0

I am creating an Android app that will be using a Django backend, along with the Django Rest Framework. I have been reading the OAuth2 documentation, but am still struggling to understand a few key points about its authentication.

These are my main questions/things I'm struggling with:

  • In OAuth2, I am given the oppurtunity to create 'apps'. Would the 'app' in this case be specific to my Android app (and presumably in the future I would create a different one for a potential iOS app?).

  • Will all users of the (Android) app be using the same token, or is each user granted an individualized token?

  • I am using the Volley library for Android to deal with networking. How do I go about getting the Android app to 'store' the needed credentials? Would I be storing the token, id, and secret, or just the token?

If it is worth noting, I do not plan on adding social media logins (Facebook, Google, etc) I will just have login be with a username and password.

I'm sorry if these questions seem a bit elementary, this is my first experience will authentication of any sort.

Thank you

ethanzh
  • 133
  • 2
  • 5
  • 19

1 Answers1

3

I'll be using the word "app" to mean two different things:

  1. app, to indicate Oauth2 app, which you'll create to register your mobile app(s)

  2. app, to indicate mobile app.

Answer 1:

An app is basically a way of registering a client (in this case, your mobile app) with the resource server (in this case, you Django backend). You can go either ways, creating two separate apps or a single app for your Android and iOS apps. Unless you are not planning to give users of one app some more privileges or features, I don't see benefit in creating two separate apps.

Answer 2:

Each user is granted a different access token.

Answer 3:

You'll have to store client_id and client_secret in some secure way on your mobile app(s). Because that's what will help you gain an access token for a user, in first place. You'll also store access token after obtaining it, because it will be needed in making authenticated HTTP requests.

For more information on Oauth2 Protocol in general, you can read this answer, and Oauth2 Protocol RFC.

Community
  • 1
  • 1
Amrullah Zunzunia
  • 1,617
  • 16
  • 31
  • Okay thank you so much! One more question just to clarify, **client_id** and **client_secret** will be the same for every phone/app install, but **access token** will be different for every user? – ethanzh Jun 23 '16 at 11:28
  • yes, that's what I wrote above, access token will be different for every user – Amrullah Zunzunia Jun 23 '16 at 12:04