Store OAuth2 token securely in KeyStore and link to account in AccountManager

1.4k views Asked by At

My web API requires an authentication token to access protected resources. I can request and receive these, and consume the api. Now I want to store this token for later usage.

I am aware that it is hard or even impossible to securely store confidential data, but this article suggest to use the KeyStore to store tokens, which might be the best way to go. I read somewhere that the stock email app also uses this approach, but unfortunately I cannot remember the source.

I would like to use the KeyStore in combination with the AccountManager, so the user can view and manage all registered accounts (tokens) on their device.

Is this possible? If so, how can I achieve this? I can't seem to find a way to 'attach' a reference to a keystore entry to an account.

Any suggestions or alternatives are welcome as well! Thanks in advance!

1

There are 1 answers

0
felislynx.silae On BEST ANSWER

So, if you encrypt/decrypt something into/from keystore you are using an alias. For example, your account name. Or you can store aliases in AccountManager. You can decide if it is better to use account name as alias in keystore (remember that you should provide ability to create an account from settings). Or you want to randomly generate aliases and store them in AccountManager as additional data (UserData). Keystore part is very nicely documented, the account manager is not. I remember that research on that took me some time and implementation slightly differs based on application type.