FusionAuth’s new beta SDK streamlines mobile development for iOS and Android, offering powerful backend capabilities and seamless integration with your preferred frameworks.
Recently, the team released a software development kit (SDK) Beta for Android which eliminates boilerplate code, leading to cleaner and more efficient applications.
The Android SDK
The FusionAuth Android SDK aims to provide a simple and trustworthy interface to authenticate mobile users with FusionAuth.
This SDK allows you to use OAuth 2.0 and OpenId Connect functionality in an Android app with FusionAuth as the authorization server. It also provides a Token Manager to store, refresh, and retrieve tokens.
It's a highly standardized and simplified starting point for developers to easily integrate FusionAuth into their own custom mobile apps by taking care of all the dependencies.
The following OAuth 2.0 and OpenID Connect functionality are covered:
- OAuth 2.0 Authorization Code Grant
- OAuth 2.0 Refresh Token Grant
- OpenID Connect UserInfo
- OpenID Connect End Session
AppAuth-Android is used for the OAuth 2.0 Authorization Code Grant flow and OpenID Connect functionality.
The SDK is written in Kotlin and is compatible with Java.
Difference to AppAuth
For OAuth 2.0 authentication, the Authentication Manager uses AppAuth to handle the authentication flow. AppAuth is an open-source library that provides a simple interface for authenticating users with OAuth 2.0. It’s available for Android and iOS.
Using AppAuth directly might seem a good idea because it grants more control over the implementation, but there are compelling reasons to use the FusionAuth Android SDK instead.
-
Simplified Authentication Flow: The SDK simplifies the process of authenticating users with FusionAuth by providing a simple interface.
-
Standardized Usage: The SDK introduces standardized usage with the introduction of the Authorization Manager.
-
Security: The SDK handles best practice defaults in the Authorization Configuration.
-
Time-Saving: The SDK handles all dependencies and best practice defaults for you.
-
Maintainability: The SDK gives us the flexibility to add additional functionality without having to feature creep the AppAuth library, or implement features early until they get added to AppAuth.
Getting Started
To simplify the experience, our primary goal was to introduce a minimum effort from the start. With a single import and a simple as possible configuration, which handles all dependencies and best practice defaults for you through the Authorization Configuration.
To use the FusionAuth Android SDK, add the following dependency to your build.gradle file:
dependencies {
implementation('io.fusionauth:fusionauth-android-sdk:<latest-version>')
}
After adding the dependency, you will need to initialize the AuthorizationManager with
the AuthorizationConfiguration:
AuthorizationManager.initialize(
AuthorizationConfiguration(
fusionAuthUrl = "http://10.0.2.2:9011",
clientId = "e9fdb985-9173-4e01-9d73-ac2d60d1dc8e",
allowUnsecureConnection = true
)
)
This will initialize the AuthorizationManager with the provided AuthorizationConfiguration.
The AuthorizationManager is a singleton and can be accessed from anywhere in your app.
The example configuration uses the IP address for your local machine, which is the default for the Android Emulator. If
you are running the FusionAuth server on a different machine, you will need to replace the fusionAuthUrl with the
correct URL.
Instead of specifying the AuthorizationConfiguration in code, you could also read it from a resource file:
AuthorizationManager.initialize(
AuthorizationConfiguration.fromResources(this, R.raw.fusionauth_config)
)
The fusionauth_config.json file should be placed in the res/raw directory and should look like this:
{
"fusionAuthUrl": "http://10.0.2.2:9011",
"clientId": "e9fdb985-9173-4e01-9d73-ac2d60d1dc8e",
"allowUnsecureConnection": true
}
By default, the SDK uses the MemoryStorage for storing tokens. This means that tokens will be lost when the app is
closed.
To persist tokens, you can use the SharedPreferencesStorage or implement your own TokenStorage.
Usage
Our secondary goal with the SDK was the standardization of the usage with, for example, the introduction of the Authorization Manager.
