[aerogear-dev] OAuth2 and Account Management

Summers Pittman supittma at redhat.com
Thu May 29 11:05:59 EDT 2014

On 05/29/2014 01:18 AM, Corinne Krych wrote:
> Hello all
> It all started in that thread [1] talking about Android OAuth2 PR, but 
> the discussion shifted on account management and storage. I think 
> AccountManager deserves its own thread besides it's a cross client 
> topic (although implicit grant for pure web app is less a use case) so 
> title is not right. Let's fork the discussion.
> Main goal of AccountManager is to store all the social access tokens 
> per account. Here is the use case:
> Some application may have to deal with several OAuth2 providers. For 
> example in ios-cookbook, we have Shoot app which let you upload your 
> photos to Google Drive(should change that to Google+ eventually), 
> Facebook (and soon Instagram). When a user open Shoot for the first 
> time and want to share to facebook, he will be prompted for OAuth2 
> grant, same thing for Google grant. The second photo will not trigger 
> any grant as we've got the tokens. But if a user close the app and 
> reopen it, we need something to store them if we don't want to prompt 
> again => AccountManager.
> Encrypted or not encrypted?
> Obviously access token and even more refresh token are sensitive data. 
> Should we store them encrypted or in a secure storage like KeyChain or 
> KeyStore? If we go that path a password is required to encrypt or 
> access keychain, so we need an extra prompt for the user to enter 
> password. For example, we can chage Shoot to require a password at 
> first login to ancrypt/decrypt access token.
> I would leave this decision to the end-use rdeveloper of the app. I 
> would go for a configurable AccountManager, being able to take a store 
> as demo here [2].
> For now proposed API:
> As explained here [3], use same method signature authz: like for 
> AGAuthorizer. But when use on AccountManager it will create a 
> authzModule and add an account to store tokens.
> What's next?
> We need to be able to revoke tokens and remove account from account 
> manager.
> Thoughts?
> @summers : as you're the guy behind Account Manager, if you can have a 
> look to iOS PR [2] [3] I would love to hear about your thoughts
WRT #3 I think that this is a really neat was of solving some of my 
design concerns on the Android side.  Without getting too gory into the 
details, the AuthzModule is responsible for managing the lifecycle of 
the AccountManager/AccountService.  Having the Service/Manager be the 
factory class for AuthzModules is much more sane.
> ++
> Corinne
> [1] 
> http://aerogear-dev.1069024.n5.nabble.com/aerogear-dev-Android-OAuth2-PR-td7576.html
> [2] 
> https://github.com/corinnekrych/aerogear-ios-cookbook-1/blob/AGIOS-190.account/Shoot/Shoot/AGShootViewController.m#L45
> [3] 
> https://github.com/corinnekrych/aerogear-ios-cookbook-1/blob/AGIOS-190.account/Shoot/Shoot.md#aerogear-account-manager
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev

Summers Pittman
>>Phone:404 941 4698
>>Java is my crack.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/aerogear-dev/attachments/20140529/bc1209f7/attachment.html 

More information about the aerogear-dev mailing list