Utilising Security in android for Authentication and Authorization for Android

I would be using mongo db to perform all basic operations no need for firebase so you can see clearly how the whole process is hhandled

🚀 About Me

I'm an android developer building this porject for and hands on with server side related authentication

Tech Stack

Client: Kotlin, Jetpack Compose, Dagger Hilt, Kotlin Serializer, Retrofit,Compose Navigation, Google Auth, Data Store Preferences, Coil

Server: Ktor, Koin, Kmongo and google client api library

Documentation

Client Server Side Authentication: The backend server would use ktor framework(image). PSs use wire shark to track network activity

Authentication & Authorization:

Authentication process of verifying who the users are. Authorization verifying what oermission user has.

ID Token

ID token is proof that user is authenticated. It represents a jwt(json web token)standard that allows app to inspect its content that it comes from expected issuer. It is not readable by normal eyes.

If you request a sign-in id from google. It would uses its private key to sign our token id and then when we receive it we use google public to verify that its sent by google.

Id token demonstrates that user has been authenticated by an entity you trust(OPenId Provider -Google for example) and so you can trust the claims about their entity. We can personalise the user experience by using the claims about the user that are included in the token. Id token is not encrypted but BAse64 encoded.

ACCESS TOKEN:

It allows client application to access a specific resource in order to perform a certain action on behalf of the user

You have control over which app uses the token. For example you can give access to the file so to know it can be accessed not removed. Before giving access you can can see the permissions needed within a scope.

Scopes are list of permissions required by applications which you are authorising to access a resource. Scopes are mechanism that allows user to authorise a 3rd party application to perform only a specific set of instructions. Also known as jet

Format of an access token can be a string in any format common format is jwt format with id token. Access token must be confidential both in transit and storage.

The only parties that should see the token is application itself ,the authorisation server and resource server. The application should only be used in secured https connection. If you pass it through an unencrypted channel it can be stolen and modified.

OAuth2/OPenId

OAuth2 is an authorization framework that delegates user Authentication to the service Provider(google) that hosts the user account, and authorizes third party applications to access the user account.

It defines 4 diffferent roles:

1. Resource Owner: Its the user who authorizes an application to access the account.
2. Client: The application that wants to access the user account before it access it must be authorized and validated by the api.
3. Resource Server: Hosting that protects user account
4. Authorization Server: It verifys the identity of the user and issues access token to the application.

OPenIdConnect

OPenIdConnect: Its an identity layer built on OAuth2 the highest level. it is a secure mechanism for the application to contact the identity service to get some user details and return in a secured way

id token

OAuth2 is about resource access and sharing and OPenIdConnect is about Authentication. Its purpose is to give one login for multiple sites.

JSOn Web Token

Its an open stand (RFC 7510) that defines a compact and self-contained way for securely transmiting information between parties as a JSON object. It can be verified and trusted because its digitally signed.

Jwt can also be signed using a secret with the HMAC algorithm or a public/private key pair using RSA or ECDSA.JWT is to hold or transfer claims to the other side. iTs commonly used for message exchange or authorization

Most Common Scenario

when establishing communication i would use session cookies. Trying other ways

JWT structure consists of three part seperated by a dot. Header payload(contians claims(registered:predefinedclaims, public, private:custom claims)) and signature takes encoded header, payload and secret an assigns jwt./signed token is readable no infomration should be used

Sessions and cookies

after we verify id token user would would receive session id which should be included in subsequent request or else user would have to verify id token all over again. The id token normally have an expiry period which is usually 1 hour but if it verifys with our backend server before expiry then a session id would be genrated and can be used so far as that session is live.

Sessions and cookies are used by different website for storing user data across different pages. Both are important as they keep track of information provided by visitor for different purposes.

Main difference is sessions are saved on server side while cookies are saved on browser client side. The user is identified with the help of a session id which is a unique number saved in the server.

Cookies would be used in this project only for passing sessoin id to our backend server with each request we send

Running Tests

To run tests, run the following command

  .gradlew run test

Usage/Examples

Screenshots

Run Locally

Clone the project

  git clone https://link-to-project

Go to the project directory

  cd my-project

Install dependencies

Start the server

Used By

This project is used by me

Support

For support, email [email protected].

FAQ

CAN I USE THE APPLICATION LOCALLY AND LIVE

YES I WOULD ALSO DEPLOY ON HEROKU AND MONGODB

License

MIT

Badges

Add badges from somewhere like: shields.io

Installation

Install my-project with the apk

References

Here are some Links

JWT JWT

Ktor starter template Ktor