Google Play services and OAuth Identity Tools

Posted by Tim Bray

The rollout of Google Play services to all Android 2.2+ devices worldwide is now complete, and all of those devices now have new tools for working with OAuth 2.0 tokens. This is an example of the kind of agility in rolling out new platform capabilities that Google Play services provides.

Why OAuth 2.0 Matters

The Internet already has too many usernames and passwords, and they don’t scale. Furthermore, your Android device has a strong notion of who you are. In this situation, the industry consensus is that OAuth 2.0 is a good choice for the job, offering the promise of strong security minus passwords.

Google Play services makes OAuth 2.0 authorization available to Android apps that want to access Google APIs, with a good user experience and security.

Typically, when you want your Android app to use a Google account to access something, you have to pick which account on the device to use, then you have to generate an OAuth 2.0 token, then you have to use it in your HTTP-based dialogue with the resource provider.

These tasks are largely automated for you if you’re using a recent release of the Google APIs Client Library for Java; the discussion here applies if you want to access the machinery directly, for example in sending your own HTTP GETs and POSTs to a RESTful interface.

Preparation

Google Play services has just started rolling out, and even after the rollout is complete, will only be available on compatible Android devices running 2.2 or later. This is the vast majority, but there will be devices out there where it’s not available. It is also possible for a user to choose to disable the software.

For these reasons, before you can start making calls, you have to verify that Google Play services is installed. To do this, call isGooglePlayServicesAvailable(). The result codes, and how to deal with them, are documented in the ConnectionResult class.

Choosing an Account

This is not, and has never been, rocket science; there are many examples online that retrieve accounts from Android’s AccountManager and display some sort of pick list. The problem is that they all have their own look and feel, and for something like this, which touches on security, that’s a problem; the user has the right to expect consistency from the system.

Now you can use the handy AccountPicker.newChooseAccountIntent() method to give you an Intent; feed it to startActivityForResult() and you’ll launch a nice standardized user experience that will return you an account (if the user feels like providing one).

Two things to note: When you’re talking to these APIs, they require a Google account (AccountManager can handle multiple flavors), so specify GoogleAuthUtil.GOOGLE_ACCOUNT_TYPE as the value for the allowableAccountTypes argument. Second, you don’t need an android.accounts.Account object; you just use the email-address string (available in account.name) that uniquely identifies it.
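Here is how the two preparatory steps fit together in one Activity: the Play services check from the Preparation section, and then the standard account chooser restricted to Google accounts, keeping only the e-mail string. This is an added example, not code from the post or from the sample library it describes; the request codes, the onAccountChosen() hook and the class name are my own choices.

```java
// Added example (not from the original post): verify Google Play services is
// present, then launch the standard account chooser and keep only the
// account's e-mail address. Request codes and onAccountChosen() are assumed names.
import android.accounts.AccountManager;
import android.app.Activity;
import android.app.Dialog;
import android.content.Intent;
import android.os.Bundle;

import com.google.android.gms.auth.GoogleAuthUtil;
import com.google.android.gms.common.AccountPicker;
import com.google.android.gms.common.ConnectionResult;
import com.google.android.gms.common.GooglePlayServicesUtil;

public class ChooseAccountActivity extends Activity {
    private static final int REQ_PLAY_SERVICES = 1000; // assumed request codes
    private static final int REQ_PICK_ACCOUNT = 1001;
    private static final String KEY_EMAIL = "email";

    private String email; // the e-mail address is all we need to keep

    @Override
    protected void onCreate(Bundle saved) {
        super.onCreate(saved);
        if (saved != null) email = saved.getString(KEY_EMAIL);
    }

    @Override
    protected void onResume() {
        super.onResume();
        // Re-check on every resume: the user may just have installed or enabled it.
        if (!checkPlayServices()) return;
        if (email == null) pickAccount();
    }

    @Override
    protected void onSaveInstanceState(Bundle out) {
        super.onSaveInstanceState(out);
        out.putString(KEY_EMAIL, email);
    }

    // Any result code other than SUCCESS means the auth APIs must not be called yet.
    private boolean checkPlayServices() {
        int code = GooglePlayServicesUtil.isGooglePlayServicesAvailable(this);
        if (code == ConnectionResult.SUCCESS) return true;
        if (GooglePlayServicesUtil.isUserRecoverableError(code)) {
            // Missing, disabled or out of date: the library supplies the right dialog.
            Dialog d = GooglePlayServicesUtil.getErrorDialog(code, this, REQ_PLAY_SERVICES);
            if (d != null) d.show();
        } else {
            // Incompatible device: nothing the user can do, so stop here.
            finish();
        }
        return false;
    }

    // Only Google accounts work with these APIs, so restrict the chooser to that type.
    private void pickAccount() {
        Intent intent = AccountPicker.newChooseAccountIntent(
                null,                                               // no preselected account
                null,                                               // no allow-list of accounts
                new String[] { GoogleAuthUtil.GOOGLE_ACCOUNT_TYPE }, // allowableAccountTypes
                false,                                              // don't force the prompt
                null, null, null, null);
        startActivityForResult(intent, REQ_PICK_ACCOUNT);
    }

    @Override
    protected void onActivityResult(int request, int result, Intent data) {
        super.onActivityResult(request, result, data);
        if (request == REQ_PICK_ACCOUNT) {
            if (result == RESULT_OK && data != null) {
                email = data.getStringExtra(AccountManager.KEY_ACCOUNT_NAME);
                onAccountChosen(email);
            } else {
                // The user declined; do not fall back to a home-grown picker.
                finish();
            }
        }
        // REQ_PLAY_SERVICES needs no handling: onResume() re-runs the check.
    }

    // Hook for the rest of the app (assumed name); the token step comes next.
    protected void onAccountChosen(String accountName) { }
}
```

Storing the e-mail in the saved instance state matters because the chooser is a separate Activity, and yours may be destroyed and recreated while it is showing.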

Getting a Token

There’s really only one method call you need to use, GoogleAuthUtil.getToken(). It takes three arguments: a Context, an email address, and another string argument called scope. Every information resource that is willing to talk OAuth 2.0 needs to publish which scope (or scopes) it uses. For example, to access the Google+ API, the scope is oauth2:https://www.googleapis.com/auth/plus.me. You can provide multiple space-separated scopes in one call and get a token that provides access to all of them. Code like this might be typical:


In an ideal world, getToken() would be synchronous, but three things keep it from being that simple:

  1. The first time an app asks for a token to access some resource, the system will need to interact with the user to make sure they’re OK with that.
  2. Any time you ask for a token, the system may well have a network conversation with the identity back-end services.
  3. The infrastructure that handles these requests may be heavily loaded and not able to get you your token right away. Rather than keeping you waiting, or just failing, it may ask you to go away and come back a little later.

The first consequence is obvious; you absolutely can’t call getToken() on the UI thread, since it’s subject to unpredictable delays.

When you call it, the following things can happen:

  • It returns a token. That means that everything went fine, the back-end thinks the authorization was successful, and you should be able to proceed and use the token.
  • It throws a UserRecoverableAuthException, which means that you need to interact with the user, most likely to ask for their approval on using their account for this purpose. The exception has a getIntent() method, whose return value you can feed to startActivityForResult() to take care of that. Of course, you’ll need to be watching for the OK in the onActivityResult() method.
  • It throws an IOException, which means that the authorization infrastructure is stressed, or there was a (not terribly uncommon on mobile devices) networking error. You shouldn’t give up instantly, because a repeat call might work. On the other hand, if you go back instantly and pester the server again, results are unlikely to be good. So you need to wait a bit; best practice would be the classic exponential-backoff pattern.
  • It throws a GoogleAuthException, which means that authorization just isn’t going to happen, and you need to let your user down politely. This can happen if an invalid scope was requested, or the account for the email address doesn’t actually exist on the device.
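The four outcomes above, handled off the UI thread, as an added example (this is not the post's AuthorizedActivity nor any code from the sample library). The scope, request code, retry limits and the Callback interface are my own assumptions; the catch order matters because UserRecoverableAuthException is a subclass of GoogleAuthException.

```java
// Added example (not the post's AuthorizedActivity): fetch a token off the UI
// thread and map the three exception outcomes to the actions the text lists.
// Scope, request code, retry limits and the Callback hooks are assumed.
import android.app.Activity;
import android.content.Intent;
import android.os.AsyncTask;
import android.os.SystemClock;
import android.util.Log;

import com.google.android.gms.auth.GoogleAuthException;
import com.google.android.gms.auth.GoogleAuthUtil;
import com.google.android.gms.auth.UserRecoverableAuthException;

import java.io.IOException;
import java.util.Random;

public class TokenFetcher {
    private static final String TAG = "TokenFetcher";
    private static final String SCOPE = "oauth2:https://www.googleapis.com/auth/plus.me";
    private static final int REQ_USER_AUTH = 2001;   // assumed request code
    private static final int MAX_ATTEMPTS = 5;
    private static final long BASE_DELAY_MS = 1000;
    private final Random random = new Random();

    public interface Callback {
        void onToken(String token);
        void onFailed(String reason);
    }

    // Never call getToken() on the UI thread: it may block on the network or the user.
    public void fetch(final Activity activity, final String email, final Callback cb) {
        new AsyncTask<Void, Void, Object>() {
            @Override
            protected Object doInBackground(Void... unused) {
                long delay = BASE_DELAY_MS;
                for (int attempt = 1; attempt <= MAX_ATTEMPTS; attempt++) {
                    try {
                        return GoogleAuthUtil.getToken(activity, email, SCOPE);
                    } catch (UserRecoverableAuthException e) {
                        return e;   // the user must approve first; retrying won't help
                    } catch (IOException e) {
                        // Transient (network or loaded back-end): exponential backoff
                        // with jitter, so a fleet of clients doesn't retry in lockstep.
                        Log.w(TAG, "getToken attempt " + attempt + " failed", e);
                        if (attempt == MAX_ATTEMPTS) return e;
                        SystemClock.sleep(delay + random.nextInt((int) delay));
                        delay *= 2;
                    } catch (GoogleAuthException e) {
                        return e;   // permanent: bad scope, unknown account, etc.
                    }
                }
                return new IOException("gave up after " + MAX_ATTEMPTS + " attempts");
            }

            @Override
            protected void onPostExecute(Object outcome) {
                if (outcome instanceof String) {
                    cb.onToken((String) outcome);
                } else if (outcome instanceof UserRecoverableAuthException) {
                    // Hand the Intent to the Activity; watch for RESULT_OK in
                    // onActivityResult() and call fetch() again afterwards.
                    Intent intent = ((UserRecoverableAuthException) outcome).getIntent();
                    activity.startActivityForResult(intent, REQ_USER_AUTH);
                } else if (outcome instanceof IOException) {
                    cb.onFailed("network or service unavailable; try again later");
                } else {
                    cb.onFailed("authorization not possible: " + outcome);
                }
            }
        }.execute();
    }
}
```

Note that the backoff loop only covers IOException; the user-approval and permanent-failure cases return immediately, since repeating the call would just re-raise the same exception.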

Here’s some sample code:


This is from a sample library I’ve posted on code.google.com with an AuthorizedActivity class that implements this. We think that some of this authorization behavior is going to be app-specific, so it’s not clear that this exact AuthorizedActivity recipe is going to work for everyone; but it’s Apache2-licensed, so feel free to use any pieces that work for you. It’s set up as a library project, and there’s also a small sample app called G+ Snowflake that uses it to return some statistics about your Google+ posts; the app is in the Google Play Store and its source is online too.

Registering Your App

Most services that do OAuth 2.0 authorization want you to register your app, and Google’s are no exception. You need to visit the Google APIs Console, create a project, pick the APIs you want to access off the Services menu, and then hit the API Access tab to do the registration. It’ll want you to enter your package name; the value of the package attribute of the manifest element in your AndroidManifest.xml.

Also, it’ll want the SHA1 signature of the certificate you used to sign your app. Anyone who’s published apps to Google Play knows about keystores and signing. But before you get there, you’ll be working with your debug-version apps, which are signed with a certificate living in ~/.android/debug.keystore (password: “android”). Fortunately, your computer probably already has a program called “keytool” installed; you can use this to get the signature. For your debug version, a correct incantation is:

This will print out the SHA1 signature in a nicely labeled, easy-to-cut-and-paste form.
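If you want to see what that fingerprint actually is, rather than treating keytool as a black box, here is an added example (not from the post) that loads the debug keystore and computes the same value: SHA-1 over the DER-encoded signing certificate, printed as colon-separated hex pairs the way keytool prints it. The keystore path and password are the ones the post gives; the alias androiddebugkey is the Android SDK's standard debug alias and is assumed here.

```java
// Added example (not from the post): compute the SHA1 fingerprint the APIs
// Console asks for, directly from the debug keystore. Runs on a desktop JVM.
// Path and password are from the post; the alias is assumed (SDK default).
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;

public class DebugCertFingerprint {
    static final String KEYSTORE = System.getProperty("user.home") + "/.android/debug.keystore";
    static final String ALIAS = "androiddebugkey";          // assumed: the SDK's debug alias
    static final char[] PASSWORD = "android".toCharArray(); // debug keystore password

    // SHA-1 of the certificate's DER encoding, formatted as AB:CD:... like keytool.
    static String fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-1").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS"); // the debug keystore is a JKS file
        try (InputStream in = new FileInputStream(KEYSTORE)) {
            ks.load(in, PASSWORD);
        }
        Certificate cert = ks.getCertificate(ALIAS);
        if (cert == null) {
            throw new IllegalStateException("no certificate under alias " + ALIAS);
        }
        System.out.println("SHA1: " + fingerprint(cert));
    }
}
```

The value you register is therefore tied to the certificate, not to the key material or the keystore file; a release build signed with a different certificate has a different fingerprint and needs its own registration.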

This may feel a little klunky, but it’s worth it, because some magic is happening. When your app is registered and you generate a token and send it to a service provider, the provider can check with Google, which will confirm that yes, it issued that token, and give the package name of the app it was issued to. Those of you who’ve done this sort of thing previously will be wondering about Client IDs and API Keys, but with this mechanism you don’t need them.

Using Your Token

Suppose you’ve registered your app and called GoogleAuthUtil.getToken() and received a token. For the purposes of this discussion, let’s suppose that it’s “MissassaugaParnassus42”. Then all you need to do is, when you send off an HTTP request to your service provider, include an HTTP header like so:

Authorization: Bearer MissassaugaParnassus42

Then your HTTP GETs and POSTs should Just Work. You should call GoogleAuthUtil.getToken() to get a token before each set of GETs or POSTs; it’s smart about caching things appropriately, and also about dealing with token expiry and refresh.
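Putting the token on the wire, as an added example (not from the post or the sample library): a small HttpURLConnection client that sets the Bearer header, refuses to send the token over anything but https, and treats a 401 as a token the provider no longer accepts, handing it back with GoogleAuthUtil.invalidateToken() so that the next getToken() call returns a fresh one instead of the cached value. The class name, the return convention and the assumption that the caller is already on a background thread are mine.

```java
// Added example (not from the post): attach a token from getToken() as a Bearer
// header, https only, and invalidate it on a 401 so the cache is not reused.
// Must be called from a background thread, like getToken() itself.
import android.content.Context;

import com.google.android.gms.auth.GoogleAuthUtil;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

public class BearerClient {
    private final Context context;

    public BearerClient(Context context) {
        this.context = context.getApplicationContext();
    }

    // Returns the response body, or null when the provider rejected the token
    // (in which case the token has been invalidated and the caller should
    // call getToken() again and retry once).
    public String get(String url, String token) throws IOException {
        URL u = new URL(url);
        if (!"https".equals(u.getProtocol())) {
            // A bearer token is a credential; never send it in the clear.
            throw new IOException("refusing to send a bearer token over " + u.getProtocol());
        }
        HttpURLConnection conn = (HttpURLConnection) u.openConnection();
        try {
            conn.setRequestProperty("Authorization", "Bearer " + token);
            int status = conn.getResponseCode();
            if (status == HttpURLConnection.HTTP_UNAUTHORIZED) {
                // Cached token no longer accepted (expired or revoked): drop it.
                GoogleAuthUtil.invalidateToken(context, token);
                return null;
            }
            if (status != HttpURLConnection.HTTP_OK) {
                throw new IOException("HTTP " + status + " from " + u.getHost());
            }
            return readAll(conn.getInputStream());
        } finally {
            conn.disconnect();
        }
    }

    private static String readAll(InputStream in) throws IOException {
        BufferedReader reader = new BufferedReader(new InputStreamReader(in, "UTF-8"));
        StringBuilder sb = new StringBuilder();
        try {
            String line;
            while ((line = reader.readLine()) != null) {
                sb.append(line).append('\n');
            }
        } finally {
            reader.close();
        }
        return sb.toString();
    }
}
```

Invalidating on 401 is the piece that is easy to forget: getToken() caches, so without it an app can keep re-sending a token the provider has already rejected until the cache entry expires on its own.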

Once again, as I said at the top, if you’re happy using the Google APIs Client Library for Java, it’ll take care of all the client-side stuff; you’ll still need to do the developer console app registration.

Otherwise, there’s a little bit of coding investment here, but the payoff is pretty big: secure, authenticated, authorized service access with a good user experience.
