the application registered with it. So I have got OAuth access tokens. I have the URL of the API, all the parameters and values. But I don't understand how to get started. It is obvious that I need to use access tokens but I don't understand where and how to use them, as we can't pass them into the URL.
I'm using this API:
http://developer.trademe.co.nz/api-reference/my-trade-me-methods/retrieve-your-sold-items/
At the bottom of the API documentation page you provided in your question, there is a Request Builder. This allows you to generate an API request by filling in the form provided and clicking Send Request.
If you were to capture the HTTP request generated by the browser when you submit this form using an application such as Fiddler, you could determine the correct format for the request, and then generate similarly formatted requests from within your own application.
You might also want to check out the OAuth page of the Trade Me Developer API reference, which explains how OAuth authentication should be performed for the Trade Me API.
Sorry I can't be of more direct assistance, as I'm not a Java developer.

How to use Facebook appAccessToken with Spring Social

I'm a bit confused as to how to use Facebook's app access token with Spring Social.
I already have an app access token by making a GET request to:
http://graph.facebook.com/oauth/access_token?client_id=YOUR_APP_ID&client_secret=YOUR_APP_SECRET&grant_type=client_credentials
I can't use (for reasons I don't want to discuss here) the standard Spring Social connection creation flow and I want to use this token (if possible).
My question is generally directed toward the GraphApi.
So in general can I use an app access token acquired via a standard GET to make requests to the Graph Api through Spring Social ?
Thanks,
There are very few things that the app access token can be used for. Most of the operations in the Graph API are for fetching user data and therefore you MUST obtain a user access token. The app access token you have will not work.
If you're planning to use your app access token to fetch a user's profile, see their friends list, or post to their timeline (or anything that pertains to a user), then you're out of luck. Imagine the chaos that would ensue if all you had to do to read and post on behalf of a user is obtain an app access token! You must get the user's permission for that kind of thing.
There are 3 ways to get a user access token: Authorization code grant (which is what Spring Social's ConnectController does and is most appropriate for traditional web applications), implicit grant (which is more appropriate for client-side Javascript), and resource owner credentials grant (which is most appropriate for mobile or desktop applications where doing a browser redirect is awkward, difficult, or impossible).
The app access token you have is only intended to consume API endpoints that are application-centric and do not pertain to any given user. There are a few such operations in Facebook's API, but the only one that immediately comes to mind is that you can use an app token to create test users (see https://developers.facebook.com/docs/test_users/).
Just as most of Facebook's API is user-centric, likewise is Spring Social's Facebook API binding. If, however, there's an app-centric operation that you'd like to see added to Spring Social, I'd appreciate it if you'd let me know at https://jira.springsource.org/browse/SOCIALFB.

Java REST service using authentication token

On my web app using Java EE 6, I want to expose some of my functionality as a JSON REST service. I want to use authentication tokens for login: the user will send their username and password, and the server will send back a token, which will be used to authorize the user on their further requests for a given time.
A few questions bothering me so far:
When the server creates the token and sends it to the client, should the server save it in a DB or in a bean using something like a hashtable as userid-token pairs?
Can I get some help using any Java EE specific API, or does this have to be all custom code?
Here's my input:
I would save the token in DB, in case you need to restart the server you don't want to lose all your user's tokens. You could potentially save it in memory as well to speed up requests and only look it up in DB if it is not found in memory.
I would accept the token in the header. I would put the rest service on HTTPS so the request is encrypted and then you don't need to worry about encrypting the token manually in the request
I would probably look at JAX-RS and see what features it offers
I recently blogged on how to set up Role-based authorization in a JAX-RS REST API using both a simple session token approach and a more secure method of signing requests using the session token as a shared secret.
It boils down to:
Get a session token from the server along with some identifier for the user
Use the token to encrypt the information in the request
Also use a timestamp and nonce value to prevent MITM attacks
Never pass the session token back and forth except for when retrieving it initially
Have an expiry policy on session tokens
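A sketch of the request-signing scheme summarized in the list above, as an added example that is not code from the answer or the blog post it mentions. It assumes HMAC-SHA256 as the signing primitive, a five-minute freshness window and a newline-joined canonical string; the class name, field order and sample values are hypothetical.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class SignedRequestDemo {
    static final long MAX_SKEW_MS = 5 * 60 * 1000;   // assumed freshness window
    // nonce -> timestamp of first use; a real service scopes this per user and evicts old entries
    static final Map<String, Long> seenNonces = new ConcurrentHashMap<>();

    // HMAC-SHA256 over the request fields, keyed with the session token (the token itself is never sent)
    static String sign(String token, String method, String path, long ts, String nonce, String body)
            throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(token.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        String canonical = String.join("\n", method, path, Long.toString(ts), nonce, body);
        return Base64.getEncoder().encodeToString(mac.doFinal(canonical.getBytes(StandardCharsets.UTF_8)));
    }

    // Server side: the token is looked up from the user identifier sent with the request
    static boolean verify(String token, String method, String path, long ts, String nonce,
                          String body, String signature, long now) throws Exception {
        if (Math.abs(now - ts) > MAX_SKEW_MS) return false;             // stale or future-dated
        byte[] expected = sign(token, method, path, ts, nonce, body).getBytes(StandardCharsets.UTF_8);
        byte[] given = signature.getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expected, given)) return false;       // constant-time comparison
        return seenNonces.putIfAbsent(nonce, ts) == null;                // rejects a reused nonce
    }

    public static void main(String[] args) throws Exception {
        String token = "constructed-session-token";                      // constructed sample value
        long now = System.currentTimeMillis();
        String body = "{\"qty\":1}";
        String sig = sign(token, "POST", "/orders", now, "n-1", body);
        System.out.println("fresh:    " + verify(token, "POST", "/orders", now, "n-1", body, sig, now));
        System.out.println("replayed: " + verify(token, "POST", "/orders", now, "n-1", body, sig, now));
        System.out.println("tampered: " + verify(token, "POST", "/orders", now, "n-2", "{\"qty\":9}", sig, now));
        long old = now - 600_000;                                        // ten minutes in the past
        String oldSig = sign(token, "POST", "/orders", old, "n-3", body);
        System.out.println("stale:    " + verify(token, "POST", "/orders", old, "n-3", body, oldSig, now));
    }
}
```

The nonce is recorded only after the signature checks out, so unauthenticated traffic cannot fill the replay cache.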
Saving the token in a bean or hash table would not be persistent. A DB would persist between executions.
If you are going to be using REST then you can either pass the authentication in the parameters to the method, or in the request header itself. Encryption is a different matter. I guess it depends on the scale of the system, and how open it is. If security is a top importance, then yes, you should find some form of encryption.
I have done similar things using the Spring Framework, and Spring Security. These things are relatively simple using this. To write custom code is to reinvent the wheel. There are many frameworks out there which will help you. However, you would then have the learning curve of the framework.
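The token handling discussed in this thread (a server-issued token with an expiry, kept in memory with a database behind it) can be sketched as follows; this is an added example, not code from any of the answers. The two maps stand in for the database table and the in-memory cache, storing only a SHA-256 digest of the token is an added hardening assumption, and all names are hypothetical (Java 16+ for the record).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class TokenStoreDemo {
    record Session(String userId, long expiresAtMs) {}

    static final SecureRandom RNG = new SecureRandom();
    static final Map<String, Session> db = new ConcurrentHashMap<>();     // stands in for the DB table
    static final Map<String, Session> cache = new ConcurrentHashMap<>();  // in-memory front

    // Only a digest of the token is stored, so a leaked table does not yield usable tokens
    static String digest(String token) throws Exception {
        byte[] h = MessageDigest.getInstance("SHA-256").digest(token.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(h);
    }

    // Called after the username/password check has succeeded
    static String issue(String userId, long ttlMs, long now) throws Exception {
        byte[] raw = new byte[32];                        // 256 bits from a CSPRNG
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        Session s = new Session(userId, now + ttlMs);
        db.put(digest(token), s);
        cache.put(digest(token), s);
        return token;
    }

    // Returns the user id for a valid token, or null if the token is unknown or expired
    static String validate(String token, long now) throws Exception {
        String key = digest(token);
        Session s = cache.get(key);
        if (s == null && (s = db.get(key)) != null) cache.put(key, s);    // memory miss: fall back to DB
        if (s == null) return null;
        if (now >= s.expiresAtMs()) { cache.remove(key); db.remove(key); return null; }
        return s.userId();
    }

    public static void main(String[] args) throws Exception {
        long now = System.currentTimeMillis();
        String t = issue("alice", 60_000, now);           // constructed user, 60 s lifetime
        cache.clear();                                    // simulate a server restart
        System.out.println("after restart: " + validate(t, now + 1_000));
        System.out.println("after expiry:  " + validate(t, now + 61_000));
        System.out.println("never issued:  " + validate("forged", now));
    }
}
```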
