Huawei Account Kit Explanation and Terminology

Barıs Can Kurtulmus
Published in Huawei Developers · 7 min read · Jul 3, 2020

A salute to the reader who has no objection to clarifying fundamental concepts while taking their first steps into Huawei Mobile Services development.

This article can be seen as preparation for my next guide, which will focus only on technical details. It covers Huawei Account Kit's features, conceptual mechanism, terms and explanations.

Let's start with a definition.

Account Kit is mainly used to provide quick, simple and secure login functionality to third-party smartphone applications.

If you examine Account Kit's official Huawei resources on the internet, they also emphasize simplicity, speed and security. The following observation helps to understand where this speed and simplicity come from:

You have probably noticed that Huawei AppGallery and the Google Play Store include millions of mobile applications with different functions. You probably also know that you need to go through registration and approval steps, and that you reluctantly maintain a separate email and password pair for each application (if you are a little cautious about security). This gradually costs valuable time on registration and approval steps and produces a proliferation of email and password combinations. To prevent such time and complexity issues, there is a Huawei Mobile Services unit that uses only one (unique) HUAWEI ID, created on first use of the phone, and provides a quick experience by reducing the number of steps in the whole login process. In that manner, you can guarantee simplicity and speed if you integrate this unit, known as Huawei Account Kit, with your application.

  • One-click login (HUAWEI ID owners sign in to apps without manual login or verification)
One Kit to login all,one kit to find simplicity,one kit to bring them all and in Huawei App Gallery bind them

Why should developers prefer Huawei Account Kit, apart from the advantages above?

  1. Support for a wide variety of device types: Device support for this kit is not limited to smartphones. It is also compatible with applications for tablets, wearables such as smart watches, smart screens and car head units, which serve a large user base. You can easily access applications on those devices with your HUAWEI ID.
  2. International scope: It helps you become part of a global mobile application network through AppGallery, available in 190+ countries/regions.
  3. Security: Account security support is provided in compliance with global and local security standards. Account authorization can be defined as password based or device based.

Other functionalities:

  • SMS verification: Enables your app to read verification codes from SMS messages automatically without applying for the SMS read permission.
  • QR code login: Lets users log in from their tablets, PCs, head units, phones and other devices using a QR code.

Let's look at the difference between authentication and authorization before going into the security standards:

Authentication: Confirming to the application that you are who you claim to be.

Authorization: Deciding whether you have the right to access a resource or not.

  • Complies with the OAuth 2.0 (the authorization concepts Huawei uses, such as Authorization Code and Access Token, originate from this standard) and OpenID Connect (authorization + authentication) security standards.
Reliable application sign-in with Huawei Account Kit based on the OAuth 2.0 and OpenID Connect standards
  • It covers the methods and techniques that embody these standards:

— Authorization Code support

— ID Token support

— Basic user information and email address can be obtained

— Authorization App Management

— Authorization Cancellation

Having clear information on the technical terms and explanations used in Huawei Account Kit's application development process, along with the details above, will make it much easier to learn exactly what the functions we add to our application do. Let's examine the following terms:

Authorization Code: A one-time-use code consisting of a unique string; together with the app secret it authorizes the application against the OAuth server.

Application secret: The key that helps the HMS platform (Core) recognize the application's requests and responses and distinguish them from those of other applications.

  • For security, only the app owner should know it, and it must not be shared with anyone else.
  • It is also known as the secret key in the public key encryption technique.
  • It is used to make sure that the application comes from its owner, who knows the secret key (not from a hacker or another source).

Access Token: Token used to access user resources at any time.

ID Token: Identity information including the signature of the previously logged-in user for verification. ID Token is in JWT (JSON Web Token) format.

