Ever heard about Refresh Token? Refresh token can get you a new access token, without prompting the user to login again. In this post we will learn how you can use Retrofit Authenticator to Refresh Token. And refreshing token means getting a new access token with the help of refresh token.
Table of Contents
Building Backend API
Now, to follow this post you should know about Access Token and Refresh Token, and you should have an API to provide these. If you do not have the API, then first you may want to learn about the API Development.
You can follow this step by step tutorial to learn building a RESTful API with OAuth2 Authentication. I am using laravel framework here to build the API.
So I hope you already have an API to login the user (If you don’t have, you can get the source code from above tutorial). And your API is giving the following response when the user logs in.
As you can see upon successful login, the api is returning access_token and refresh_token.
What are Access and Refresh Tokens?
Now, let’s understand the tokens. When a user successfully authenticates in our backend, we provide him two tokens. Access Token, and Refresh Token.
Access Token is mandatory for every other request that requires authentication and with Access Token we identifies the authenticated user in backend. If access token is expired then we may use the refresh token to generate the access token again without prompting the user to login again.
To generate a new access token using refresh token, we have another api end point, in my case it is /refresh-token and we will pass the refresh token to this api and it will return us the new access_token.
Now let’s understand how we can use it in our Android Project.
But before moving I hope you know the basics about Retrofit and Hitting APIs from android side.
Retrofit Authenticator Refresh Token
I hope you already have Retrofit and networking setup in your project. After this the first thing that we have to do is, we need to create an interface to define our refresh-token api call.
|
1 2 3 4 5 6 7 8 9 |
interface TokenRefreshApi : BaseApi { @FormUrlEncoded @POST("auth/refresh-token") suspend fun refreshAccessToken( @Field("refresh_token") refreshToken: String? ): TokenResponse } |
This api call will give us the new access_token and refresh_token .
|
1 2 3 4 5 6 |
data class TokenResponse( val access_token: String?, val refresh_token: String? ) |
Creating an Authenticator
Now we need to build an Authenticator .
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 |
class TokenAuthenticator( context: Context, private val tokenApi: TokenRefreshApi ) : Authenticator, BaseRepository(tokenApi) { private val appContext = context.applicationContext private val userPreferences = UserPreferences(appContext) override fun authenticate(route: Route?, response: Response): Request? { return runBlocking { when (val tokenResponse = getUpdatedToken()) { is Resource.Success -> { userPreferences.saveAccessTokens( tokenResponse.value.access_token!!, tokenResponse.value.refresh_token!! ) response.request.newBuilder() .header("Authorization", "Bearer ${tokenResponse.value.access_token}") .build() } else -> null } } } private suspend fun getUpdatedToken(): Resource<TokenResponse> { val refreshToken = userPreferences.refreshToken.first() return safeApiCall { tokenApi.refreshAccessToken(refreshToken) } } } |
Here you can see we have a function called authenticate() , this function will be called everytime your api will return a 401 error; that means unauthenticated .
Inside this function we are calling the function getUpdatedToken() . This function will either get the new tokens successfully, or we may get an error. In case we get the token successfully, we will update the tokens in our local storage. And we will also build a new request, with the updated access_token . In case we get error, we will return null so that our api will not just keep trying to refresh the token.
Now we will use this Authenticator, to our Retrofit Client.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 |
class RemoteDataSource { //My Base URL companion object { private const val BASE_URL = "http://simplifiedcoding.tech/mywebapp/public/api/" } /* * This function will build the API * inside this function we are creating our TokenAuthenticator instance * */ fun <Api> buildApi( api: Class<Api>, context: Context ): Api { val authenticator = TokenAuthenticator(context, buildTokenApi()) return Retrofit.Builder() .baseUrl(BASE_URL) .client(getRetrofitClient(authenticator)) .addConverterFactory(GsonConverterFactory.create()) .build() .create(api) } /* * This function will build the TokenRefreshApi * I have a separate interface that contains only the * TokenRefresh endpoint and this function will build that api * */ private fun buildTokenApi(): TokenRefreshApi { return Retrofit.Builder() .baseUrl(BASE_URL) .client(getRetrofitClient()) .addConverterFactory(GsonConverterFactory.create()) .build() .create(TokenRefreshApi::class.java) } /* * This function will build our OkHttpClient * As we need it to intercept the request and add * required parameters * Also to add TokenAuthenticator, that will get the refresh token * we need this OkHttp Client * As you can see we are passing an Authenticator to the function * */ private fun getRetrofitClient(authenticator: Authenticator? = null): OkHttpClient { return OkHttpClient.Builder() .addInterceptor { chain -> chain.proceed(chain.request().newBuilder().also { it.addHeader("Accept", "application/json") }.build()) }.also { client -> authenticator?.let { client.authenticator(it) } if (BuildConfig.DEBUG) { val logging = HttpLoggingInterceptor() logging.setLevel(HttpLoggingInterceptor.Level.BODY) client.addInterceptor(logging) } }.build() } } |
And that’s it. Now everytime you will get a 401 error, authenticator will try to refresh the token. If refresh succeeded, your user will not be logged out, and if it failed user will be logged out.
Get Full Source Code
Do you need the complete source code of this project? Of course you can get it.
So that is all for this post friends, and if you learned something from this post, please share it with your friends. Thank You 🙂
