Android oAuth2 API/SDK

Comments

3 comments

  • Andreas Gnutzmann

    Hi Ilian,

    Generally, our experience is that OAuth frameworks usually are more effort than gain. Although OAuth2 is a standard, it allows for quite a lot of freedom on how it's implemented.

    I would therefore recommend implementing the authentication flow in proprietary code. There are a few examples on learn.fotoware.com on how to do this. The examples are usually in JavaScript but can easily be ported to Java.
    https://learn.fotoware.com/Integrations_and_APIs/Authorizing_applications_using_OAuth/Postman_OAuth_request_examples

    Best regards,

    Andreas

  • Florian Winter

    Hi,

    Unfortunately, I also cannot recommend any existing SDKs for Android, but would be interested if you find one that is useful.

    To ensure the security of a custom implementation, we recommend the following:

    1. Always use the correct authentication flow for mobile applications.
    2. Always use authorization code flow (see previous point), not implicit flow (although it may seem easier).
    3. Note that PKCE is mandatory for native applications, not optional, as the OAuth2 standard says.
    4. Consider using app links in Android as OAuth2 redirect URLs to ensure authorization codes are securely delivered to your app and only to your app.
    5. Use refresh tokens to make a user "stay logged in" and not see a consent dialog every time they use the app. This ensures that users only see the consent dialog on first login and do not get used to it and ignore it. Remember that if you use refresh tokens, you may also want to provide a "Logout" button which deletes the refresh token, so a user can "disconnect" the app or log in with a different account.

    Finally, FotoWare does provide an open source example application, which is also hosted publicly so you can test your application registration. Please note that this example application implements all the different authentication flows, and that, again, you have to use the "Native application" flow for mobile apps.

  • Ilian Felinto

    Guys! Thanks to Mr. Nathan Jeynes (Medialogix), I was able to make it work!

    I'm sorry to say there is a bug at the Site Configuration via FotoWare UI. When I tried to add a custom scheme there, as mentioned on my previous post, I got the error below:

    Thanks to Nathan, I found out that this can be done via the old site-configuration IE interface.

    Please fix this whenever possible! Thanks!