JWT: JSON-based standard that ensures the security of each client request made through authorization.

iss (issuer): JWT parameter (claim) containing the internet address of the party that issued the key information (e.g. https://accounts.huawei.com)

aud (audience): JWT parameter (claim) holding our application ID (e.g. 300035233)

exp (expiration time): JWT parameter (claim) specifying the expiration time of our key (e.g. 1563823909)

iat (issued at): JWT parameter (claim) specifying the time our key was first issued (e.g. 1563820309)

Validity period calculation:

1563823909 − 1563820309 = 3600 sec; 3600 sec / 60 sec = 60 min

kid (key ID): JWT parameter (header field) used to distinguish the keys that were created.

JWK (JSON Web Key): The name given to the public key, used with the RS256 signing algorithm, that verifies JSON Web Tokens issued by the authorization server (OAuth).

Refresh Token: Token used to get the new access token when the old one expires.

APK (Android Package): The package file format used by Android for distributing and installing mobile applications and games on Android-based operating systems.

HMS Core: An Android package prepared by Huawei that provides rich device and cloud computing capabilities, facilitates efficient application development, and extends fast growth and monetization options. Some of the kits execute their requests through HMS Core.

Once we are familiar with these concepts, we can examine, in the last part, the flow of the two processes by which Account Kit operates.

Account Kit offers two login methods:

1. Login with authorization code

1.1 The application transmits the user's authorization request to the HMS Core APK.

1.2 After the authorization request is received, the authorization permission page is displayed to the user. The user approves it.

1.3 The request is then directed to the Huawei OAuth server and the Authorization Code is returned to the application client.

Authorization Code example

1.4 The application client sends the returned Authorization Code to the application server.

1.5 The application server uses this code and the application secret to obtain the Access Token and Refresh Token from the Huawei OAuth server.

Acquired Access Token and Refresh Token example

1.6 Using the obtained Access Token, the user profile is requested from the Huawei OAuth server to complete the user login process.

Note:

Access Token validity period: 1 hour

Refresh Token validity period: 6 months

The relevant flow diagram can be accessed from the link below:

2. Login with ID Token

2.1, 2.2, 2.3 The process progresses the same way for the ID Token until the point where the Authorization Code would be obtained. In the ID Token login method, an ID Token is acquired and returned to the application client from the Huawei OAuth server instead of an authorization code.

ID Token example

2.4 The authorization message is transmitted from the application client to the application server together with the Access Token and the basic user information.

Access Token example in Huawei Codelab

2.5 Two different methods may be used for ID Token verification.

2.5.1 If the first, local verification method is preferred, the user login steps can be completed by verifying the validity of the ID Token on the application server through its signature. This verification process matches the kid parameter in the JWK set of the OAuth server with the kid parameter in the header of the ID Token (in JWT format) obtained from the HMS Core APK, verifies the signature, and checks whether the iss, aud and exp parameters are correct.

2.5.2 In the second option, the verification API on the HUAWEI Account Kit server is called with our ID Token.

Warning: The second option is intended for debugging. This verification method may slow down the application for users with weak network connections, since it requires an API call to the Huawei Account server. An application that will be presented to end users must apply the first, local verification method in the ID Token flow.

Verification response with user details returned by the HUAWEI Account Kit server for a request containing the ID Token

Note: It is not compulsory to send user information to the Huawei OAuth server in the ID Token method.

The related flow diagram can be reached from the link below:

If you think the ID Token flow requires fewer steps (5 instead of the 6 steps of the Authorization Code flow) to complete login, you should also know that, since there is no way to acquire a refresh token from the OAuth server in ID Token mode, all steps must be repeated to acquire a new access token when it expires after 1 hour. The Authorization Code mode, by contrast, is only one step away from regaining access to the application with the Refresh Token.

Comparing the two methods, Huawei recommends the Authorization Code.

  • One reason is that Authorization Code mode provides faster and more convenient re-access, in a single short step, each time the Access Token loses its validity.

Note: If your application does not have an application server, the ID Token method is preferable because it does not require one.

Huawei Account Kit Explanation Video
