[aerogear-dev] Android OAuth2 PR
supittma at redhat.com
Mon May 5 09:01:00 EDT 2014
On Mon 05 May 2014 08:36:59 AM EDT, Corinne Krych wrote:
> Hello Summers
> First quick review, here are the feedback/questions:
> 1. add a cookbook recipe to help for demoing Android OAuth2. I've
> successfully tested it using @secondsun's demo. It should be part
> of android-cookbook with some readme instructions on how to fill
> OAuth2 Google Drive config will help (See the one for iOS). As
> we're using public OAuth client, no client secret is required we could
> use a pre-configured one like iOS and JS?
Probably true. I'll add a JIRA.
> 2. Android version is now definitively ahead of iOS one ;) as you’ve
> implemented refresh token but configuration is very alike for the
> naming etc… +1
> 3. I like AuthzService idea where we store the tokens for easier
> automatic refresh. Most end-user app will ask for grant only once so
> such a service that retrieves and checks validity of token is needed;
> - But, what about making it configurable to leave the option to store
> or not to store tokens?
Seems like it is somewhat related to this :
Perhaps the jira should be to make storage configurable. If we wanted
to explicitly NOT store then we could make a dummy Store which just
routed everything to /dev/null.
> - The storage for refresh token should be more secure either encrypted
> storage with ag-crypto or keychain/keystore. wdyt?
> 4. not sure about what is the purpose of AdditionalAuthorizationParams
> in AuthzConfig?
So the OAuth2 spec isn't implemented very well. As an example to get a
refresh token from google you have to pass the parameter "access_type"
with a value "offline". This is not part of the spec per se.
> 5. Obviously as you said more work needs to be done for removing token,
> for iOS we have an epic AGIOS-188 for all Oauth2 work. Checking
> Android tickets, I was a bit surprised by AGDROID-244 and AGDROID-242,
> does it mean support for OAuth?
I would like it. After the PR is merged passos and I should have this
scheduled. I am sure these will not be a priority but it is a nice to have.
> Good work! Need to look into AGIOS-145 refresh token and (newly
> created) AGIOS-190 AuthzService to catch up with you guys.
>  https://github.com/secondsun/aerogear-android-oauth2-demo
>  https://issues.jboss.org/browse/AGIOS-188
> On 27 Apr 2014, at 08:55, Corinne Krych <corinnekrych at gmail.com> wrote:
>> Yep same here I'd love to review it and compare with iOS version. I'll
>> send feedback next week too.
>> On Friday, April 25, 2014, Bruno Oliveira <bruno at abstractj.org> wrote:
>> Hi Summers, not sure about the timing. But I would like to review on the
>> next week.
>> On 2014-04-24, Summers Pittman wrote:
>>> This PR is 1) big and 2) incomplete
>>> (https://issues.jboss.org/browse/AGDROID/component/12319553). However,
>>> it represents a certain set of functionality and I want to get
>>> feedback/cleanup/merge before I continue making it even bigger.
>>> I would be EXCITED if someone can review this monster. If it needs to
>>> be cut up and submitted piecemeal to make it more digestible I will also
>>> take feedback on how to do that.
>>> Summers Pittman
>>>>> Phone:404 941 4698
>>>>> Java is my crack.
>>> aerogear-dev mailing list
>>> aerogear-dev at lists.jboss.org
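The configurable storage discussed under point 3 above, as an added example (not code from the PR or from AeroGear; every class, method and account name here is hypothetical): a store that discards tokens beside one that keeps them, and the validity check that decides between using the access token, refreshing it, or asking the user for the grant again.

```java
import java.util.HashMap;
import java.util.Map;

// Hypothetical names throughout; this is not the AeroGear API.
public class TokenStoreExample {
    /** Tokens held for one account; expiresAtMillis is the access token's expiry. */
    static final class Tokens {
        final String accessToken, refreshToken;
        final long expiresAtMillis;
        Tokens(String a, String r, long e) { accessToken = a; refreshToken = r; expiresAtMillis = e; }
    }

    interface TokenStore {
        void save(String accountId, Tokens tokens);
        Tokens load(String accountId);   // null when nothing is stored
    }

    /** The "route everything to /dev/null" store: nothing is ever persisted. */
    static final class NullTokenStore implements TokenStore {
        public void save(String accountId, Tokens tokens) { /* discard */ }
        public Tokens load(String accountId) { return null; }
    }

    /** Keeps tokens for the life of the process only (no encryption shown). */
    static final class MemoryTokenStore implements TokenStore {
        private final Map<String, Tokens> map = new HashMap<>();
        public void save(String accountId, Tokens tokens) { map.put(accountId, tokens); }
        public Tokens load(String accountId) { return map.get(accountId); }
    }

    enum Action { USE_ACCESS_TOKEN, REFRESH, ASK_USER_FOR_GRANT }

    /** Decide what the service must do before the next API call. */
    static Action nextAction(TokenStore store, String accountId, long nowMillis) {
        Tokens t = store.load(accountId);
        if (t == null) return Action.ASK_USER_FOR_GRANT;
        if (nowMillis < t.expiresAtMillis) return Action.USE_ACCESS_TOKEN;
        return t.refreshToken != null ? Action.REFRESH : Action.ASK_USER_FOR_GRANT;
    }

    public static void main(String[] args) {
        long now = 1_000_000L;  // constructed clock value
        Tokens expired = new Tokens("at-constructed", "rt-constructed", now - 1);
        for (TokenStore s : new TokenStore[] { new NullTokenStore(), new MemoryTokenStore() }) {
            s.save("user@example.test", expired);
            System.out.println(s.getClass().getSimpleName() + " -> " + nextAction(s, "user@example.test", now));
        }
    }
}
```

With the discarding store the service always falls back to asking for the grant, which is the trade-off of choosing not to persist a refresh token.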