@summers, to me the default option should be to store refresh token at “session” level
(i.e.: in memory storage). that way renewal of access token can be done transparently
without having to re-grant the app.
However if the developer choose permanent storage, we could propose encrypted storage
which required password. Obviously as @abstractj mentioned it, we have the trade-off of
password prompting which implies some constraints in workflow management.
Password should be used once to store the refresh tokens and used at each start up of the
app to retrieved refresh token from permanent storage to memory.
++
Corinne
On 05 May 2014, at 22:32, Summers Pittman <supittma(a)redhat.com> wrote:
On Mon 05 May 2014 03:15:45 PM EDT, Bruno Oliveira wrote:
>
> Hi Summers, I totally understand the need to store. Just don't know how
> the application will behave when token is required. Why?
I'll try to answer with an example and feel free to interrupt me if I
misunderstood you.
User Authorizes and all the appropriate tokens are stored in the
AuthzService
User schedules a pipe to download something in the future.
In the future Pipe.read fires, but the token is expired.
The Pipe's onFailure method is called with a (hopefully) useful
exception. The user can refresh the auth token and retry, fire up a
notification to say "User stuff went sidesways" or just crash (a
personal favorite of mine).
>
> Because you need to prompt for the password to decrypt. Btw I think it's
> not a priority right now, correct?
Right. Here is the relevant JIRA :
https://issues.jboss.org/browse/AGDROID-241?jql=project%20%3D%20AGDROID%2...
> And also, make sure that offline spec
> meet your needs, is important to avoid overlappings.
Yeah. The offline spec may be more useful for some parts of this.
>
> On 2014-05-05, Summers Pittman wrote:
>>
>> Corinne, Bruno, see reply inline.
>>
>> On 05/05/2014 12:40 PM, Bruno Oliveira wrote:
>>>
>>> Hi Corinne, answers inline
>>>
>>> On 2014-05-05, Corinne Krych wrote:
>>>>
>>>> On 05 May 2014, at 17:56, Bruno Oliveira <bruno(a)abstractj.org>
wrote:
>>>>
>>>>>
>>>>> On 2014-05-05, Summers Pittman wrote:
>>>>>>
>>>>>> On Mon 05 May 2014 08:36:59 AM EDT, Corinne Krych wrote:
>>>>>>>
>>>>>>> 3. I like AuthzSevice idea where we store the tokens for
easier
>>>>>>> automatic refresh. Most end-user app will ask for grant only
once so
>>>>>>> such a service that retieve and check validity of token is
needed;
>>>>>>> - But, what about making it configurable to leave the option
to
>>>>>>> store
>>>>>>> or not to store tokens?
>>>>>>
>>>>>> Seems like it is somewhat related to this :
>>>>>>
https://issues.jboss.org/browse/AGDROID-241
>>>>>>
>>>>>> Perhaps the jira should be to make storage configurable. If we
wanted
>>>>>> to explicitly NOT store then we could make a dummy Store which
just
>>>>>> routed everything to /dev/null.
>>>>>
>>>>> What's the real need behind store those tokens?
>>>>
>>>> It’s useful (more UX friendly I guess) to ask only once if you want
>>>> to grant access to this third party app. It’s a common pattern in
>>>> application like GoogleDrive.
>>>> I’ve seen app that stores those token in KeyChain
>>>
>>
>> What Corrine said. It is considered a bad experience to always ask for
>> authorization. Also this let's us have things stay in the background
>> without always have to reauthorize.
>>
>> Doubly also is that refresh tokens must be stored long term.
>>>
>>> I can be wrong, but to open the KeyChain or Keystore a password is
>>> required. How the workflow would look like? Or the plan is to set an
>>> empty password?
>>>
>>>>
>>>>>
>>>>> If is really necessary,
>>>>> that's ok, otherwise let's do not store it. Offline, OAuth2
tokens are
>>>>> useless.
>>>>>
>>>>> Or add an option to choose between store or not store like mentioned
>>>>> here.
>>>>
>>>> +1
>>>> Definitively have it optional
>>>
>>
>> I'm fine with optional. Though I think storing them should be the
>> default behavior.
>>>
>>>>
>>>>
>>>>>
>>>>>>
>>>>>>>
>>>>>>> - The storage for refresh token should be more secure either
>>>>>>> encrypted
>>>>>>> storage with ag-crypto or keychain/keystore. wdyt?
>>>>>>
>>>>>> See above
>>>>>
>>>>> Encryption won't fix this, worse, will add an extra level of
>>>>> complexity
>>>>> to the application. Let's think about it, what do we need for
>>>>> encryption?
>>>>>
>>>>> 1. Generate a private key
>>>>> 2. If it doesn't have a password is worthless (for local
storage)
>>>>> 3. Alright, is password based, let's encrypt everything now
>>>>> 4. Now at every inclusion of tokens, you prompt users for the
password
>>>>>
>>>>> They would remember your name forever sometimes attached to bad
names.
>>>>> IMO my suggestion is:
>>>>>
>>>>> 1. Leave it as is and never allow to store in any kind of external
>>>>> storage
>>>>> 2. Do not store (+1)
>>>>> 2. Cache and destroy it when the application is closed
>>>>> 4. Use encryption and make the whole application more complex
>>>>
>>>>
>>>> what about storing them in Keychain/Keystore?
>>>
>>> Please, see my question above.
>>
>> My idea for this was lean on the crypto APIs to prompt for a
>> password/passphrase when it is appropriate.
>>
>> Since the refresh token (and to a lesser extend the access token) can be
>> used to gain access to everything the app could it would be a nice
>> feature to keep it stored encrypted to keep it safe from pesky file
>> dumpers.
>>>
>>>
>>>
>>> --
>>>
>>> abstractj
>>> _______________________________________________
>>> aerogear-dev mailing list
>>> aerogear-dev(a)lists.jboss.org
>>>
https://lists.jboss.org/mailman/listinfo/aerogear-dev
>>
>>
>>
>> --
>> Summers Pittman
>>>
>>>>
>>>> Phone:404 941 4698
>>>> Java is my crack.
>>>
>>
>>
>> _______________________________________________
>> aerogear-dev mailing list
>> aerogear-dev(a)lists.jboss.org
>>
https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
>
> --
>
> abstractj
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev(a)lists.jboss.org
>
https://lists.jboss.org/mailman/listinfo/aerogear-dev
--
Summers Pittman
>> Phone:404 941 4698
>> Java is my crack.
_______________________________________________
aerogear-dev mailing list
aerogear-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/aerogear-dev