InfoSpace Tech Blog

Feedly OAuth2 Authentication Workflow in Android


Android™ supports the ability for users to pass OAuth2 credentials stored on their device straight to Google™ Services (as documented here: http://developer.android.com/google/play-services/auth.html). But let’s say you want to authenticate against a non-Google service such as Feedly (http://developer.feedly.com) using your Google account credentials.

Google does not permit the OAuth2 access tokens stored on your device to be sent to anyone other than a Google service. From a security standpoint this is exactly what the user wants; otherwise a malicious app could hijack the user’s Google OAuth2 token. We also want to avoid situations where the user enters Google credentials in an environment that Google does not control.

So what is the appropriate workflow for a service that wishes to use Google purely as an authentication mechanism? Feedly’s looks something like this:

  • User makes a login request to Feedly
  • Feedly responds with an authentication URL – this is controlled and generated by Google
  • User browses to the authentication URL
  • User submits credentials
  • Google validates the credentials
    • If valid, Google notifies Feedly and redirects the user to a new URL carrying a special short-lived code generated by Feedly
    • If not valid, the user can attempt authentication again
  • Once validated, the Feedly local client retrieves the code from the URL
  • The Feedly local client presents the code to the Feedly service to obtain a refresh token and an access token

At this point the user has been validated against their Google OAuth2 credentials. The client app consuming the third-party service (Feedly) can be reasonably certain that the person logged in is entitled to that account’s information. Because of this, the client app should be permitted to make API calls against the third-party service using the access token. Again, since the access token was issued on the strength of a successful OAuth2 authentication against the user’s Google account, we can be reasonably confident that any request made with the access token is made on behalf of the previously authenticated OAuth2 account.

On a web or mobile web app the login process looks fairly seamless: a series of quick redirects, with pauses in the workflow for the user’s login input.

On a native Android application, an HTTP request running asynchronously in the background cannot carry the flow from start to finish, since at some point the user must enter credentials on the Google authentication web page. To handle that step we embed a WebView within the application.
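As an added illustration of the workflow listed above and of the WebView step it requires (this is example code written for this page, not code from the original post or from the infospace library), here is a minimal Android WebViewClient that loads the authentication URL, intercepts the redirect back to the app’s callback, checks it, and exchanges the short-lived code for refresh and access tokens. The endpoint URLs, client id and secret, redirect URI, scope, the TokenListener interface and the state check are all assumptions for the sake of the example; the real endpoints and parameters come from the service’s developer documentation.

```java
import android.net.Uri;
import android.os.AsyncTask;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import org.json.JSONObject;
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.math.BigInteger;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.security.SecureRandom;

// Hypothetical client, not the infospace library's code. Endpoints, client settings
// and scope below are placeholders; the real values come from the service's docs.
public class OAuth2WebViewClient extends WebViewClient {
    private static final String AUTH_URL = "https://service.invalid/oauth2/auth";
    private static final String TOKEN_URL = "https://service.invalid/oauth2/token";
    private static final String CLIENT_ID = "YOUR_CLIENT_ID";
    private static final String CLIENT_SECRET = "YOUR_CLIENT_SECRET";
    private static final String REDIRECT_URI = "http://localhost/oauth2/callback";

    public interface TokenListener {
        void onTokens(String accessToken, String refreshToken);
        void onError(String reason);
    }

    // Random one-time value bound to this login attempt. The callback must echo it,
    // so a redirect the app did not initiate cannot inject a code.
    private final String expectedState = new BigInteger(130, new SecureRandom()).toString(32);
    private final TokenListener listener;

    public OAuth2WebViewClient(TokenListener listener) { this.listener = listener; }

    // Workflow steps 2-3: build the authentication URL and load it into the WebView.
    public void startLogin(WebView webView) {
        webView.setWebViewClient(this);
        webView.loadUrl(AUTH_URL + "?response_type=code"
                + "&client_id=" + enc(CLIENT_ID)
                + "&redirect_uri=" + enc(REDIRECT_URI)
                + "&scope=" + enc("read")
                + "&state=" + enc(expectedState));
    }

    // Workflow steps 6-7: catch the redirect to our callback and pull the code out of it.
    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        // Google/Feedly login pages: let the WebView render them as usual.
        if (!url.startsWith(REDIRECT_URI)) return false;
        Uri uri = Uri.parse(url);
        String error = uri.getQueryParameter("error");
        String code = uri.getQueryParameter("code");
        if (error != null) {
            listener.onError(error); // user declined, or the service rejected the request
        } else if (code == null || !expectedState.equals(uri.getQueryParameter("state"))) {
            listener.onError("callback is missing the code or carries a mismatched state");
        } else {
            exchangeCode(code);
        }
        return true; // consumed: the callback URL itself is never rendered
    }

    // Workflow step 8: trade the short-lived code for refresh and access tokens, off the UI thread.
    private void exchangeCode(final String code) {
        new AsyncTask<Void, Void, JSONObject>() {
            @Override
            protected JSONObject doInBackground(Void... unused) {
                try {
                    HttpURLConnection conn = (HttpURLConnection) new URL(TOKEN_URL).openConnection();
                    conn.setRequestMethod("POST");
                    conn.setDoOutput(true);
                    conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
                    String body = "grant_type=authorization_code&code=" + enc(code)
                            + "&client_id=" + enc(CLIENT_ID)
                            + "&client_secret=" + enc(CLIENT_SECRET)
                            + "&redirect_uri=" + enc(REDIRECT_URI);
                    OutputStream out = conn.getOutputStream();
                    out.write(body.getBytes("UTF-8"));
                    out.close();
                    BufferedReader in = new BufferedReader(new InputStreamReader(conn.getInputStream(), "UTF-8"));
                    StringBuilder sb = new StringBuilder();
                    for (String line; (line = in.readLine()) != null; ) sb.append(line);
                    in.close();
                    return new JSONObject(sb.toString());
                } catch (Exception e) {
                    return null; // network or parse failure; reported in onPostExecute
                }
            }

            @Override
            protected void onPostExecute(JSONObject json) {
                if (json == null || !json.has("access_token")) {
                    listener.onError("token exchange failed");
                } else {
                    listener.onTokens(json.optString("access_token"), json.optString("refresh_token"));
                }
            }
        }.execute();
    }

    private static String enc(String s) {
        try { return URLEncoder.encode(s, "UTF-8"); }
        catch (java.io.UnsupportedEncodingException e) { throw new IllegalStateException(e); }
    }
}
```

Two checks here go slightly beyond the bullet list: the redirect is only accepted when its URL starts with the registered callback, and the `state` value generated for this login must come back unchanged, so a redirect the app did not initiate cannot hand it a code. `shouldOverrideUrlLoading` returns true for the callback so the WebView never renders it, and the token exchange runs off the UI thread. The tokens handed to `onTokens` belong in the app’s private storage for later API calls, the way the library’s fragment saves them, and should never end up in logs.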

We recently went through the exercise of putting together a proof-of-concept Android application that leveraged the Feedly API. While doing so we noticed that the authentication piece is fairly boilerplate code and follows the workflow of many other OAuth2-exposed APIs.

If you wish to view our implementation, or use it in your Android application as a library project, the code is available here:

https://github.com/infospace/android_oauth2_webview

As we want to provide a high level of device coverage, we used the compatibility-library fragments. There is also a framework in place for building calls to the various Feedly API methods; see com.infospace.feedly.requests.RetrieveSubscriptionsRequests.java in the GitHub repo for reference if you wish to create more Feedly API requests.

Simply import the Android library project to integrate it with your existing Fragment-based Android project. When you wish to display the authentication portion, initialize the helper classes on activity start and then push the fragment. Once the user authenticates, the fragment automatically saves the refresh/access tokens for further use within the application.

If you have any questions please leave a comment!

Android and Google are trademarks of Google Inc.
