Hello, I have a server in PHP. I access the page from my Android application and get data in JSON format. This JSON can fall into the hands of anyone, for example if they find out the address to which the GET request is sent.

I was advised to add authorization to the application, with a token being issued.

I cannot find information on this topic. Where should I begin?

Please send me a couple of articles, thanks.

  • Android has nothing to do with it at all. - Vladyslav Matviienko
  • @metalurgus agree - Martinez Toni
  • How do you define users within the application who can download data? - Sergiks
  • @Sergiks in the application everything is fine; the point is that they should not be able to get this JSON in its raw form (as the server gives it out) - Martinez Toni
  • Do users log in somehow, or are all who downloaded it in the same state? - Sergiks

1 answer

It's not difficult.

1) Each application has a GUID.

2) You do authorization in your application (for example, by email + password) and record the authorization for this application (GUID) in the database, generating a random token (any key, usually a string), for example an md5 of email + time().

3) When accessing the closed parts of your API, you pass the GUID + token, and your application checks whether a token for this GUID exists (and is not closed, because you can set its lifetime, or close the user's session from the application on logout); if so, it issues a response, and if closed, it sends the user to authorization.

This is a very general mechanism, just to explain how the scheme works. In practice, some people complicate it, some change something, some leave it as is. For example, instead of writing your own authorization, you can adapt OAuth. Although writing it yourself is not particularly difficult ;)
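The three steps of the answer above, worked through as an added PHP example (this is not the answerer's code or the asker's server). It assumes SQLite through PDO (the pdo_sqlite extension) as the store, a hypothetical `users` table with one constructed account, a constructed GUID, and two substitutions for the sketch in step 2: the token comes from `random_bytes()` rather than an md5 of email + time(), so it cannot be reconstructed from things an attacker can guess, and only a SHA-256 hash of the token is kept in the database.

```php
<?php
// Added example, not code from the original answer.
// Assumes: PDO with pdo_sqlite; hypothetical users/tokens tables; constructed sample data.
declare(strict_types=1);

const TOKEN_LIFETIME = 3600; // seconds a token stays valid (the "lifetime" from step 3)

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (email TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$db->exec('CREATE TABLE tokens (guid TEXT PRIMARY KEY, email TEXT NOT NULL,
           token_hash TEXT NOT NULL, expires_at INTEGER NOT NULL)');

// Constructed sample user (hypothetical credentials).
$db->prepare('INSERT INTO users (email, password_hash) VALUES (?, ?)')
   ->execute(['alice@example.com', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Step 2: check email + password, then bind a fresh random token to this app instance's GUID.
function login(PDO $db, string $guid, string $email, string $password): ?string
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null; // wrong credentials: no token is issued
    }
    $token = bin2hex(random_bytes(32)); // 256 random bits, unlike md5(email + time())
    // Store only a hash: a leaked tokens table then contains nothing directly usable.
    $db->prepare('INSERT OR REPLACE INTO tokens (guid, email, token_hash, expires_at)
                  VALUES (?, ?, ?, ?)')
       ->execute([$guid, $email, hash('sha256', $token), time() + TOKEN_LIFETIME]);
    return $token; // the app keeps this and sends guid + token with every protected request
}

// Step 3: does this GUID have a live token, and does it match the one presented?
function authenticate(PDO $db, string $guid, string $token): ?string
{
    $stmt = $db->prepare('SELECT email, token_hash, expires_at FROM tokens WHERE guid = ?');
    $stmt->execute([$guid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires_at'] < time()) {
        return null; // unknown GUID or expired token: send the client to authorization
    }
    if (!hash_equals($row['token_hash'], hash('sha256', $token))) {
        return null; // wrong token for this GUID (constant-time comparison)
    }
    return $row['email'];
}

// Logout closes the token early, regardless of its remaining lifetime.
function logout(PDO $db, string $guid): void
{
    $db->prepare('DELETE FROM tokens WHERE guid = ?')->execute([$guid]);
}

// The "closed" part of the API: only a request carrying a valid guid + token gets the JSON.
function protectedData(PDO $db, array $params): array
{
    $email = authenticate($db, $params['guid'] ?? '', $params['token'] ?? '');
    if ($email === null) {
        return ['status' => 401, 'body' => json_encode(['error' => 'authorization required'])];
    }
    return ['status' => 200, 'body' => json_encode(['owner' => $email, 'items' => [1, 2, 3]])];
}

// Walk through the flow with constructed values; check() replaces assert(),
// which is a no-op under some php.ini settings.
function check(bool $ok, string $what): void
{
    if (!$ok) { throw new RuntimeException("failed: $what"); }
}

$guid = 'hypothetical-app-guid-0001';
check(login($db, $guid, 'alice@example.com', 'wrong') === null, 'bad password refused');
check(protectedData($db, ['guid' => $guid])['status'] === 401, 'no token -> 401');
$token = login($db, $guid, 'alice@example.com', 'correct horse');
check(protectedData($db, ['guid' => $guid, 'token' => $token])['status'] === 200, 'valid token -> 200');
check(authenticate($db, $guid, str_repeat('0', 64)) === null, 'wrong token refused');
logout($db, $guid);
check(authenticate($db, $guid, $token) === null, 'token closed on logout');
echo "token flow ok\n";
```

Run it with `php example.php`. The Android app would call `login` once over HTTPS and then append `guid` and `token` to each request for the closed endpoints; if the transport is plain HTTP, the guid + token pair is as readable on the wire as the JSON was, so the scheme only gates the data when TLS is in place.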