Bob Winter wrote:The OAuth authorization flow works like this
In the second step to get the access and refresh token you build the token URL with the previous authorization token and your client-secret.
But: how does a customer who doesn't know your client-secret do this?
The redirect has the unique authorization token. So, the service server sends this secured to the client
It's possible to store them on your server and to have all data flow through your server, but this only makes sense within a company network where all data has to go through the master proxy.
When the client gets the error about the access token timeout it requests a new access token via sending a request along with the refresh token to my server to handle it. This works, but it would take a lot of effort to rewrite Google's OAuth lib so that, instead of trying a refresh itself without the client-secret, it relays it via your server.
I don't know why there are no libraries out there to handle this or so little information, as OAuth is widely used. From the point I just said to myself "screw this".
Mike Gosling wrote:And is it true that if OAuth is implemented during login, that my app will be considered "secure enough" so the User doesn't have to click that "Enable" button?
However, on an Android app, you probably shouldn't be sending email directly, but rather contacting the email/gmail intent. Which already has the requisite settings and credentials.
Bob Winter wrote:From as far as I know and understand ...
Tim Holloway wrote:However, on an Android app, you probably shouldn't be sending email directly, but rather contacting the email/gmail intent.
Stephan van Hulst wrote:Yes, using OAuth should allow access to your mail server without having to "Allow less secure app access".
Tim Moores wrote:If for some reason no user interaction is desired, have the app contact a REST service on your server with the relevant details, and then the server can send out mails.
I managed to send an email for someone who is using Gmail, but what if a User has an account for, let's say, Yahoo or Hotmail or university mail? How to set (programmatically) mail server configuration parameters for each of these mail services, how do they differ?
Mike Gosling wrote:I managed to send an email for someone who is using Gmail, but what if a User has an account for, let's say, Yahoo or Hotmail or university mail? How to set (programmatically) mail server configuration parameters for each of these mail services, how do they differ?
As I said, I'm new to building back-end web apps, so can you maybe recommend some resource (tutorial, blog etc.) on how to actually implement OAuth? By your comments, you seem to have an in-depth knowledge.
How to set (programmatically) mail server configuration parameters for each of these mail services, how do they differ?
Stephan van Hulst wrote:You can probably get the access token from Spring Security some way after the user has logged in.
Tim Holloway wrote:OAUTH is designed to provide "Single Sign-On" across sites. But you have to prime the pump by signing on to an OAUTH participant.
But a larger question needs addressing. This is supposed to be Spring Boot and Android??? Android's Dalvik is not the same thing as a JVM. Spring Boot doesn't run on Android.
Tim Holloway wrote:You basically just have to set all of the properties with values appropriate to the mailserver that you will be sending through. Same as with gmail, but each of those services has their own host address, port, security protocols and connection credentials.
Stephan van Hulst wrote:Mike is supposed to use Retrofit2 to send REST requests from Android to the Spring service, and the Spring service uses OAuth to access Gmail.
Stephan van Hulst wrote:Sorry, I missed your reply. Did you manage to make progress in the meantime?
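Added example, not part of the thread or any poster's code: a sketch of the server-side relay discussed above, where the app sends only its refresh token to your server and the server adds the client-secret before calling the token endpoint (a standard RFC 6749 refresh_token grant). The class name, the environment variable names and the sample values are assumptions; the endpoint shown is Google's.

```java
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;

public class RefreshRelay { // hypothetical class name
    // Google's OAuth 2.0 token endpoint; other providers publish their own.
    static final URI TOKEN_ENDPOINT = URI.create("https://oauth2.googleapis.com/token");

    static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }

    // Form body of a refresh_token grant (RFC 6749, section 6).
    static String refreshForm(String clientId, String clientSecret, String refreshToken) {
        return String.join("&",
                "grant_type=refresh_token",
                "refresh_token=" + enc(refreshToken),
                "client_id=" + enc(clientId),
                "client_secret=" + enc(clientSecret));
    }

    static HttpRequest refreshRequest(String clientId, String clientSecret, String refreshToken) {
        if (refreshToken == null || refreshToken.isBlank())
            throw new IllegalArgumentException("refresh token missing");
        return HttpRequest.newBuilder(TOKEN_ENDPOINT)
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString(
                        refreshForm(clientId, clientSecret, refreshToken)))
                .build();
    }

    // Called from the server endpoint the app talks to, after that endpoint has
    // authenticated the caller. The secret is read server-side and never shipped in the app.
    static String relay(String refreshToken) throws Exception {
        String id = System.getenv("OAUTH_CLIENT_ID");         // assumed variable name
        String secret = System.getenv("OAUTH_CLIENT_SECRET"); // assumed variable name
        if (id == null || secret == null)
            throw new IllegalStateException("client credentials not configured");
        HttpResponse<String> r = HttpClient.newHttpClient().send(
                refreshRequest(id, secret, refreshToken), HttpResponse.BodyHandlers.ofString());
        if (r.statusCode() != 200)
            throw new IllegalStateException("refresh rejected: HTTP " + r.statusCode());
        return r.body(); // JSON carrying the new access_token
    }

    public static void main(String[] args) {
        // Constructed sample values; prints the form body without contacting the provider.
        System.out.println(refreshForm("sample-client-id", "sample-secret", "1//sample refresh+token"));
    }
}
```

The relay endpoint has to authenticate the app's user itself; otherwise anyone holding a refresh token can redeem it through your server.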