JWT – blog.fossasia.org

Implement JWT Refresh token in Open Event Attendee App

Post author:liveHarshit
Post published:September 1, 2019
Post category:Android API Event FOSSASIA GSoC Open Event
Post comments:0 Comments

In open event attendee android app earlier only access token is used, which causes HTTP 401 many time due to expiry of the token. It needs to re sign-in for the user. Now we have implemented refresh token authorization with the open event server using retrofit and OkHttp. Retrofit is one of the most popular HTTP client for Android. When calling API, we may require authentication using a token. Usually, the token is expired after a certain amount of time and needs to be refreshed using the refresh token. The client would need to send an additional HTTP request in order to get the new token. Imagine you have a collection of many different APIs, each of them requires token authentication. If you have to handle refresh token by modifying your code one by one, it will take a lot of time and of course, it's not a good solution. In this blog, I'm going to show you how to handle refresh token on each API calls automatically if the token expires. How refresh token works?Add authenticator to OkHttpNetwork call and handle responseConclusionResources Let’s analyze every step in detail. How Refresh Token Works? Whether tokens are opaque or not is usually defined by the implementation. Common implementations allow for direct authorization checks against an access token. That is, when an access token is passed to a server managing a resource, the server can read the information contained in the token and decide itself whether the user is authorized or not (no checks against an authorization server are needed). This is one of the reasons tokens must be signed (using JWS, for instance). On the other hand, refresh tokens usually require a check against the authorization server. Add Authenticator to OkHTTP OkHttp will automatically ask the Authenticator for credentials when a response is 401 Not Authorised retrying last failed request with them. class TokenAuthenticator: Authenticator { override fun authenticate(route: Route?, response: Response): Request? { // Refresh your access_token using a synchronous api request val newAccessToken = service.refreshToken(); // Add new header to rejected request and retry it return response.request().newBuilder() .header(AUTHORIZATION, newAccessToken) .build() } } Add the authenticatior to OkHttp: val builder = OkHttpClient().newBuilder() .authenticator(TokenAuthenticator()) Network Call and Handle Response API call with retrofit: @POST("/auth/token/refresh") fun refreshToken(): Single<RefreshResponse> Refresh Response: @JsonNaming(PropertyNamingStrategy.SnakeCaseStrategy::class) data class RefreshResponse( val refreshToken: String ) In a Nutshell Refresh tokens improve security and allow for reduced latency and better access patterns to authorization servers. Implementations can be simple using tools such as JWT + JWS. If you are interested in learning more about tokens (and cookies), check our article here. Resources Android - Retrofit 2 Refresh Access Token with OkHttpClient and Authenticator: https://www.woolha.com/tutorials/android-retrofit-2-refresh-access-token-with-okhttpclient-and-authenticatorRefresh Tokens: When to Use Them and How They Interact with JWTs: https://auth0.com/blog/refresh-tokens-what-are-they-and-when-to-use-them/ Tags Eventyay, open-event, FOSSASIA, GSoC, Android, Kotlin, Refresh tokens

Making the Login fragment in the Open Event Android App

Post author:nikit19
Post published:July 19, 2018
Post category:Android Event Management FOSSASIA GSoC Open Event
Post comments:0 Comments

