2
votes

I have built a REST API using Rails and Doorkeeper. I'm using the assertion grant flow and Facebook login to create and log in users in the Android client.

I've successfully logged in and got an access token from my server using Retrofit. The access token has token, refresh_token, token_type, expires_in and created_at info.

I have the following options to manage and maintain this token while the user is browsing my Android app.

  1. Save all the info from the access token in SharedPreferences when the user opens the app and logs in. On successful login it leads to the main activity, where I access SharedPreferences and call the API using the token.
  2. The second option is to pass the access token object as a Parcelable object and get the access_token in the next activity from this object.

I can check if the access_token is expired by comparing it with the current time and the created_at time every time before accessing the API. If it has expired, I get a new token using the refresh_token.

I think both of the above approaches lead to code duplication and repeating the same thing.

  1. If there is any other approach to do it, that'll be great as well. I think it'd be great if my Retrofit client could manage whether the token is expired or not and, if it has expired, request a new token. In short, I'm thinking of using some sort of Interceptor. But I don't know how to do it.

Which of the above approaches is more suitable?

Thanks!

2
I guess this other question might answer this one. stackoverflow.com/questions/30485858/… - wmac

2 Answers

0
votes

You should store your data in a singleton after login so that you can access it anywhere in the app.

Then, if you use OkHttp with Retrofit, you can use OkHttp's interceptor, as described in this post, to refresh the token when it has expired.
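
The OkHttp interceptor approach mentioned in this answer, as an added example that is not part of the original answer or of the post it links to. It assumes OkHttp 3 (the `okhttp3` package); `TokenInterceptor`, `TokenStore` and `apiHost` are hypothetical names.

```java
import java.io.IOException;
import okhttp3.Interceptor;
import okhttp3.Request;
import okhttp3.Response;

/** Attaches the bearer token to API requests and refreshes it when it has expired. */
public final class TokenInterceptor implements Interceptor {
    /** Hypothetical abstraction over wherever the app keeps its token. */
    public interface TokenStore {
        String accessToken();   // current token, or null when logged out
        boolean hasExpired();   // true once created_at + expires_in has passed
        // Blocking refresh_token request; stores and returns the new token.
        // Must use an HTTP client WITHOUT this interceptor, or it recurses.
        String refresh() throws IOException;
    }

    private final TokenStore store;
    private final String apiHost;   // only this host ever receives the token

    public TokenInterceptor(TokenStore store, String apiHost) { this.store = store; this.apiHost = apiHost; }

    @Override
    public Response intercept(Chain chain) throws IOException {
        Request original = chain.request();
        if (!apiHost.equalsIgnoreCase(original.url().host())) {
            return chain.proceed(original);   // never leak the token to other hosts
        }
        String token = usableToken(null);
        Response response = chain.proceed(authorize(original, token));
        if (response.code() != 401 || token == null) return response;
        // Rejected although the local check passed (revoked token or clock skew): refresh once, retry once.
        response.close();
        return chain.proceed(authorize(original, usableToken(token)));
    }

    /** Refreshes when the token has expired or is the one the server just rejected. */
    private String usableToken(String rejected) throws IOException {
        synchronized (store) {   // one thread refreshes, the others reuse its result
            String token = store.accessToken();
            if (token == null) return null;
            if (store.hasExpired() || token.equals(rejected)) token = store.refresh();
            return token;
        }
    }

    private static Request authorize(Request request, String token) {
        if (token == null) return request;   // logged out: send unauthenticated
        return request.newBuilder().header("Authorization", "Bearer " + token).build();
    }
}
```

Register it with `OkHttpClient.Builder.addInterceptor` and hand that client to Retrofit, so no activity has to check expiry itself.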

0
votes

I think that the most reliable approach is extending your Application class and managing there every process you might want to do with the token.

In this way you have a single common place with which all your activities can interact - avoiding code duplication. Furthermore, it's the very first class that is called, so that you can be sure that the next time your app is called, your first activity will be already able to use the token.

For data persistence, I highly suggest storing all the information in the SharedPreferences. After all, they were designed exactly for this purpose.

AndroidManifest.xml

[...]
<application
        android:name="com.yourpackage.YourApp"

[...]

YourApp.java

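import android.app.Application;
import android.content.Context;
import android.content.SharedPreferences;

public class YourApp extends Application {

    // Preference file and key names are placeholders
    private static final String PREFS = "auth";
    private static final String KEY_TOKEN = "access_token";
    private static final String KEY_CREATED_AT = "created_at";
    private static final String KEY_EXPIRES_IN = "expires_in";

    private static YourApp sInstance;

    String accessToken;

    @Override
    public void onCreate(){
        super.onCreate();

        sInstance = this;

        accessToken = retrieveTokenFromSharedPrefs();

    }

    public static YourApp getInstance() {
        return sInstance;
    }

    private SharedPreferences prefs() {
        return getSharedPreferences(PREFS, Context.MODE_PRIVATE);
    }

    private String retrieveTokenFromSharedPrefs() {
        // get your access token from SharedPrefs (null if none was saved)
        return prefs().getString(KEY_TOKEN, null);
    }

    // public so that the login code can store a freshly issued token
    public void setToken(String token, long createdAt, long expiresIn) {
        accessToken = token;
        // save your access token in the SharedPrefs
        prefs().edit()
                .putString(KEY_TOKEN, token)
                .putLong(KEY_CREATED_AT, createdAt)
                .putLong(KEY_EXPIRES_IN, expiresIn)
                .apply();
    }

    public String getAccessToken() {
        return accessToken;
    }

    public boolean hasLoggedIn() {
        return getAccessToken() != null;
    }

    public boolean hasTokenExpired() {
        // assumes created_at is in epoch seconds and expires_in is in seconds
        long expiresAt = prefs().getLong(KEY_CREATED_AT, 0) + prefs().getLong(KEY_EXPIRES_IN, 0);
        return System.currentTimeMillis() / 1000 >= expiresAt;
    }

}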

And then access the methods using

YourApp.getInstance().getAccessToken();