Using Android AccountManager to authenticate users for a server
I'm writing an Android application which has a server connection. I would like to authenticate the app's user on the Android device and let the server know this has been done.
Assuming the user has:
- entered his/her credentials in the Android device for Google and Facebook (these are the ones I'm currently interested in)
- allowed the application to use the stored credentials on the Android device
- the application acquired the details (account user and token) from Android's AccountManager successfully
I would like now to correctly and securely let the server know the app on the device has authenticated the user. How can the server validate that this isn't bogus? Is there a way to validate a token with Google and Facebook on a server without requiring user interaction?
You should take a look at this question: Generating Device-Specific Serial Number
You can take the account name based on the service it uses, like:
import android.accounts.Account;
import android.accounts.AccountManager;

// Needs <uses-permission android:name="android.permission.GET_ACCOUNTS" /> in the manifest
AccountManager am = AccountManager.get(this); // "this" references the current Context
Account[] accounts = am.getAccountsByType("com.google"); // all Google accounts on the device
But you must declare it in the manifest and ask the user to approve the permission.
Although it might not be a good idea to save your retrieved token or transmit it to your server, there might be other ways to let your server know that the authentication has completed.
It might not be a foolproof method, but depending on your use case, it might work.
The AccountManagerFuture interface has a callback isDone(), which says that now you can retrieve your token. That essentially means that the authentication has happened, after the user has given permission for your app to use a specific account.
Otherwise, if you are using AccountManagerCallback in your code, you can know, in code, that authentication has happened right after you try to retrieve the token for the account.
In either of these cases, you would then have to make a call to your server, letting it know that authentication has happened. I don't really know if you need to send the token to your server as well, but if you wish, I guess you could do that.
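If the app does send the token along, the server can answer the question's "how can the server validate that this isn't bogus?" by asking the identity provider about it, with no user interaction. The example below is added here and is not code from the question or either answer. It uses Google's tokeninfo endpoint and Facebook's debug_token endpoint (both real), but the client ids, app id and app secret are placeholders, and the provider responses it runs against are constructed so the checks execute offline; swap in the default fetcher for a real deployment. The security-relevant check is the audience (`aud` / `app_id`): a token that is genuinely valid but was issued to some other application must still be rejected, or any token leaked from any app could be replayed against this server.

```python
"""Server-side validation of an access token the Android app obtained via
AccountManager. Added example; not from the original post or answers."""
import json
import urllib.parse
import urllib.request

# Placeholders (assumptions): the client id(s) registered for the Android app
# with Google, and the app id / app secret registered with Facebook.
OUR_GOOGLE_CLIENT_IDS = {"123456789012-abc.apps.googleusercontent.com"}
OUR_FB_APP_ID = "123456789012345"
OUR_FB_APP_SECRET = "fb-app-secret-placeholder"


def http_get_json(url):
    """Default fetcher: real HTTPS GET, body parsed as JSON (raises HTTPError on 4xx)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def verify_google_token(access_token, fetch=http_get_json):
    """Return Google's stable user id ('sub') if the token is live AND was issued
    to one of our client ids; otherwise None."""
    url = "https://oauth2.googleapis.com/tokeninfo?" + urllib.parse.urlencode(
        {"access_token": access_token})
    try:
        info = fetch(url)
    except Exception:
        return None  # provider answered 4xx (invalid token) or is unreachable
    if "error" in info:
        return None
    # Audience check: a valid token issued to another app must not log anyone in here.
    if info.get("aud") not in OUR_GOOGLE_CLIENT_IDS:
        return None
    if int(info.get("expires_in", "0")) <= 0:
        return None
    return info.get("sub")


def verify_facebook_token(input_token, fetch=http_get_json):
    """Return the Facebook user id if the token is valid AND belongs to our app."""
    url = "https://graph.facebook.com/debug_token?" + urllib.parse.urlencode(
        {"input_token": input_token,
         "access_token": f"{OUR_FB_APP_ID}|{OUR_FB_APP_SECRET}"})  # app access token
    try:
        data = fetch(url).get("data", {})
    except Exception:
        return None
    if not data.get("is_valid") or data.get("app_id") != OUR_FB_APP_ID:
        return None
    return data.get("user_id")


# ---- constructed provider responses (not real data) so the checks run offline ----
GOOGLE_OK = {"aud": "123456789012-abc.apps.googleusercontent.com",
             "sub": "110169484474386276334", "scope": "openid email", "expires_in": "3599"}
GOOGLE_OTHER_APP = dict(GOOGLE_OK, aud="999-zzz.apps.googleusercontent.com")
FB_OK = {"data": {"app_id": OUR_FB_APP_ID, "type": "USER", "is_valid": True,
                  "user_id": "100001234567890"}}
FB_EXPIRED = {"data": {"app_id": OUR_FB_APP_ID, "is_valid": False, "error": {"code": 190}}}


def canned_fetch(table):
    """Build a fetcher that answers from {user_token: response} the way the endpoints do."""
    def fetch(url):
        qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
        user_token = (qs.get("input_token") or qs.get("access_token"))[0]
        if user_token not in table:
            raise ValueError("HTTP 400: invalid token")  # mimics urlopen raising on a 400
        return table[user_token]
    return fetch


def demo():
    fetch = canned_fetch({"g-good": GOOGLE_OK, "g-other-app": GOOGLE_OTHER_APP,
                          "fb-good": FB_OK, "fb-expired": FB_EXPIRED})
    return {
        "google_ok": verify_google_token("g-good", fetch),
        "google_other_app": verify_google_token("g-other-app", fetch),
        "google_garbage": verify_google_token("made-up", fetch),
        "facebook_ok": verify_facebook_token("fb-good", fetch),
        "facebook_expired": verify_facebook_token("fb-expired", fetch),
    }


if __name__ == "__main__":
    print(demo())
```

The id the provider returns (`sub` or `user_id`) is what the server should key its own session on; the token itself should be treated as short-lived and never stored as the user's identity.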
There are a few ways to do this while attempting to make sure it's not 'bogus'. One, on initial authentication (where you get the user's account info), get their device ID as well as their location (not a precise location, but using their IP address you can get a region of sorts). That way, if someone were trying to authenticate with false credentials, it would stop them. I recommend letting the actual user know that someone is attempting to do this by sending them an email. You could also, on initial authentication, have the user set up a PIN or password, which is then saved on the device. Send a hashed version of the PIN to the server and check that every time the user authenticates.
I could be completely off from what you're trying to accomplish, as the description is more pseudo than anything, but I hope this helped.
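The server side of the scheme in the answer above (remember the device ID and coarse region seen at enrolment, have the user set a PIN, check a PIN-derived value on every later login, and notify the owner on mismatch), as an added example that is not code from the answer. Whatever the device sends as the PIN secret (the PIN or a client-side hash of it) is treated as a password: the server stores only a salted PBKDF2 verifier, compares in constant time, and locks the account after a few failures, because a 4-to-6 digit PIN is trivially brute-forced otherwise. All device ids, regions and PINs here are constructed sample data; the "email" is modelled as a list of alert messages.

```python
"""Enrolment and re-authentication check for the device-ID + region + PIN scheme.
Added example; standard library only; all data constructed."""
import hashlib
import hmac
import os
import time

PBKDF2_ROUNDS = 100_000
MAX_FAILURES = 5          # short numeric PINs must be rate-limited
LOCKOUT_SECONDS = 15 * 60


class DeviceRegistry:
    """Per-user record of the enrolled device, region and PIN verifier."""

    def __init__(self):
        self._records = {}   # user_id -> dict
        self._alerts = []    # messages that would be e-mailed to the account owner

    @staticmethod
    def _derive(pin_secret, salt):
        return hashlib.pbkdf2_hmac("sha256", pin_secret.encode(), salt, PBKDF2_ROUNDS)

    def enroll(self, user_id, device_id, region, pin_secret):
        """Called once, right after the provider-backed sign-in succeeded."""
        salt = os.urandom(16)
        self._records[user_id] = {
            "device_id": device_id,
            "region": region,
            "salt": salt,
            "pin_verifier": self._derive(pin_secret, salt),  # never the PIN itself
            "failures": 0,
            "locked_until": 0.0,
        }

    def authenticate(self, user_id, device_id, region, pin_secret, now=None):
        """Return (ok, reason). Failures are counted; mismatches raise an alert."""
        now = time.time() if now is None else now
        rec = self._records.get(user_id)
        if rec is None:
            return False, "unknown user"
        if now < rec["locked_until"]:
            return False, "locked out"
        # Constant-time compare so response timing does not leak matching bytes.
        pin_ok = hmac.compare_digest(self._derive(pin_secret, rec["salt"]),
                                     rec["pin_verifier"])
        if not pin_ok:
            rec["failures"] += 1
            if rec["failures"] >= MAX_FAILURES:
                rec["locked_until"] = now + LOCKOUT_SECONDS
                self._alerts.append(f"{user_id}: PIN lockout from device {device_id} ({region})")
            return False, "bad pin"
        rec["failures"] = 0
        if device_id != rec["device_id"] or region != rec["region"]:
            self._alerts.append(f"{user_id}: login from unfamiliar device {device_id} ({region})")
            return False, "new device or region; owner notified"
        return True, "ok"

    def alerts(self):
        return list(self._alerts)


def demo():
    """Constructed walk-through: enrol, log in, then attempt from another device."""
    reg = DeviceRegistry()
    reg.enroll("alice", "device-A", "DE", "4821")
    same = reg.authenticate("alice", "device-A", "DE", "4821", now=1000.0)
    other = reg.authenticate("alice", "device-B", "US", "4821", now=1001.0)
    return {"same_device": same, "other_device": other, "alerts": reg.alerts()}


if __name__ == "__main__":
    print(demo())
```

Note that this only raises the bar for someone who has stolen credentials; the device ID and IP-derived region are both reported by the client and can be spoofed, which is why the PIN is the part that actually has to be verified server-side.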