[aerogear-dev] Android OAuth2 PR
Corinne Krych
corinnekrych at gmail.com
Mon May 5 12:10:54 EDT 2014
On 05 May 2014, at 17:56, Bruno Oliveira <bruno at abstractj.org> wrote:
> On 2014-05-05, Summers Pittman wrote:
>> On Mon 05 May 2014 08:36:59 AM EDT, Corinne Krych wrote:
>>>
>>> 2. Android version is now definitively ahead of iOS one ;) as you’ve
>>> implemented refresh token but configuration is very alike for the
>>> naming etc… +1
>>>
>>> 3. I like AuthzSevice idea where we store the tokens for easier
>>> automatic refresh. Most end-user app will ask for grant only once so
>>> such a service that retieve and check validity of token is needed;
>>> - But, what about making it configurable to leave the option to store
>>> or not to store tokens?
>> Seems like it is somewhat related to this :
>> https://issues.jboss.org/browse/AGDROID-241
>>
>> Perhaps the jira should be to make storage configurable. If we wanted
>> to explicitly NOT store then we could make a dummy Store which just
>> routed everything to /dev/null.
>
> What's the real need behind store those tokens?
It’s useful (more UX friendly I guess) to ask only once if you want to grant access to this third party app. It’s a common pattern in application like GoogleDrive.
I’ve seen app that stores those token in KeyChain
> If is really necessary,
> that's ok, otherwise let's do not store it. Offline, OAuth2 tokens are
> useless.
>
> Or add an option to choose between store or not store like mentioned
> here.
+1
Definitively have it optional
>
>>> - The storage for refresh token should be more secure either encrypted
>>> storage with ag-crypto or keychain/keystore. wdyt?
>> See above
>
> Encryption won't fix this, worse, will add an extra level of complexity
> to the application. Let's think about it, what do we need for
> encryption?
>
> 1. Generate a private key
> 2. If it doesn't have a password is worthless (for local storage)
> 3. Alright, is password based, let's encrypt everything now
> 4. Now at every inclusion of tokens, you prompt users for the password
>
> They would remember your name forever sometimes attached to bad names.
> IMO my suggestion is:
>
> 1. Leave it as is and never allow to store in any kind of external storage
> 2. Do not store (+1)
> 2. Cache and destroy it when the application is closed
> 4. Use encryption and make the whole application more complex
what about storing them in Keychain/Keystore?
>
>>>
>>> 4. not sure about what is the purpose of AdditionalAuthorizationParams
>>> in AuthzConfig?
>> So the OAuth2 spec isn't implemented very well. As an example to get a
>> refresh token from google you have to pass the parameter "access_type"
>> with a value "offline". This is not part of the spec per se.
>>>
>>> 5. Obviously as you said more work need to be done for removing token,
>>> Authorizer..
>>> for iOs we have an epic AGIOS-188 [3] for all Oauth2 work. Checking
>>> Android tickets, I was a bit surprised by AGDROID-244 and AGDROID-242,
>>> does it mean support for OAuth?
>> I would like it. After the PR is merged passos and I should have this
>> scheduled. I am sure these will not be a priority but it is a nice to have.
>>>
>>> Good work! Need to look into AGIOS-145 refresh token and (newly
>>> created) AGIOS-190 AuthzService to catch up with you guys.
>>>
>>> ++
>>> Corinne
>>>
>>> [1] https://github.com/secondsun/aerogear-android-oauth2-demo
>>> [2]
>>> https://github.com/aerogear/aerogear-ios-cookbook/blob/master/GoogleDrive/GoogleDrive.md#google-setup-optional
>>> [3] https://issues.jboss.org/browse/AGIOS-188
>>>
>>> On 27 Apr 2014, at 08:55, Corinne Krych <corinnekrych at gmail.com> wrote:
>>>
>>>>
>>>> Yep same here i'd love to review it an compare with iOS version. I'll
>>>> send feedback next week too.
>>>> ++
>>>> Corinne
>>>>
>>>> On Friday, April 25, 2014, Bruno Oliveira <bruno at abstractj.org> wrote:
>>>> Hi Summers, not sure about the timing. But I would like to review on the
>>>> next week.
>>>>
>>>> On 2014-04-24, Summers Pittman wrote:
>>>>>
>>>>>
>>>>> https://github.com/aerogear/aerogear-android/pull/146
>>>>>
>>>>> This PR is 1) big and 2) incomplete
>>>>> (https://issues.jboss.org/browse/AGDROID/component/12319553). However,
>>>>> it represents a certain set of functionality and I want to get
>>>>> feedback/cleanup/merge before I continue making it even bigger.
>>>>>
>>>>> I would be EXCITED if someone can review this monster. If it needs to
>>>>> be cut up and submitted piecemeal to make it more digestible I will also
>>>>> take feedback on how to do that.
>>>>>
>>>>> Summers
>>>>>
>>>>> --
>>>>> Summers Pittman
>>>>>>
>>>>>>>
>>>>>>> Phone:404 941 4698
>>>>>>> Java is my crack.
>>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> aerogear-dev mailing list
>>>>> aerogear-dev at lists.jboss.org
>>>>> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>>>>
>>>>
>>>> --
>>>>
>>>> abstractj
>>>> _______________________________________________
>>>> aerogear-dev mailing list
>>>> aerogear-dev at lists.jboss.org
>>>> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>>>
>>>
>>>
>>> _______________________________________________
>>> aerogear-dev mailing list
>>> aerogear-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>>
>>
>>
>> --
>> Summers Pittman
>>>> Phone:404 941 4698
>>>> Java is my crack.
>>
>> _______________________________________________
>> aerogear-dev mailing list
>> aerogear-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/aerogear-dev
>
> --
>
> abstractj
> _______________________________________________
> aerogear-dev mailing list
> aerogear-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/aerogear-dev
More information about the aerogear-dev
mailing list