CYM-Identity tries to follow oAuth and OpenID Connect specifications and therefore is unopinionated when it comes to libraries.
In order to get you started with your Android app, we recommend that you use
AppAuth-AndroidIf you haven't done it yet, you need to create an Application following the
documentationWe strongly recommend that you only use the authorization_code
grant.
By design, an Android app will consume APIs hosted by a Resource Server.
Follow the instructions in the
documentation to create your Resource Server and Protected Resources.
We believe that the documentation provided by the
AppAuth-Android team is quite clear on setting up your environment. Once you have completed the initial setup you can continue the following sections.
We recommend that you use the OpenID discovery service instead of a hard coded configuration
1AuthorizationServiceConfiguration.fetchFromIssuer(
2 Uri.parse("https://${realm.url}/oauth/${realm.name}"),
3 new AuthorizationServiceConfiguration.RetrieveConfigurationCallback() {
4 public void onFetchConfigurationCompleted(
5 @Nullable AuthorizationServiceConfiguration serviceConfiguration,
6 @Nullable AuthorizationException ex) {
7 if (ex != null) {
8 Log.e(TAG, "failed to fetch configuration");
9 return;
10 }
11
12
13 }
14 });
Now that everything is set up, you can start authenticating your users.
When your users are ready to authenticate, you can trigger an authentication request.
Each logged in user (employee, customer, partner, ...) needs to hold a CYM-Identity License. Add it as part of mass assignment or through your registration flow.
During the authorization_code exchange, you can specify the audience
or the resource
your application need to access
1authService.performTokenRequest(
2 authorizationResponse.createTokenExchangeRequest(
3 new HashMap<String, String>() {{
4 put("audience", "RESOURCE_SERVER_CLIENT_ID");
5 }}
6 ),
7 new AuthorizationService.TokenResponseCallback() {
8 @Override public void onTokenRequestCompleted(
9 TokenResponse resp, AuthorizationException ex) {
10 authState.update(resp, ex);
11 if (resp != null) {
12
13 } else {
14
15 }
16 }
17 });
You can now use the access_token to consume APIs.
1authState.performActionWithFreshTokens(authService, new AuthStateAction() {
2 @Override public void execute(
3 String accessToken,
4 String idToken,
5 AuthorizationException ex) {
6 if (ex != null) {
7
8 return;
9 }
10
11
12 }
13});
The access_tokens generated initially have a short lifetime, and you'll need new ones to keep accessing APIs on behalf of the user. Once an access_token
has expired, you'll get a 401
response from an API.
1performTokenRequest(
2 authState.createTokenRefreshRequest(
3 new HashMap<String, String>() {{
4 put("audience", "RESOURCE_SERVER_CLIENT_ID");
5 }}
6 ),
7 this::handleAccessTokenResponse);
When you made the previous request, you chose a specific ResourceServer to which you needed access. If you need an access_token scoped to a different Resource Or ResourceServer, you can request for it
1performTokenRequest(
2 authState.createTokenRefreshRequest(
3 new HashMap<String, String>() {{
4 put("audience", "DIFFERENT_RESOURCE_SERVER_CLIENT_ID");
5 }}
6 ),
7 this::handleAccessTokenResponse);
1performTokenRequest(
2 authState.createTokenRefreshRequest(
3 new HashMap<String, String>() {{
4 put("resource", "https://resource.url");
5 }}
6 ),
7 this::handleAccessTokenResponse);
When your users are ready to logout, you can request a logout as follows.
1EndSessionRequest endSessionRequest = new EndSessionRequest.Builder(
2 authorizationServiceConfiguration,
3 idToken,
4 endSessionRedirectUri
5).build();
6AuthorizationService authService = new AuthorizationService(this);
7Intent endSessionItent = authService.getEndSessionRequestIntent(endSessionRequest);
8startActivityForResult(endSessionItent, RC_END_SESSION);