Hello all
It all started in that thread [1] talking about Android OAuth2 PR, but the discussion
shifted on account management and storage. I think AccountManager deserves its own thread
besides it’s a cross client topic (although implicit grant for pure web app is less a use
case) so title is not right. Let’s fork the discussion.
Main goal of AccountManager is to store all the social access tokens per account. Here is
the use case:
Some application may have to deal with several OAuth2 providers. For example in
ios-cookbook, we have Shoot app which let you upload your photos to Google Drive(should
change that to Google+ eventually), Facebook (and soon Instagram). When a user open Shoot
for the first time and want to share to facebook, he will be prompted for OAuth2 grant,
same thing for Google grant. The second photo will not trigger any grant as we’ve got the
tokens. But if a user close the app and reopen it, we need something to store them if we
don’t want to prompt again => AccountManager.
Encrypted or not encrypted?
Obviously access token and even more refresh token are sensitive data. Should we store
them encrypted or in a secure storage like KeyChain or KeyStore? If we go that path a
password is required to encrypt or access keychain, so we need an extra prompt for the
user to enter password. For example, we can chage Shoot to require a password at first
login to ancrypt/decrypt access token.
I would leave this decision to the end-use rdeveloper of the app. I would go for a
configurable AccountManager, being able to take a store as demo here [2].
For now proposed API:
As explained here [3], use same method signature authz: like for AGAuthorizer. But when
use on AccountManager it will create a authzModule and add an account to store tokens.
What’s next?
We need to be able to revoke tokens and remove account from account manager.
Thoughts?
@summers : as you’re the guy behind Account Manager, if you can have a look to iOS PR [2]
[3] I would love to hear about your thoughts
++
Corinne
[1]
http://aerogear-dev.1069024.n5.nabble.com/aerogear-dev-Android-OAuth2-PR-...
[2]
https://github.com/corinnekrych/aerogear-ios-cookbook-1/blob/AGIOS-190.ac...
[3]
https://github.com/corinnekrych/aerogear-ios-cookbook-1/blob/AGIOS-190.ac...