MantasV

Reputation: 1495

Token authentication with Volley

If I have a server where I authenticate with username/password and get auth token for subsequent requests, what would be the best approach addressing this problem?

The flow should be like this:

  • Start request
  • If we don't have auth token - get it with username and password
  • Make request with auth token
  • If request failed because token expired, get new auth token with user name and password
  • Retry request with new auth token
  • Finish

I've noticed that Volley already might have something that might solve this issue - Authenticator https://android.googlesource.com/platform/frameworks/support/+/4474bc11f64b2b274ca6db5a1e23e8c1d143d5fa/volley/src/com/android/volley/toolbox/Authenticator.java It contains getAuthToken() and invalidateAuthToken() methods which would be exactly what I want. But it seems that it's never used in the library at all.

Upvotes: 17

Views: 21272

Answers (5)

Gerrard

Reputation: 829

In my case, I changed a "Basic" authentication to a Token authentication as follows:

@Override
public Map<String, String> getHeaders() throws AuthFailureError {
    Map<String,String> headers = new HashMap<>();
    //todo This is basic authentication (username and password)
    /*String credentials = USER+":"+PASSWORD;
    String auth = "Basic " + Base64.encodeToString(credentials.getBytes(), Base64.NO_WRAP);
    headers.put("Authorization", auth);*/
    //todo This is token authentication (time-limited)
    headers.put("Authorization", "Bearer" + " " + "tokenString");//App.getToken()
    return headers;
}

What I did was to save the Login in a global static variable and then be able to use it.

Upvotes: 0

prajakta waikar

Reputation: 1

getToken() failed. Status BAD_AUTHENTICATION error

I also faced the same problem.

Solution: check whether the device is signed in with your Google account.

Upvotes: -2

cbrulak

Reputation: 15639

Did you see this blog post? https://smaspe.github.io/2013/06/06/volley-part2.html

Demonstrates a simple way of overriding the request object to use Twitter tokens.

@Override
public Map<String, String> getHeaders() throws AuthFailureError {
    Map<String, String> headers = new HashMap<String, String>();
    String auth = "Basic "
            + Base64.encodeToString((TwitterValues.CONSUMER_KEY
            + ":" + TwitterValues.CONSUMER_SECRET).getBytes(),
                    Base64.NO_WRAP);
    headers.put("Authorization", auth);
    return headers;
}

Upvotes: 1

mjw

Reputation: 914

I used Volley for an authentication system using long-lived (LLT) and short-lived (SLT) tokens.

I did it manually but it really wasn't much work once you get it all laid out.

Have all secure requests subclass a baseSecureRequest that can handle this token mechanism common to all secure requests in its onResponse() and onErrorResponse().

It becomes a little node.js style, where requests send other requests and await callbacks.


An app may have a dozen screens, with only half requiring auth access - so each screen should be ignorant as to the requirements of its request.

Scenario A

  • We attempt to send a secure request. We notice we don't have a SLT in memory, so make a TokenRequest.
  • TokenRequest's onResponse() saves that token to memory (let a singleton session manager hold onto it or similar omni-present class)
  • Now callback to the original concrete-class request object to continue with the newly updated token.

Scenario B

  • We send a secure request but our SLT is stale (expired)

  • The server returns an error code or msg that you can catch in the general onErrorResponse() of your baseSecureRequest.

  • In this onError(), you send a refreshTokenRequest() object that attempts to refresh the SLT in memory by requesting a new SLT from the server using the LLT.

  • The onResponse() of the refreshTokenRequest can now callback to the original request to resend.

  • However, the onErrorResponse() should probably abandon the entire thing, because chances are that anything that isn't a connectivity error is an error caused by an invalid LLT. If you keep trying to refresh with a bad LLT you will never get out.

Upvotes: 12
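
The two scenarios from the answer above, as an added example (not code from the answer or from Volley itself). `SecureCalls`, `TokenStore` and `refreshUrl` are hypothetical names; it assumes the server signals an expired SLT with HTTP 401 and that the refresh endpoint returns the new SLT as the raw response body.

```java
import com.android.volley.Request;
import com.android.volley.RequestQueue;
import com.android.volley.Response;
import com.android.volley.toolbox.StringRequest;
import java.util.Collections;
import java.util.Map;

// Hypothetical helper (not a Volley class): sends GETs with the SLT and
// refreshes it from the LLT at most once per call.
public final class SecureCalls {
    // Hypothetical session holder for both tokens.
    public interface TokenStore { String slt(); String llt(); void saveSlt(String t); void clear(); }
    private final RequestQueue queue;
    private final TokenStore tokens;
    private final String refreshUrl; // assumed refresh endpoint

    public SecureCalls(RequestQueue queue, TokenStore tokens, String refreshUrl) {
        this.queue = queue; this.tokens = tokens; this.refreshUrl = refreshUrl;
    }

    public void get(String url, Response.Listener<String> ok, Response.ErrorListener fail) {
        if (tokens.slt() == null) refreshThenSend(url, ok, fail); // Scenario A: no SLT in memory
        else send(url, ok, fail, true);
    }

    private void send(String url, Response.Listener<String> ok, Response.ErrorListener fail, boolean mayRefresh) {
        queue.add(new StringRequest(Request.Method.GET, url, ok, error -> {
            // Assumption: an expired SLT comes back as HTTP 401.
            boolean expired = error.networkResponse != null && error.networkResponse.statusCode == 401;
            if (expired && mayRefresh) refreshThenSend(url, ok, fail); // Scenario B: stale SLT
            else fail.onErrorResponse(error);
        }) {
            @Override public Map<String, String> getHeaders() { return bearer(tokens.slt()); }
        });
    }

    private void refreshThenSend(String url, Response.Listener<String> ok, Response.ErrorListener fail) {
        queue.add(new StringRequest(Request.Method.POST, refreshUrl, newSlt -> {
            tokens.saveSlt(newSlt.trim()); // assumption: body is the raw token
            send(url, ok, fail, false);    // retry once; a second 401 goes to the caller
        }, error -> {
            // The server answered, so this is not a connectivity error: treat the LLT as
            // invalid, drop both tokens and let the caller force a fresh login.
            if (error.networkResponse != null) tokens.clear();
            fail.onErrorResponse(error);
        }) {
            @Override public Map<String, String> getHeaders() { return bearer(tokens.llt()); }
        });
    }

    private static Map<String, String> bearer(String token) {
        return Collections.singletonMap("Authorization", "Bearer " + token);
    }
}
```

Each attempt builds a new request object rather than re-queuing the finished one, and the `mayRefresh` flag is what keeps a rejected token from looping between refresh and retry.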

Gaurav Agarwal

Reputation: 19102

  1. You might want to use the AccountManager API in Android for authentication and authorization. You may follow the blog here.
  2. For OAuth 2.0 server-side implementation you may read the IETF draft V2-31 here.
  3. For better understanding of OAuth 2.0 you may read the blog by Nitesh Kumar here.
  4. For server-side implementation of OAuth 2.0 you can fork the Apis Authorization Server repo at GitHub.
  5. More implementation options can be found at the website of OAuth 2.0 here.

Upvotes: 1