To start the OAuth 2.0 Authorization Code Grant, you can use the oAuth() function on the AuthorizationManager to
retrieve the OAuthAuthorizationService:
AuthorizationManager
.oAuth(this@LoginActivity)
.authorize(
Intent(this@LoginActivity, TokenActivity::class.java),
OAuthAuthorizeOptions(
cancelIntent = Intent(this@LoginActivity, LoginActivity::class.java)
.setFlags(Intent.FLAG_ACTIVITY_CLEAR_TOP),
state = "state-${System.currentTimeMillis()}"
)
)
The authorize function will start the OAuth 2.0 Authorization Code Grant flow and open the provided Intent when the
flow is completed.
The OAuthAuthorizeOptions allows you to specify additional options for the flow, such as the cancelIntent and
the state.
If the user completes the flow, the TokenActivity will be opened, and you are required to handle the redirect:
AuthorizationManager.oAuth(this@TokenActivity)
.handleRedirect(intent)
This will retrieve the authorization response, validates the state if it was provided, and exchanges the authorization
code for an access token.
The result of the exchange will be stored in the TokenManager.
After the user is authorized, you can use getUserInfo() to retrieve the User Info:
AuthorizationManager.oAuth(this@TokenActivity).getUserInfo()
To call your API with an access token, you can use the AuthorizationManager to retrieve a valid access token:
val accessToken = AuthorizationManager.freshAccessToken(this@TokenActivity)
This will retrieve a fresh access token from the TokenManager and return it. If the access token is expired,
the TokenManager will refresh it automatically.
Finally, you can use the AuthorizationManager to sign out the user and remove the tokens from the TokenManager:
AuthorizationManager
.oAuth(this@TokenActivity)
.logout(
Intent(this@TokenActivity, LoginActivity::class.java)
.setFlags(Intent.FLAG_ACTIVITY_CLEAR_TOP)
)
If the user is signed out, the LoginActivity will be opened.
Security
With the simplified start in the Authorization Configuration and standardized usage in the Authorization Manager we now took care of best practice defaults. as well as handling token storage, refresh, and retrieval in the Token Manager.
What we didn’t want to change is the AppAuth authentication flow through a browser redirect. When using a browser redirect to the SSO URL, the only application that sees or holds sensitive user credentials is FusionAuth. Your application code never has access to these, which decreases the attack surface area.
In addition, FusionAuth has built-in security features such as:
- the ability to lock user accounts
- password rules
- webhook notifications when a user has failed to login
- breached password notification (with a paid license)
- rate limiting of sensitive security-related actions (with an Enterprise license)
- and more
FusionAuth takes security seriously; it’s our full-time job. By redirecting to FusionAuth, you don’t have to worry about any other part of your application getting access to sensitive information or credentials.
Look and Feel
Do you typically want your login pages to look like your Mobile App? Doesn’t a browser redirect make that difficult?
No, FusionAuth allows complete control over the look and feel of the hosted login pages. Learn more about this functionality, which we call themes, including an example using Tailwind CSS.
Being able to make the look and feel the same as your mobile app if your users use the same SSO page design for other use cases, e.g., your online store or portal. It will create more trust because the experience (including design, SSO URL, and authentication process) will be the same on mobile as anywhere else.
Example
We’ve built an App for ChangeBank, a global leader in converting dollars into coins.
See the FusionAuth Android SDK Example for a functional example of an Android client that uses the SDK.
See the FusionAuth Android Quickstart for a full tutorial on using FusionAuth and Android.
In Conclusion
With the introduction of the FusionAuth Android SDK Beta, we’re eager to finalize the development into a final release and are looking forward to doing this with your feedback.
Especially as the SDK is set to standardize and secure your authorization processes in your mobile application development. We’re interested to see if it helps your development, whether you’re getting started or looking for a way to standardize and secure your authorization processes in your Android App.
More details on the SDK and collaboration
We created detailed documentation of the SDK and made it available in the GitHub repository of the SDK.
See the latest Full library documentation for the complete documentation of the SDK.
In there, you will find as well how you can contribute further in the development of the FusionAuth Android SDK.
