I'm implementing an Android application that must include user login. To do this, I create my own authenticator with the goal of logging in only once. The AccountManager can then request access tokens, so the application does not handle passwords directly. The AccountManager stores the user account and the token.
I'm using JWT (JSON Web Token) to authenticate the user in my REST API.
I wonder if this flow is correct or if there is a better approach to this in Android.
Here is the flow I'm currently using:
The user first enters their username and password on the login screen.
I make a request to the server to get a valid token (JWT), which is stored in the AccountManager.
Subsequent requests use the received access token until it expires (1 hour) in order to retrieve content from the API.
After the token has expired, it can be refreshed up to two weeks after it was issued. After that, user credentials are required to obtain a new token.
Does this process work correctly with the token and refreshing it? Is this process secure? Are there any other options?
Given that this flow does not use a "refresh token" to generate a new access token, what would be the best use of the Android AccountManager? What other tools should I use? Is it recommended to implement OAuth2 alongside JWT in order to implement a "refresh token"?
Hooray!
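The token lifecycle described in the post (1-hour access token, refresh allowed for two weeks after login, then credentials again), written out as an added example that is not the asker's code and not any library's API. It is a self-contained Python simulation: the server side is three plain functions standing in for /login, /refresh and /content, the JWTs are HS256 built by hand so nothing has to be installed, and a `Client` class stands in for the app, with a dict playing the role that AccountManager plays on the device. The signing key, the user "alice" and her password are constructed for the example; the password check and AccountManager wiring of a real app are not shown.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed values for this example only; a real server keeps its signing
# key out of source control and stores password hashes, not passwords.
SERVER_SECRET = b"example-hmac-key-not-for-production"
USERS = {"alice": "correct horse battery staple"}
ACCESS_TTL = 3600             # access token lifetime: 1 hour, as in the post
REFRESH_WINDOW = 14 * 86400   # refreshing allowed up to two weeks after login


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict) -> str:
    """Compact HS256 JWT: base64url(header).base64url(claims).base64url(mac)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(SERVER_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(mac)}"


def verify_jwt(token, now: float) -> Optional[dict]:
    """Claims if the MAC is valid, alg is HS256 and exp lies in the future; else None."""
    if not isinstance(token, str) or token.count(".") != 2:
        return None
    header, body, sig = token.split(".")
    try:
        expected = hmac.new(SERVER_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None   # the token never gets to choose the algorithm (rejects "none")
        claims = json.loads(_b64url_decode(body))
    except ValueError:       # bad base64 or bad JSON
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


# ---- server side: the three endpoints the post's flow needs ----

def _access_token(user: str, now: float) -> str:
    return sign_jwt({"sub": user, "typ": "access", "iat": int(now), "exp": int(now) + ACCESS_TTL})


def login(user: str, password: str, now: float) -> Optional[dict]:
    """POST /login: credentials -> short-lived access token plus a refresh token whose
    exp is fixed at login time + two weeks, so refreshing can never extend the window."""
    if user not in USERS or not hmac.compare_digest(USERS[user].encode(), password.encode()):
        return None
    refresh_tok = sign_jwt({"sub": user, "typ": "refresh", "iat": int(now), "exp": int(now) + REFRESH_WINDOW})
    return {"access": _access_token(user, now), "refresh": refresh_tok}


def refresh(refresh_tok, now: float) -> Optional[str]:
    """POST /refresh: valid refresh token -> new access token; None once the window has passed."""
    claims = verify_jwt(refresh_tok, now)
    if claims is None or claims.get("typ") != "refresh":
        return None   # an access token must not be accepted here, and vice versa
    return _access_token(claims["sub"], now)


def get_content(access_tok, now: float) -> Optional[str]:
    """GET /content: requires an unexpired access token."""
    claims = verify_jwt(access_tok, now)
    if claims is None or claims.get("typ") != "access":
        return None
    return f"content for {claims['sub']}"


# ---- client side: stands in for the app; `store` plays AccountManager's role ----

class Client:
    def __init__(self):
        self.store = {}

    def login(self, user: str, password: str, now: float) -> bool:
        pair = login(user, password, now)
        if pair is not None:
            self.store = pair          # the password is dropped; only the tokens are kept
        return pair is not None

    def fetch(self, now: float):
        """Use the stored access token; on failure try a refresh; after the refresh
        window report that the login screen has to be shown again."""
        content = get_content(self.store.get("access"), now)
        if content is not None:
            return "ok", content
        new_access = refresh(self.store.get("refresh"), now)
        if new_access is None:
            return "login_required", None
        self.store["access"] = new_access
        return "refreshed", get_content(new_access, now)
```

Two details in the simulation matter for the questions asked in the post: the refresh token's `exp` is set once at login and never moved, which is what enforces "two weeks, then credentials again" even if the client refreshes every hour; and the `typ` claim keeps the two tokens from being swapped, so a stolen refresh token cannot be presented to the content endpoint. The `typ: "refresh"` token issued by `/login` is what an OAuth2-style refresh token is; the post's flow already has one in all but name.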