Android OAuth Client Library (android-oauth-client)

Feature Image


The android-oauth-client library helps you to easily add an OAuth flow to your existing Android application. It automatically shows a customizable Android dialog with WebView to guide the user to eventually grant you an access token.

To help you manage access tokens, the library also includes an out-of-the-box credential store which stores tokens in SharedPreferences.

This client library is an Android extension to the Google OAuth Client Library for Java.


Note on OAuth flows: In general you should prefer OAuth 2.0 Implicit Authorization over OAuth 2.0 Explicit Authorization because implicit authorization does not require the client secret to be stored in the client.


Regardless of which OAuth flow you intend to incorporate into your Android application, the android-oauth-client library can be used in 2 simple steps:

  1. Obtain an instance of OAuthManager by supplying the following 2 parameters:
    • An AuthorizationFlow instance which automatically handles the OAuth flow logic,
    • An AuthorizationUIController which manages the UI.
  2. Call one of the 3 possible authorize methods on OAuthManager. The call may be called from any thread either synchronously or asynchronously with an OAuthCallback<Credential>.
    • OAuthManager.authorize10a()
    • OAuthManager.authorizeExplicitly()
    • OAuthManager.authorizeImplicitly()

We will go into more detail about each of the steps.

Obtaining an OAuthManager instance

OAuthManager can be obtained by direct instantiation:

OAuthManager oauth = new OAuthManager(flow, controller);

Obtaining an access token via the OAuthManager

To start the OAuth flow and obtain an access token, call one of the authorize() methods according to the authorization flow of your choice.

You may invoke the authorize() method synchronously:

Credential credential = oauth.authorizeImplicitly("userId", null, null).getResult();
// continue to make API queries with credential.getAccessToken()

You may also invoke the authorize() method asynchronously with an OAuthCallback, executed on a android.os.Handler of your choice.

OAuthCallback<Credential> callback = new OAuthCallback<Credential>() {
    @Override public void run(OAuthFuture<Credential> future) {
        Credential credential = future.getResult();
        // make API queries with credential.getAccessToken()
oauth.authorizeImplicitly("userId", callback, handler);

Note that if a Handler is not supplied, the callback will be invoked on the main thread.


Use the provided SharedPreferencesCredentialStore, which automatically serializes access tokens to and from SharedPreferences in JSON format.

SharedPreferencesCredentialStore credentialStore =
    new SharedPreferencesCredentialStore(context,
        "preferenceFileName", new JacksonFactory());


An AuthorizationFlow instance may be obtained via its Builder:

AuthorizationFlow.Builder builder = new AuthorizationFlow.Builder(
    new JacksonFactory(),
    new GenericUrl(""),
    new ClientParametersAuthentication("CLIENT_ID", "CLIENT_SECRET"),
AuthorizationFlow flow =;

For OAuth 2.0 flows, you may wish to add OAuth scopes:

builder.setScopes(Arrays.asList("scope1", "scope2"));

For the OAuth 1.0a flow, you need to set the temporary token request URL:


Note that CLIENT_SECRET may be omitted and be replaced with a null value for the OAuth 2.0 Implicit Authorization flow.

Also, CLIENT_ID and CLIENT_SECRET are called CONSUMER_KEY and CONSUMER_SECRET in the OAuth 1.0a flow.


Use the provided DialogFragmentController, which automatically handles most of the UI for you via an Android dialog. The DialogFragmentController has two constructors, one taking and the other taking as the sole input parameter. Depending on how you instantiate the controller, either or will be used.

AuthorizationUIController controller =
    new DialogFragmentController(getFragmentManager()) {

        public String getRedirectUri() throws IOException {
            return "http://localhost/Callback";

        public boolean isJavascriptEnabledForWebView() {
            return true;



On Android it is typical to use Proguard to obfuscate and shrink code in order to reduce application size and improve security. If you are using Proguard, make sure you include the following configurations:

# Needed to keep generic types and @Key annotations accessed via reflection
-keepattributes Signature,RuntimeVisibleAnnotations,AnnotationDefault

-keepclasseswithmembers class * { <fields>;

-keepclasseswithmembers class * { <fields>;

-keepnames class

# Needed by google-http-client-android when linking against an older platform version

# Needed by google-api-client-android when linking against an older platform version

# Do not obfuscate but allow shrinking of android-oauth-client
-keepnames class** { *; }


A sample application is provided to showcase how you might use the library in a real-life Android application. In addition to default usage, the sample application also has examples for customizing the Dialog UI as well as OAuth integrations for popular social network services such as Flickr, LinkedIn, Twitter, etc.


Android OAuth Client is available for download from the Maven Central repository. You may also include it as a dependency by including the following coordinates:


or using Gradle

dependencies {
   compile 'com.wu-man:android-oauth-client:0.4.5'

As of v0.0.3, an Android library AAR format is available as well. The artifact coordinates are:



You should use the included Gradle wrapper to build the project with the following command:

./gradlew clean build

The resulting jar file is located at library/build/libs/library.jar and the aar file is located at library/build/libs/library.aar.


If you would like to contribute code to android-oauth-client you can do so through GitHub by forking the repository and sending a pull request.

In general if you are contributing we ask you to follow the AOSP coding style guidelines. If you are using an IDE such as Eclipse, it is easiest to use the AOSP style formatters.

You may file an issue if you find bugs or would like to add a new feature.

We do not have a mailing list. All questions should be asked and will be answered on StackOverflow using the android-oauth-client tag.



Copyright 2013 David Wu
Copyright (C) 2010 Google Inc.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
See the License for the specific language governing permissions and
limitations under the License.

Bitdeli Badge