Token authentication with Volley

  1. You might want to use the AccountManager API in Android for authentication and authorization. You may follow the blog here.
  2. For OAuth 2.0 server side implementation you may read the IETF draft V2-31 here.
  3. For better understanding of OAuth 2.0 you may read the blog by Nitesh Kumar here.
  4. For Server side implementation of OAuth 2.0 you can fork Apis Autherization Server repo at Github.
  5. More implementation option can be found at the website of OAuth 2.0 here.

I used volley for an authentication system using longlive (LLT) and shortlive (SLT) tokens.

I did it manually but it really wasn't much work once you get it all laid out.

Have all secure requests subclass a baseSecureRequest that can handle this token mechanism common to all secure request in its onResponse() and onErrorResponse().

It becomes a little node.js style, where requests send other requests and await callbacks.


An app may have a dozen screens, with only half requiring auth access - so each screen should be ignorant as to the requirements of its request.

Scenario A

  • We attempt to send a secure request. We notice we don't have a SLT in memory, so make a TokenRequest.
  • TokenRequest's onResponse() saves that token to memory (let a singleton session manager hold onto it or similar omni-present class)
  • Now callback to the original concrete-class request object to continue with the newly updated token.

Scenario B

  • We send a secure request but our SLT is stale (expired)

  • The server returns an error code or msg that you can catch in the general onErrorResponse() of your baseSecureRequest.

  • In this onError(), you send a refreshTokenRequest() object that attempts to refresh the SLT in memory by requesting a new SLT from the server using the LLT.

  • the onResponse() of the refreshTokenRequest can now callback to the original request to resend.

  • however the onErrorResponse() should probably abandon the entire thing because chances are anything that isn't a connectivity error - is an error caused by invalid LLT. If you keep trying to refresh with a bad LLT you will never get out.