
This piece of code is from AuthenticatorActivity in the Android SampleSyncAdapter sample project. Its comment says,

We store the authToken that's returned from the server as the 'password' for this account - so we're never storing the user's actual password locally.

But I don't see authToken being used at all. Why? Is this a mistake or intentional?

    /**
     * Called when response is received from the server for authentication
     * request. See onAuthenticationResult(). Sets the
     * AccountAuthenticatorResult which is sent back to the caller. We store the
     * authToken that's returned from the server as the 'password' for this
     * account - so we're never storing the user's actual password locally.
     *
     * @param result the confirmCredentials result.
     */
    private void finishLogin(String authToken) {

    Log.i(TAG, "finishLogin()");
    final Account account = new Account(mUsername, Constants.ACCOUNT_TYPE);
    if (mRequestNewAccount) {
        mAccountManager.addAccountExplicitly(account, mPassword, null);
        // Set contacts sync for this account.
        ContentResolver.setSyncAutomatically(account, ContactsContract.AUTHORITY, true);
    } else {
        mAccountManager.setPassword(account, mPassword);
    }
    final Intent intent = new Intent();
    intent.putExtra(AccountManager.KEY_ACCOUNT_NAME, mUsername);
    intent.putExtra(AccountManager.KEY_ACCOUNT_TYPE, Constants.ACCOUNT_TYPE);
    setAccountAuthenticatorResult(intent.getExtras());
    setResult(RESULT_OK, intent);
    finish();
}
Binoy Babu
  • Maybe they forgot to update the comment? What is your actual problem? – Nikolay Elenkov Dec 03 '12 at 01:57
  • @NikolayElenkov I'm just wondering why `authToken` is not used at all. Maybe I should have asked in codereview. – Binoy Babu Dec 03 '12 at 02:27
  • You could probably file a bug on http://b.android.com. Looking at the server code, it looks like it cannot handle a token instead of a password, so the comment seems wrong. In any case, if you can authenticate successfully with the server, you can add a local account using the method shown, so the code itself is correct. – Nikolay Elenkov Dec 03 '12 at 03:52
  • I suspect they intended the code to be `mAccountManager.addAccountExplicitly(account, authToken, null);` but forgot to update the code according to the comment. – Binoy Babu Dec 03 '12 at 03:55
  • As I said above, that wouldn't work because the server will return an authentication error if you sent the token as a password. – Nikolay Elenkov Dec 03 '12 at 03:57
  • So what if we just don't want to save the password locally, and want to save the auth token in the account? – Binoy Babu Dec 03 '12 at 04:01
  • Your server needs to know how to handle this. That's how Google accounts work on newer devices -- your Google password is not saved on the device. (Older Android versions save it in encrypted form.) – Nikolay Elenkov Dec 03 '12 at 04:05
  • So it's okay to use `mAccountManager.addAccountExplicitly(account, authToken, null);` as long as the server can handle it? – Binoy Babu Dec 03 '12 at 04:07
  • Right. It all depends on your authentication protocol design. – Nikolay Elenkov Dec 03 '12 at 04:12

1 Answer


Agreed, this is confusing, especially since SampleSyncAdapter represents some of the only documentation around these classes. That said, I think the comment is the mistake here, since both the AbstractAccountAuthenticator and the service rely on the password. I have filed a bug for clarification:

http://code.google.com/p/android/issues/detail?id=40878&thanks=40878&ts=1354582803
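The thread's conclusion is that the code matches the sample's server and the Javadoc comment does not. The design the comment describes, keeping only the server-issued token on the device, is still the one worth building when the server supports it: whatever string is handed to addAccountExplicitly() is kept by AccountManager for the account's lifetime and is readable by any process running as system or root, and a token can be revoked on the server while a password cannot be un-leaked. What follows is an added example, not code from SampleSyncAdapter or from either poster, showing the authenticator side when the token is the stored credential. It assumes a server that issues a token at login and accepts that token on later requests (the thread notes the sample's server does not); Constants.ACCOUNT_TYPE is from the page, while Constants.AUTHTOKEN_TYPE and the AuthenticatorActivity login screen are assumed names.

```java
// Added example, not code from the SampleSyncAdapter project. Assumes the server
// accepts the token it issued on later requests; Constants.ACCOUNT_TYPE is from the
// page, Constants.AUTHTOKEN_TYPE and AuthenticatorActivity are assumed names.
import android.accounts.Account;
import android.accounts.AccountAuthenticatorResponse;
import android.accounts.AccountManager;
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;
import android.text.TextUtils;

public final class TokenStore {
    private TokenStore() {}

    /**
     * What finishLogin() does if the comment is taken literally: keep the
     * server-issued token in the account's "password" slot and let the typed
     * password go out of scope. The stored value is readable by system/root, so
     * a revocable token belongs there; the real password does not.
     */
    public static Account storeToken(AccountManager am, String username, String authToken,
                                     boolean newAccount) {
        final Account account = new Account(username, Constants.ACCOUNT_TYPE);
        if (newAccount) {
            am.addAccountExplicitly(account, authToken, null);
        } else {
            am.setPassword(account, authToken);
        }
        return account;
    }

    /**
     * Body for AbstractAccountAuthenticator.getAuthToken(): return the stored
     * token or, when there is none, an Intent that sends the caller to the
     * login screen so a fresh token can be obtained from the server.
     */
    public static Bundle getAuthTokenResult(Context context, AccountAuthenticatorResponse response,
                                            Account account, String authTokenType) {
        final Bundle result = new Bundle();
        if (!Constants.AUTHTOKEN_TYPE.equals(authTokenType)) {
            result.putString(AccountManager.KEY_ERROR_MESSAGE, "invalid authTokenType");
            return result;
        }
        final String token = AccountManager.get(context).getPassword(account);
        if (!TextUtils.isEmpty(token)) {
            result.putString(AccountManager.KEY_ACCOUNT_NAME, account.name);
            result.putString(AccountManager.KEY_ACCOUNT_TYPE, account.type);
            result.putString(AccountManager.KEY_AUTHTOKEN, token);
            return result;
        }
        // Nothing stored (first login, or cleared after a rejection): we hold no
        // password to re-authenticate with, so the user has to log in again.
        final Intent intent = new Intent(context, AuthenticatorActivity.class);
        intent.putExtra(AccountManager.KEY_ACCOUNT_AUTHENTICATOR_RESPONSE, response);
        intent.putExtra(AccountManager.KEY_ACCOUNT_NAME, account.name);
        result.putParcelable(AccountManager.KEY_INTENT, intent);
        return result;
    }

    /**
     * Sync adapter side: the server rejected the stored token (expired or
     * revoked). Clear it so the next getAuthToken() prompts for login instead
     * of retrying a dead credential. A stored password has no equivalent step.
     */
    public static void dropRejectedToken(AccountManager am, Account account, String token) {
        am.invalidateAuthToken(account.type, token);
        am.setPassword(account, null);
    }
}
```

The authenticator's getAuthToken() override delegates to getAuthTokenResult(), and the sync adapter calls dropRejectedToken() on an authentication failure before asking for a token again. None of this works against a server that, like the sample's, only checks a password on each request; the storage change and the protocol change have to be made together.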