Use AccountManager to implement JWT authentication in Android

I am implementing an Android application that must include user login. To do this, I have created my own authenticator so that the user logs in only once. The AccountManager can then request access tokens, so the application does not handle passwords directly. The AccountManager stores the user accounts and tokens.

I am using JWT (JSON Web Token) to authenticate users against my REST API.

I want to know whether this process is correct, or whether there is a better way to do this in Android.

This is my current process:

> The user enters the username and password in the login screen for the first time.
> I send a request to the server to retrieve a valid token (JWT), which is stored in the AccountManager.
> Subsequent requests use the received access token until it expires (1 hour) to retrieve content from the API.
> After the token expires, it can be refreshed within two weeks of its issue time. After that, the user credentials are required to retrieve a new token.

Is this the correct way to use and refresh tokens? Is the process secure? Are there any other options?

Given that this process does not use a "refresh token" to generate a new access token, what is the best use of the Android AccountManager here? What other tools should I use? In order to implement a "refresh token", is it recommended to implement OAuth2 alongside JWT?

Cheers!
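The lifecycle described in the question, modelled as an added example that is not part of the original post and is not the asker's code. It is a plain Python model of the policy rather than Android code, so it can be run offline: the server signs HS256 JWTs with a constructed key, normal requests are accepted only while `exp` has not passed, and the refresh endpoint accepts an expired token only if its signature still verifies and the first login was less than two weeks ago. The `orig_iat` claim, the `ACCESS_TTL`/`REFRESH_WINDOW` constants and the `client_action` helper are assumptions introduced here; the point of `orig_iat` is that a refreshed token must carry the original issue time forward, otherwise every refresh resets the two-week window and an old token can be renewed forever.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed secret for this example only (assumption: an HS256 key held by the API server,
# never shipped in the Android app).
SECRET = b"example-hs256-key-do-not-reuse"
ACCESS_TTL = 3600             # access token lifetime: 1 hour, as in the question
REFRESH_WINDOW = 14 * 86400   # refresh allowed for two weeks after the FIRST login


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(sub: str, now: int, orig_iat: Optional[int] = None) -> str:
    """Mint an HS256 JWT. orig_iat (assumed claim) pins the refresh window to the first login."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "iat": now, "exp": now + ACCESS_TTL,
               "orig_iat": orig_iat if orig_iat is not None else now}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_signature(token: str) -> Optional[dict]:
    """Return the claims if the signature verifies (expiry NOT checked here), else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":        # reject alg=none and algorithm confusion
            return None
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        return json.loads(_b64url_decode(p))
    except ValueError:                           # malformed base64/JSON or wrong segment count
        return None


def authenticate(token: str, now: int) -> Optional[dict]:
    """Server check for an ordinary API request: valid signature and not yet expired."""
    claims = verify_signature(token)
    if claims is None or now >= claims["exp"]:
        return None
    return claims


def refresh(token: str, now: int) -> Optional[str]:
    """Server refresh endpoint: an expired token is accepted only inside the two-week window."""
    claims = verify_signature(token)
    if claims is None:
        return None                              # forged or tampered token: never refresh
    if now - claims["orig_iat"] > REFRESH_WINDOW:
        return None                              # window closed: the user must log in again
    # Carry orig_iat forward so the chain of refreshes cannot outlive the original window.
    return issue_token(claims["sub"], now, orig_iat=claims["orig_iat"])


def client_action(token: str, now: int, clock_skew: int = 60) -> str:
    """What the authenticator behind AccountManager should do next: 'use', 'refresh' or 'login'.

    The client cannot verify an HS256 signature (it has no key), so it only reads the claims
    as a hint; the server remains the authority on whether the token is still acceptable.
    """
    _, p, _ = token.split(".")
    claims = json.loads(_b64url_decode(p))
    if now < claims["exp"] - clock_skew:
        return "use"
    if now - claims["orig_iat"] <= REFRESH_WINDOW:
        return "refresh"
    return "login"
```

In the Android authenticator this maps onto `getAuthToken()`: return the cached token for "use", call the refresh endpoint and store the new token for "refresh", and hand back an intent to the login activity for "login". Whatever the client decides, the server-side `refresh()` still checks the signature and the absolute window, so a modified `exp` or `orig_iat` on the device buys nothing.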

Answer:

I can say that you are on the right path in using JSON Web Tokens and renewing them.

However, the security you mentioned is about encrypting the token you retrieved before saving it in the AccountManager (the same applies to the user credentials), using an encryption method of your choice (such as AES or RSA), and then decrypting it when you want to use it. Using a key and secret algorithm generated by the server will also defeat any hacker.

As you know, anyone with root access can get the saved credentials database and use it.

Using these techniques will reduce the need for OAuth 2.0 with refresh tokens.

I hope this helps.
