Using OAuth 2.0 in an Android app
OAuth is an open standard for authorization. It allows service providers to share information with third-party applications without compromising the credentials of the user. In other words, using OAuth, services such as Twitter or Facebook can give apps access to their information in a safe way.
As users of these services, we can authorize a third-party application to use the information stored on the service on our behalf. During this process, the third-party application never sees the credentials of the user, neither email nor password.
What is OAuth and who uses it?
The use of OAuth has spread since 2010, when the first version (OAuth 1.0) of the protocol was released.
OAuth 2.0 was published in October 2012. Besides Twitter and Facebook, other services that currently use implementations of OAuth are LinkedIn, Flickr, Strava, Dropbox and Instagram. These services provide a public API that gives access to their data and that uses OAuth to control access to this API.
These APIs are used to implement applications (generally web applications or mobile apps) that make use of the user’s information stored on these services.
As most of the services currently support it, I’m going to focus on OAuth 2.0 in this post.
To illustrate its usage, we are going to implement a simple authorization flow against LinkedIn in an Android application.
Who’s who in OAuth 2.0?
OAuth 2.0 defines three different roles:
- The Third-Party Application or Client. This is our Android app. Generally speaking, it’s the app that wants to gain access to the user’s data.
- The API or Resource Server. This is the service provider that stores the user’s information and gives secure access to the Client.
- The User or Resource Owner. The user of our third-party application, and the owner of the information stored on the Resource Server, who gives the Client permission to access their data.
Creating an Application in the Resource Server
Now that we know the different roles within the protocol, we can start with a practical example of usage.
Our third-party application is going to be an Android app that will ask for the user’s permission to use their information stored on LinkedIn.
The first step is to create an application in the LinkedIn developer page. For this we need an account in LinkedIn (if you don’t have one yet, what are you waiting for? It’s free!)
Once we are logged in, we click on “Add New Application”. We are going to fill in only the mandatory fields with data. In the section “OAuth User Agreement” we specify which information we want to access from our app. We are going to check only the first option as we only want to access the basic profile information of the user.
If everything goes well, we will see something like this:
Now we have all we need to request an access token. An access token is a key that is unique to the combination of a user and an API key. The API key alone doesn’t give access to the user’s information: we first need to obtain an authorization code, which we then trade for the access token.
Our Android Application
You can take a look at the code for this project, or even clone it on your machine, from the GitHub repository. Remember to put your own keys in the MainActivity.java file before executing it.
This Android app is very simple: it has only two activities, one to manage the authorization process (MainActivity.java) and another to retrieve some information about the authorized user (ProfileActivity.java).
The authorization process follows these steps:
- Load the authorization URL in a WebView. This URL shows the user a form where she can enter her username and password and grant the permissions the application is asking for.
- Once the user has entered their details and approved the request, the server will redirect to the URL we provided. In this URL we’ll find the authorization code, which we will trade for the actual access token.
- We will use the access token to make a request to the API for the user details, and we’ll show the response in ProfileActivity.java.
Remember that this process can vary depending on the service we want to access, so we have to read the documentation that the service provides.
In this case, we can take a look at the LinkedIn authentication documentation, where we can find a detailed guide on how to gain access to the LinkedIn API and how to make requests.
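The three steps above, written out as one Activity. This is an added example, not the code in the project’s GitHub repository. The endpoint URLs, the scope name, the redirect URI and the CLIENT_ID / CLIENT_SECRET values are assumptions and placeholders that have to be replaced with the values of the application created on the LinkedIn developer page and checked against the LinkedIn documentation. Beyond what the post describes, the example also generates a random state value for the authorization request and refuses the callback unless the provider echoes it back, which keeps the app from exchanging an authorization code it did not ask for.

```java
// Added example (not the repository's code): the three steps of the post in one
// Activity, with a "state" check before the authorization code is exchanged.
import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.util.Log;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import org.json.JSONException;
import org.json.JSONObject;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.math.BigInteger;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Scanner;

public class OAuthExampleActivity extends Activity {
    private static final String TAG = "OAuthExample";
    // Placeholders: take the real values from the application created on the LinkedIn developer page.
    private static final String CLIENT_ID = "YOUR_CLIENT_ID";
    private static final String CLIENT_SECRET = "YOUR_CLIENT_SECRET";
    private static final String REDIRECT_URI = "https://example.com/oauth/callback";
    // Assumed endpoint and scope names; check them against the LinkedIn documentation.
    private static final String AUTH_URL = "https://www.linkedin.com/oauth/v2/authorization";
    private static final String TOKEN_URL = "https://www.linkedin.com/oauth/v2/accessToken";
    private static final String SCOPE = "r_liteprofile";
    // Unguessable value bound to this attempt; the provider must echo it back unchanged.
    private final String state = new BigInteger(130, new SecureRandom()).toString(32);

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                if (!url.startsWith(REDIRECT_URI)) {
                    return false; // not our callback: let the WebView load the page
                }
                // Step 2: the provider redirected back. Refuse the callback unless the state
                // matches, so a code this app did not request is never exchanged.
                Uri uri = Uri.parse(url);
                String code = uri.getQueryParameter("code");
                if (!state.equals(uri.getQueryParameter("state")) || code == null) {
                    Log.e(TAG, "callback rejected: " + uri.getQueryParameter("error"));
                    return true;
                }
                new Thread(() -> exchangeCode(code)).start(); // network work off the UI thread
                return true;
            }
        });
        // Step 1: the user signs in and grants permission on LinkedIn's own page.
        webView.loadUrl(Uri.parse(AUTH_URL).buildUpon()
                .appendQueryParameter("response_type", "code")
                .appendQueryParameter("client_id", CLIENT_ID)
                .appendQueryParameter("redirect_uri", REDIRECT_URI)
                .appendQueryParameter("state", state)
                .appendQueryParameter("scope", SCOPE)
                .build().toString());
    }

    // Trade the one-time authorization code for the access token (RFC 6749, section 4.1.3).
    private void exchangeCode(String code) {
        try {
            String body = "grant_type=authorization_code"
                    + "&code=" + URLEncoder.encode(code, "UTF-8")
                    + "&redirect_uri=" + URLEncoder.encode(REDIRECT_URI, "UTF-8")
                    + "&client_id=" + URLEncoder.encode(CLIENT_ID, "UTF-8")
                    + "&client_secret=" + URLEncoder.encode(CLIENT_SECRET, "UTF-8");
            HttpURLConnection conn = (HttpURLConnection) new URL(TOKEN_URL).openConnection();
            conn.setRequestMethod("POST");
            conn.setDoOutput(true);
            conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
            try (OutputStream out = conn.getOutputStream()) {
                out.write(body.getBytes(StandardCharsets.UTF_8));
            }
            if (conn.getResponseCode() != HttpURLConnection.HTTP_OK) {
                Log.e(TAG, "token endpoint answered " + conn.getResponseCode());
                return;
            }
            try (InputStream in = conn.getInputStream()) {
                String json = new Scanner(in, "UTF-8").useDelimiter("\\A").next();
                String accessToken = new JSONObject(json).getString("access_token");
                // Step 3: hand the token to ProfileActivity and send it as
                // "Authorization: Bearer <token>" on the API request. Log only its presence.
                Log.i(TAG, "access token obtained, " + accessToken.length() + " chars");
            }
        } catch (IOException | JSONException e) {
            Log.e(TAG, "token exchange failed", e);
        }
    }
}
```

Two points worth keeping in mind when adapting this. First, the state check is what ties the redirect to the request this app started; without it, any URL that reaches the callback with a code in it would be exchanged. Second, like the post’s MainActivity.java, this example embeds the client secret in the app, where anyone with the APK can read it; for native apps the current recommendation (RFC 8252) is the authorization code flow with PKCE in the system browser, which needs no secret in the app at all.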