The first thing that was implemented in the Open Event Android app was the login screen. This is because there were many API endpoints which cannot be accessed without an auth token. Let’s see how this was implemented. JWT token Firstly let’s talk about what is this token that I mentioned. The token is JWT (Javascript Web Token) which includes certain information about the user, such as identifier and information about if the token is valid, when will it expire and a signature to verify if it was tampered. Code Let’s have a look at the code in the Login fragment. Firstly we have a boolean to check if the user should login or not. If this variable is true we will send the user to the MainActivity. Next if the user clicks on the login button we will check the username and password and then the we will decide whether to show the progress bar or not. If the user encounters an error while logging in that error is shown to the user in a toast message. if (loginActivityViewModel.isLoggedIn()) redirectToMain() rootView.loginButton.setOnClickListener { loginActivityViewModel.login(username.text.toString(), password.text.toString()) } loginActivityViewModel.progress.observe(this, Observer { it?.let { showProgress(it) } }) loginActivityViewModel.error.observe(this, Observer { Toast.makeText(context, it, Toast.LENGTH_LONG).show() }) loginActivityViewModel.loggedIn.observe(this, Observer { Toast.makeText(context, "Success!", Toast.LENGTH_LONG).show() redirectToMain() }) All these methods and variables are declared in the ViewModel so let’s have a look there to understand them. All our variables are of the type LiveData, this is the reason why we are using the observe method in the login fragment. The observe method is used to observe these variables and whenever their value is changed it notifies the observer. In the login function we are sending a request to the server in a background thread. val progress = MutableLiveData<Boolean>() val error = SingleLiveEvent<String>() val loggedIn = SingleLiveEvent<Boolean>() fun isLoggedIn() = authService.isLoggedIn() fun login(email: String, password: String) { if (email.isNullOrEmpty() || password.isNullOrEmpty()) { error.value = "Email or Password cannot be empty" return } compositeDisposable.add(authService.login(email, password) .subscribeOn(Schedulers.io()) .observeOn(AndroidSchedulers.mainThread()) .doOnSubscribe { progress.value = true }.doFinally { progress.value = false }.subscribe({ loggedIn.value = true }, { error.value = "Unable to Login. Please check your credentials" })) } Finally lets have a look at the login function of the AuthService class that was used above. We will throw an exception if the username or password is empty. Otherwise we will send a POST request to the server with the username and password. Then we will store the JWT access token which will be used when we will access the endpoints of the server. fun login(username: String, password: String): Single<LoginResponse> { if (username.isEmpty() || password.isEmpty()) throw IllegalArgumentException("Username or password cannot be empty") return authApi.login(Login(username, password)) .map { authHolder.token = it.accessToken it } } This is how the POST request for login looks @POST("../auth/session") fun login(@Body login: Login): Single<LoginResponse> This all that is required to create the login fragment. Resources ReactiveX official documentation : http://reactivex.io/ Vogella RxJava 2 - Tutorial : http://www.vogella.com/tutorials/RxJava/article.html JWT token Wikipedia: https://en.wikipedia.org/wiki/JSON_Web_Token

Invalidating user login using JWT in Open Event Orga App

Post author:Areeb Jamal
Post published:July 23, 2017
Post category:Android Event Event Management FOSSASIA GSoC Open Event
Post comments:0 Comments

User authentication is an essential part of Open Event Orga App (Github Repo), which allows an organizer to log in and perform actions on the event he/she organizes. Backend for the application, Open Event Orga Server sends an authentication token on successful login, and all subsequent privileged API requests must include this token. The token is a JWT (Javascript Web Token) which includes certain information about the user, such as identifier and information about from when will the token be valid, when will it expire and a signature to verify if it was tampered. Parsing the Token Our job was to parse the token to find two fields: Identifier of user Expiry time of the token We stored the token in our shared preference file and loaded it from there for any subsequent requests. But, the token expires after 24 hours and we needed our login model to clear it once it has expired and shown the login activity instead. To do this, we needed to parse the JWT and compare the timestamp stored in the exp field with the current timestamp and determine if the token is expired. The first step in the process was to parse the token, which is essentially a Base 64 encoded JSON string with sections separated by periods. The sections are as follows: Header ( Contains information about algorithm used to encode JWT, etc ) Payload ( The data in JWT - exp. Iar, nbf, identity, etc ) Signature ( Verification signature of JWT ) We were interested in payload and for getting the JSON string from the token, we could have used Android’s Base64 class to decode the token, but we wanted to unit test all the util functions and that is why we opted for a custom Base64 class for only decoding our token. So, first we split the token by the period and decoded each part and stored it in a SparseArrayCompat public static SparseArrayCompat<String> decode(String token) { SparseArrayCompat<String> decoded = new SparseArrayCompat<>(2); String[] split = token.split("\\."); decoded.append(0, getJson(split[0])); decoded.append(1, getJson(split[1])); return decoded; } The getJson function is primarily decoding the Base64 string private static String getJson(String strEncoded) { byte[] decodedBytes = Base64Utils.decode(strEncoded); return new String(decodedBytes); } The decoded information was stored in this way 0={"alg":"HS256","typ":"JWT"}, 1={"nbf":1495745400,"iat":1495745400,"exp":1495745800,"identity":344} Extracting Information Next, we create a function to get the expiry timestamp from the token. We could use GSON or Jackson for the task, but we did not want to map fields into any object. So we simply used JSONObject class which Android provides. It took 5 ms on average to parse the JSON instead of 150 ms by GSON public static long getExpiry(String token) throws JSONException { SparseArrayCompat<String> decoded = decode(token); // We are using JSONObject instead of GSON as it takes about 5 ms instead of 150 ms taken by GSON return Long.parseLong(new JSONObject(decoded.get(1)).get("exp").toString()); } Next, we wanted to get the ID of user from token to determine if a new user is logging in or an old one, so…