Everything about token authentication and how to implement it in Android: Part 1

Clint Paul
6 min read · Feb 21, 2020

What are Access Tokens?

I came across the term 'access token' for the very first time while using the Facebook SDK for social login. At first it was hard for me to understand why we developers put so much effort into attaching this 'useless' token to every API call. Then, as we grow as developers, we start caring about the security of whatever application, website or other software we are working on. Let me put it this way. I presume everyone has watched at least one Harry Potter movie. The common rooms at Hogwarts have a password, and only the members of that house know their common room's password. Token authentication works the same way: present the correct access token, and the protected APIs open up for you.
Wikipedia says an access token is an object encapsulating the security identity of a process or thread, used to make security decisions and to store tamper-proof information about some system entity. That definition describes the operating-system kind of token (the one a Windows process carries). The kind this article is about is the web API kind: a credential the server hands out after you have authenticated, which the client then presents on every subsequent request to prove which user it is acting for.


Why should you use token authentication?

Estimates put the number of apps on an average smartphone somewhere between 60 and 90, and most of the ones that talk to a backend rely on an access token of some kind to protect their APIs. Many of them obtain that token through OAuth 2.0, an authorization framework we will get into later; token authentication itself is the broader idea, and OAuth 2.0 is one widely used way of issuing the tokens. If you look closely, any application that keeps a user session tends to implement this token authentication mechanism. Sensitive applications such as banking apps, UPI apps and social media apps hold a huge amount of personal data about their users, and if it gets into the wrong hands, say a hacker's, he can abuse that data for his own gain. Take the Instagram application as an example. What if Instagram were free of token authentication, and there were an API called getUserDetails() that took a username as its only parameter? I could simply call the API from a web browser or Postman and pull millions of users' data in one click. Note that a token only fixes half of that problem: the server must also check that the user the token belongs to is allowed to see the record for that username, otherwise any logged-in user could still walk through everyone else's data.


Enter token authentication. Now no hacker or other intruder can get through your APIs unless he presents a valid access token. The catch is that an access token is a bearer credential: whoever holds it is the user, as far as the server is concerned. So if he gets his hands on the access token as well, the token alone no longer protects you, and we will have to look for a stronger security structure. Let's talk about that later.

How to implement token authentication?

Think of three users: Harry, Ron and Hermione. Each of them logs into their Hogwarts account by calling the API login() with their username and password. If the username and password are correct, the API gives a positive response and, along with it, a string called 'access_token'. The server generates that token for this particular login session, either as a long random string it remembers (an opaque token) or as a signed token such as a JWT that carries the username inside it; what it must never be is something derived from the password itself. So every access token is unique. Harry's access token is different from Ron's, and both are entirely different from Hermione's. Now Harry can search for the latest Quidditch match fixtures using the API getQuidditchMatchFixtures(), Ron can look up how to pronounce the spells the right way using getSpells(), and of course Hermione can read all the books using getBooks(), each of them attaching their own token to the call. A different access token is generated if they log out of the app and log in again.

Could Lord Voldemort recreate or fabricate such a token? If the token is long enough and truly random (say 256 bits), or signed with a key only the server holds, guessing it is not merely difficult but hopeless, even for the greatest wizard of all time. What he can do is steal one: sniff it off an unencrypted connection, read it from a compromised phone, or find it in a log file. We have to make Voldemort's life difficult at any cost. If the records say it takes him about 5 minutes to get hold of a token and put it to use, then it's trouble. Well, what Voldemort doesn't know is that we can set an expiry time on all these access tokens, and we are going to set that expiry time to 4 minutes. Now, that is a brilliant move. By the time Voldemort has the access token, it is useless. Expiry shrinks the window in which a stolen token is any good; it does not stop the theft itself, which is a job for TLS and safe storage on the device. Now pat yourself on the back. You have just beaten the Dark Lord. Good job.


How to refresh the access token?

Since you have set a limited lifetime for the access tokens, they expire after that time. Just like Voldemort, Harry, Ron and Hermione won't be able to use the Hogwarts app until they get a fresh access token. How are you planning to regenerate it? The easiest way is to prompt your users to log in again. But do you think it is advisable to ask Hermione to log in again when she is halfway through her book? I prefer not. At the end of the day, user experience matters, and your users need not know you are fighting You-Know-Who. Don't worry, we have a solution for that as well: another API, called getrefreshToken(). When you know your access token has expired (the server will typically answer the stale call with a 401 Unauthorized), you simply call getrefreshToken() with a parameter, refresh_token.


Wait… so now there is another API called getrefreshToken()? Seriously? I'm done. I'm out of here. That is probably what you are thinking. I know that feeling. Been there, done that. Hang in there for a bit; we will get to it. Earlier, when we logged into the app with the username and password, we only got a positive response with the access_token. Now we get one more string along with the access_token. It's called refresh_token. Take a wild guess. Yes, you are correct: we use this refresh_token to call the API getrefreshToken(), and that API gives us a fresh access_token and a fresh refresh_token. The refresh token typically lives much longer than the access token (days or weeks rather than minutes), which is exactly why it is never sent with ordinary API calls and has to be stored more carefully than the access token.

Explaining it one more time. You call the API login() and get an access_token and a refresh_token. After the set expiry time the access_token expires and you need a new one to keep using the app. Since you are an amazing developer who cares about your users, you don't make them log in again. Instead, you call getrefreshToken() with the refresh_token (the one you got from login()) and receive a new access_token and a new refresh_token. That access_token will also expire after the set time. What do you do then? Call getrefreshToken() with the latest refresh_token and you get yet another access_token and refresh_token. This loop continues until the user decides to log out, or until the refresh token itself expires or is revoked by the server, at which point the user really does have to log in again. One consequence of handing out a new refresh_token on every call: once a refresh has succeeded, the previous refresh_token must stop working on the server, so a copy that leaked earlier is worthless.
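The issue, expire, refresh and authorize flow described in the last three sections, as an added example that is not the article's code (Part 2 does the Android side in Kotlin and Retrofit; this is a Python simulation of both sides in one process so the protocol can be run and checked offline). It goes a little beyond the text: tokens are random and unrelated to the password, the refresh token is rotated and the old one revoked on every refresh, the server stores only salted PBKDF2 hashes of passwords, and getUserDetails() checks authorization as well as authentication, so a token holder cannot read other users' records. The names AuthServer, AppClient and Session, the 30-day refresh lifetime, the PBKDF2 work factor and the user data are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Union

ACCESS_TTL = 4 * 60            # seconds: the article's 4-minute access token
REFRESH_TTL = 30 * 24 * 3600   # assumption: refresh tokens live 30 days
PBKDF2_ROUNDS = 100_000        # assumption: password-hash work factor


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2: the server keeps this, never the plaintext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Session:
    username: str
    access_token: str
    access_expires: float
    refresh_token: str
    refresh_expires: float


class AuthServer:
    def __init__(self, users: Dict[str, str], clock=time.time):
        # users: username -> plaintext password (constructed test data); only
        # salt + hash are kept. clock is injectable so expiry can be tested.
        self._creds = {}
        for name, pw in users.items():
            salt = secrets.token_bytes(16)
            self._creds[name] = (salt, hash_password(pw, salt))
        self._clock = clock
        self._by_access: Dict[str, Session] = {}
        self._by_refresh: Dict[str, Session] = {}

    def login(self, username: str, password: str) -> Optional[Session]:
        rec = self._creds.get(username)
        if rec is None:
            return None
        salt, stored = rec
        if not hmac.compare_digest(stored, hash_password(password, salt)):
            return None
        return self._issue(username)

    def _issue(self, username: str) -> Session:
        # 256-bit random opaque tokens, unrelated to the password: guessing one
        # is hopeless. Expiry limits the damage of a *stolen* token instead.
        now = self._clock()
        s = Session(username,
                    secrets.token_urlsafe(32), now + ACCESS_TTL,
                    secrets.token_urlsafe(32), now + REFRESH_TTL)
        self._by_access[s.access_token] = s
        self._by_refresh[s.refresh_token] = s
        return s

    def authenticate(self, access_token: str) -> Optional[str]:
        """Username behind a live access token, or None if unknown/expired."""
        s = self._by_access.get(access_token)
        if s is None or self._clock() >= s.access_expires:
            return None
        return s.username

    def refresh(self, refresh_token: str) -> Optional[Session]:
        """getrefreshToken(): rotate both tokens; the old pair stops working."""
        s = self._by_refresh.pop(refresh_token, None)
        if s is None or self._clock() >= s.refresh_expires:
            return None
        self._by_access.pop(s.access_token, None)
        return self._issue(s.username)

    def get_user_details(self, access_token: str, username: str) -> Union[int, dict]:
        """The Instagram-style endpoint. A valid token is necessary but not
        sufficient: the caller must also be allowed to read this record."""
        caller = self.authenticate(access_token)
        if caller is None:
            return 401              # missing/expired token: client should refresh
        if caller != username:
            return 403              # authenticated, but not this user's data
        return {"username": username}


class AppClient:
    """Client side: attach the access token, refresh on 401, retry once."""
    def __init__(self, server: AuthServer, username: str, password: str):
        self.server = server
        self.session = server.login(username, password)

    def fetch_user_details(self, username: str):
        if self.session is None:
            return "login required"
        result = self.server.get_user_details(self.session.access_token, username)
        if result == 401:
            renewed = self.server.refresh(self.session.refresh_token)
            if renewed is None:     # refresh token expired or revoked: back to login()
                self.session = None
                return "login required"
            self.session = renewed
            result = self.server.get_user_details(self.session.access_token, username)
        return result
```

The only API names taken from the text are login(), getrefreshToken() (here refresh()) and getUserDetails() (here get_user_details()); the integers 401 and 403 stand in for the HTTP status codes a real backend would return. Injecting clock lets you advance time and watch the access token die while the refresh token still works, and then watch the refresh token die too, which is the point at which the client has no choice but to send the user back to login().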


What’s next?

I'm sorry guys, that's a bit too much theory, I know. No more theory, I promise. Next I'll bore you to death with the programming part, where the actual work happens: implementing this on Android using the Retrofit library, with the code written in Kotlin. After reading this, if you feel I missed an important part, or messed something up, please do comment. If you liked it, share it with your fellow wizards. The next part will be here in no time. Happy coding, people.

Originally published at http://ducttapeprogrammer.wordpress.com on February 21, 2020.


Clint Paul

Software Engineer @ShareChat. I love to read and write.