<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 05/29/2014 01:18 AM, Corinne Krych
wrote:<br>
</div>
<blockquote
cite="mid:CE1F1C3B-8EE6-47CE-815A-50A0026A8AAB@gmail.com"
type="cite">
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
Hello all
<div><br>
</div>
<div>It all started in that thread [1] talking about Android
OAuth2 PR, but the discussion shifted on account management and
storage. I think AccountManager deserves its own thread besides
it’s a cross client topic (although implicit grant for pure web
app is less a use case) so title is not right. Let’s fork the
discussion.</div>
<div><br>
</div>
<div>Main goal of AccountManager is to store all the social access
tokens per account. Here is the use case:</div>
<div>Some application may have to deal with several OAuth2
providers. For example in ios-cookbook, we have Shoot app which
let you upload your photos to Google Drive(should change that to
Google+ eventually), Facebook (and soon Instagram). When a user
open Shoot for the first time and want to share to facebook, he
will be prompted for OAuth2 grant, same thing for Google grant.
The second photo will not trigger any grant as we’ve got the
tokens. But if a user close the app and reopen it, we need
something to store them if we don’t want to prompt again =>
AccountManager.</div>
<div><br>
</div>
<div>Encrypted or not encrypted?</div>
<div>Obviously access token and even more refresh token are
sensitive data. Should we store them encrypted or in a secure
storage like KeyChain or KeyStore? If we go that path a password
is required to encrypt or access keychain, so we need an extra
prompt for the user to enter password. For example, we can chage
Shoot to require a password at first login to ancrypt/decrypt
access token.</div>
<div>I would leave this decision to the end-use rdeveloper of the
app. I would go for a configurable AccountManager, being able to
take a store as demo here [2].</div>
<div><br>
</div>
<div>For now proposed API:</div>
<div>As explained here [3], use same method signature authz: like
for AGAuthorizer. But when use on AccountManager it will create
a authzModule and add an account to store tokens.</div>
<div><br>
</div>
<div>What’s next?</div>
<div>We need to be able to revoke tokens and remove account from
account manager.</div>
<div><br>
</div>
<div>Thoughts? </div>
<div>@summers : as you’re the guy behind Account Manager, if you
can have a look to iOS PR [2] [3] I would love to hear about
your thoughts</div>
</blockquote>
WRT #3 I think that this is a really neat was of solving some of my
design concerns on the Android side. Without getting too gory into
the details, the AuthzModule is responsible for managing the
lifecycle of the AccountManager/AccountService. Having the
Service/Manager be the factory class for AuthzModules is much more
sane.<br>
<blockquote
cite="mid:CE1F1C3B-8EE6-47CE-815A-50A0026A8AAB@gmail.com"
type="cite">
<div><br>
</div>
<div>++</div>
<div>Corinne</div>
<div>[1] <a moz-do-not-send="true"
href="http://aerogear-dev.1069024.n5.nabble.com/aerogear-dev-Android-OAuth2-PR-td7576.html">http://aerogear-dev.1069024.n5.nabble.com/aerogear-dev-Android-OAuth2-PR-td7576.html</a></div>
<div>[2] <a moz-do-not-send="true"
href="https://github.com/corinnekrych/aerogear-ios-cookbook-1/blob/AGIOS-190.account/Shoot/Shoot/AGShootViewController.m#L45">https://github.com/corinnekrych/aerogear-ios-cookbook-1/blob/AGIOS-190.account/Shoot/Shoot/AGShootViewController.m#L45</a></div>
<div>[3] <a moz-do-not-send="true"
href="https://github.com/corinnekrych/aerogear-ios-cookbook-1/blob/AGIOS-190.account/Shoot/Shoot.md#aerogear-account-manager">https://github.com/corinnekrych/aerogear-ios-cookbook-1/blob/AGIOS-190.account/Shoot/Shoot.md#aerogear-account-manager</a></div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
aerogear-dev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:aerogear-dev@lists.jboss.org">aerogear-dev@lists.jboss.org</a>
<a class="moz-txt-link-freetext" href="https://lists.jboss.org/mailman/listinfo/aerogear-dev">https://lists.jboss.org/mailman/listinfo/aerogear-dev</a></pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Summers Pittman
>>Phone:404 941 4698
>>Java is my crack.
</pre>
</body>
</html>