androidiosoauth-2.0app-secret

Android/IOS Secret expiration management with client credentials flow

I'd like to know if there is any strategy for managing secret expiration in mobile devices.

In a scenario where an authorization server allows a mobile client to authorize against him using a resource owner password flow in combination with client credentials, with the client secrets having an expiration time.

I've seen there are ways to safely store secrets on Android apps at least, but, how do you manage the secret expiration without publishing a new version of the app?

Solution

  • This is how we have done in our App following OAuth Refresh Token Standards.

    Step 1: Your API should be sending a standard Auth Token Response as stated here

     HTTP/1.1 200 OK
 Content-Type: application/json;charset=UTF-8
 Cache-Control: no-store
 Pragma: no-cache

 {
   "access_token":"2YotnFZFEjr1zCsicMWpAA",
   "token_type":"example",
   "expires_in":3600,
   "refresh_token":"tGzv3JOkF0XG5Qx2TlKWIA",
   "example_parameter":"example_value"
 }

    Step 2: Save that response in Shared Preferences/Local Cache/Local Database, we used Shared Preferences (assuming accountToken is Object of class created from Response of Auth Token)

    SharedPreferences.Editor editor = getContext().getSharedPreferences("AUTH_PREFS_NAME", Context.MODE_PRIVATE).edit();
editor.putString("AUTH_ACCESS_TOKEN_KEY", accountToken.getAccess_token());
editor.putString("AUTH_REFRESH_TOKEN_KEY", accountToken.getRefresh_token());
editor.putLong("AUTH_EXPIRES_IN_KEY", accountToken.getExpires_in());
editor.putLong("AUTH_TIME_SAVED_KEY", ((int) (System.currentTimeMillis() / 1000)));
editor.commit();

    Step 3: Each time you have to use saved Access Token, make sure it is not expired

    public boolean needsTokenRefresh(String accessToken) {
    if (accessToken == null || accessToken.length() == 0) {
        // no access token to refresh. Don't refresh.
        return false;
    }

    SharedPreferences pref = mContext.getSharedPreferences("AUTH_PREFS_NAME", Context.MODE_PRIVATE);
    String refreshToken = pref.getString("AUTH_REFRESH_TOKEN_KEY", null);
    if (refreshToken == null || refreshToken.length() == 0) {
        // no refresh token. Can't refresh.
        return false;
    }

    Integer timeSaved = pref.getInt("AUTH_TIME_SAVED_KEY", 0);
    if (timeSaved == 0) {
        // No recording of having saved the token. Don't refresh.
        return false;
    }

    long expiresIn = pref.getLong("AUTH_EXPIRES_IN_KEY", 0);
    int now = (int) (System.currentTimeMillis() / 1000);
    int timePassed = Math.abs(now - timeSaved);
    boolean expired = false;
    if (expiresIn <= timePassed) {
        expired = true;
    }
    return expired;
}

    If needsTokenRefresh() returns false then use the saved Auth Token. If it returns true then go to next step.

    Step 4: Make Auth call again with grant_type set as refresh_token as stated in standards

    Step 5: Auth call should return Standard Auth Response as described in Step 1 with token refreshed and new refresh_token