Logging in and Using an Access Token
When a registered user is authenticated, Kii Cloud issues an access token. An access token is also issued for a pseudo user when the pseudo user is created.
An access token is always sent to Kii Cloud when an API is called while a user is logged in. As a result, Kii Cloud can identify the API caller.
Your mobile app accesses Kii Cloud via the Kii Cloud SDK. Requests are sent from the SDK to Kii Cloud according to the API specification published as REST APIs.
When a user logs in with their username and password, Kii Cloud issues an access token that allows operations permitted for the user.
The issued access token is included in the HTTPS request header of the subsequent REST API requests. This identifies the requester and allows the operations permitted for that user.
The figure above (not reproduced in this text) illustrates a process flow where a user logs in and calls two APIs:
- The user logs in with the user ID bbbb and receives the access token 9nM5Nzu-NXLl in the response. An actual token is longer than this sample token.
- When a function is executed with the privilege of the user aaaa, an API is called with the access token.
- The other function is executed in the same way.
The Kii Cloud SDK handles the access token transparently. The SDK identifies the logged-in user as the current user.
All the functions supported by the Kii Cloud SDK are published as REST APIs. In general, almost all of the functions are available via the Kii Cloud SDK, but you can also get an access token and call the REST APIs directly.
In order to keep a user logged in on a mobile app, the Kii Cloud SDK provides the following two methods to save an access token.
- The login state can be restored by reusing an access token that was obtained from the Kii Cloud SDK at the previous login.
- User information including an access token is automatically saved to the shared preferences or the keychain when the Kii Cloud SDK executes a function such as login. The login state can be restored when a mobile app is restarted by using the saved user information.
In connection with the login processing, the following security features are available.
- The expiration time of an access token can be configured with an API or in the developer portal. The administrator can also forcibly disable an access token by disabling a user in the developer portal.
- The user can update and reset their password with an API. The administrator can reset the user's password in the developer portal.
- Kii Cloud supports the refresh token of OAuth 2.0. An access token can be regularly refreshed.
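The token flow described on this page (a token issued at login, the token carried in the request header of every later call, the SDK-style save and restore of the login state, token expiry, the administrator disabling a user, and OAuth 2.0-style refresh tokens) as one added, self-contained example. This is not Kii Cloud SDK or REST API code: the in-process server class, the token store, the header format and the constructed user password are stand-ins for the real endpoints, chosen to show the checks a server must make on every call.

```python
import hashlib
import json
import os
import secrets
import tempfile


class AuthError(Exception):
    """Raised by the stand-in server when a request carries no usable token."""


class FakeClock:
    """Constructed clock so tokens can be aged without sleeping."""
    def __init__(self, now=1_000_000.0):
        self.now = now

    def advance(self, seconds):
        self.now += seconds


class FakeAuthServer:
    """Constructed stand-in for the server side of the flow (not Kii Cloud).
    Models: token issued at login, token checked on every API call, token
    expiry, the administrator disabling a user, and single-use refresh tokens."""

    def __init__(self, clock, token_ttl=3600):
        self.clock, self.token_ttl = clock, token_ttl
        self.users = {}           # user_id -> {"salt", "hash", "enabled"}
        self.access_tokens = {}   # access token -> (user_id, expires_at)
        self.refresh_tokens = {}  # refresh token -> user_id

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def register(self, user_id, password):
        salt = secrets.token_bytes(16)
        self.users[user_id] = {"salt": salt, "hash": self._hash(password, salt), "enabled": True}

    def _issue(self, user_id):
        # Opaque random tokens; only the server knows which user and expiry they map to.
        access, refresh = secrets.token_urlsafe(24), secrets.token_urlsafe(32)
        self.access_tokens[access] = (user_id, self.clock.now + self.token_ttl)
        self.refresh_tokens[refresh] = user_id
        return {"access_token": access, "refresh_token": refresh, "expires_in": self.token_ttl}

    def login(self, user_id, password):
        user = self.users.get(user_id)
        if user is None or not secrets.compare_digest(user["hash"], self._hash(password, user["salt"])):
            raise AuthError("bad credentials")
        return self._issue(user_id)

    def refresh(self, refresh_token):
        # A presented refresh token is consumed whether or not the exchange succeeds.
        user_id = self.refresh_tokens.pop(refresh_token, None)
        if user_id is None or not self.users[user_id]["enabled"]:
            raise AuthError("invalid refresh token")
        return self._issue(user_id)

    def disable_user(self, user_id):
        # Administrator action: every token of the user stops working immediately.
        self.users[user_id]["enabled"] = False

    def identify_caller(self, headers):
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme != "Bearer" or not token:
            raise AuthError("missing bearer token")
        rec = self.access_tokens.get(token)
        if rec is None or rec[1] <= self.clock.now:
            raise AuthError("unknown or expired token")
        if not self.users[rec[0]]["enabled"]:
            raise AuthError("user disabled")
        return rec[0]

    def call_api(self, headers, action):
        """Every API call is attributed to the owner of the presented token."""
        return f"{self.identify_caller(headers)}:{action}"


class TokenStore:
    """Client-side stand-in for shared preferences / the keychain: keeps the
    tokens on disk so the login state survives an app restart."""
    def __init__(self, path):
        self.path = path

    def save(self, user_id, tokens):
        with open(self.path, "w") as f:
            json.dump({"user_id": user_id, **tokens}, f)

    def restore(self):
        with open(self.path) as f:
            return json.load(f)


def bearer_headers(access_token):
    return {"Authorization": f"Bearer {access_token}"}


def run_flow():
    """Walk through the whole flow and report what each step produced."""
    clock, results = FakeClock(), {}
    server = FakeAuthServer(clock, token_ttl=3600)
    server.register("bbbb", "correct-horse-battery")            # constructed password
    store = TokenStore(os.path.join(tempfile.mkdtemp(), "session.json"))
    tokens = server.login("bbbb", "correct-horse-battery")
    store.save("bbbb", tokens)                                   # SDK-style auto-save
    results["first_call"] = server.call_api(bearer_headers(tokens["access_token"]), "readBucket")
    saved = store.restore()                                      # "app restart"
    results["after_restart"] = server.call_api(bearer_headers(saved["access_token"]), "writeObject")
    clock.advance(3601)                                          # access token now expired
    try:
        results["expired"] = server.call_api(bearer_headers(saved["access_token"]), "readBucket")
    except AuthError as e:
        results["expired"] = str(e)
    renewed = server.refresh(saved["refresh_token"])             # refresh without re-entering the password
    results["after_refresh"] = server.call_api(bearer_headers(renewed["access_token"]), "readBucket")
    server.disable_user("bbbb")                                  # developer-portal style action
    try:
        results["disabled"] = server.call_api(bearer_headers(renewed["access_token"]), "readBucket")
    except AuthError as e:
        results["disabled"] = str(e)
    return results


if __name__ == "__main__":
    for step, outcome in run_flow().items():
        print(f"{step:14} -> {outcome}")
```

The point of the stand-in is the order of checks in identify_caller: the header is parsed, the token is looked up, the expiry is compared against the server's clock, and only then is the user's enabled flag consulted, so an administrator disabling the user takes effect on the very next request even though the token itself has not expired.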