[aerogear-dev] Android OAuth2 PR

Summers Pittman supittma at redhat.com
Mon May 5 09:01:00 EDT 2014


On Mon 05 May 2014 08:36:59 AM EDT, Corinne Krych wrote:
>
> Hello Summers
>
> First quick review, here are the feedback/questions:
>
> 1. add a cookbook recipe to help for demoing Android OAuth2. I've 
> successfully tested it using @secondsun 's demo [1]. It should be part 
> of android-cookbook with some readme instructions on how to fill 
> OAuth2 Google Drive config will help (See the one for iOS [2]). As 
> we're using public OAuth client, no client secret is required we could 
> used a pre-configured one like iOS and JS?
Probably true.  I'll add a JIRA.
https://issues.jboss.org/browse/AGDROID-248 (Docs)
https://issues.jboss.org/browse/AGDROID-249 (App)
>
> 2. Android version is now definitively ahead of iOS one ;) as you’ve 
> implemented refresh token but configuration is very alike for the 
> naming etc… +1
>
> 3. I like AuthzSevice idea where we store the tokens for easier 
> automatic refresh. Most end-user app will ask for grant only once so 
> such a service that retieve and check validity of token is needed;
> - But, what about making it configurable to leave the option to store 
> or not to store tokens?
Seems like it is somewhat related to this : 
https://issues.jboss.org/browse/AGDROID-241

Perhaps the jira should be to make storage configurable.  If we wanted 
to explicitly NOT store then we could make a dummy Store which just 
routed everything to /dev/null.
> - The storage for refresh token should be more secure either encrypted 
> storage with ag-crypto or keychain/keystore. wdyt?
See above
>
> 4. not sure about what is the purpose of AdditionalAuthorizationParams 
> in AuthzConfig?
So the OAuth2 spec isn't implemented very well.  As an example to get a 
refresh token from google you have to pass the parameter "access_type" 
with a value "offline".  This is not part of the spec per se.
>
> 5. Obviously as you said more work need to be done for removing token, 
> Authorizer..
> for iOs we have an epic AGIOS-188 [3] for all Oauth2 work. Checking 
> Android tickets, I was a bit surprised by AGDROID-244 and AGDROID-242, 
> does it mean support for OAuth?
I would like it.  After the PR is merged passos and I should have this 
scheduled.  I am sure these will not be a priority but it is a nice to have.
>
> Good work! Need to look into AGIOS-145 refresh token and (newly 
> created) AGIOS-190 AuthzService to catch up with you guys.
>
> ++
> Corinne
>
> [1] https://github.com/secondsun/aerogear-android-oauth2-demo
> [2] 
> https://github.com/aerogear/aerogear-ios-cookbook/blob/master/GoogleDrive/GoogleDrive.md#google-setup-optional
> [3] https://issues.jboss.org/browse/AGIOS-188
>
> On 27 Apr 2014, at 08:55, Corinne Krych <corinnekrych at gmail.com> wrote:
>
>>
>> Yep same here i'd love to review it an compare with iOS version. I'll 
>> send feedback next week too.
>> ++
>> Corinne
>>
>> On Friday, April 25, 2014, Bruno Oliveira <bruno at abstractj.org> wrote:
>> Hi Summers, not sure about the timing. But I would like to review on the
>> next week.
>>
>> On 2014-04-24, Summers Pittman wrote:
>>>
>>>
>>> https://github.com/aerogear/aerogear-android/pull/146
>>>
>>> This PR is 1) big and 2) incomplete
>>> (https://issues.jboss.org/browse/AGDROID/component/12319553). However,
>>> it represents a certain set of functionality and I want to get
>>> feedback/cleanup/merge before I continue making it even bigger.
>>>
>>> I would be EXCITED if someone can review this monster. If it needs to
>>> be cut up and submitted piecemeal to make it more digestible I will also
>>> take feedback on how to do that.
>>>
>>> Summers
>>>
>>> --
>>> Summers Pittman
>>>>
>>>>>
>>>>> Phone:404 941 4698
>>>>> Java is my crack.
>>>>
>>>
>>>
>>> _______________________________________________
>>> aerogear-dev mailing list
>>> aerogear-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>>
>>
>> --
>>
>> abstractj
>> _______________________________________________
>> aerogear-dev mailing list
>> aerogear-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
>
>
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev



-- 
Summers Pittman
>>Phone:404 941 4698
>>Java is my crack.



More information about the aerogear-dev mailing list