Android App — Attestation Server Flow

Introduction

This diagram shows the successful authorization flow for a native Android app through an Attestation Server using the Authorization Code Grant defined in OAuth 2.0.

In this flow, the Android App never directly stores or uses the Access Token. The Attestation Server acts as a trusted intermediary responsible for:

  • Device trust evaluation
  • Secure token handling
  • API communication
  • Session management

Flow Summary

Grant Type: Authorization Code
User Authentication: Required
Browser Redirects: Yes
Refresh Tokens: Optional

Typical Use Cases

  • Native applications requiring User authentication
  • Applications requiring device trust evaluation for sensitive operations

You can find the Quick Start guide for Android App — Attestation Server in the Mekarge A3 documentation.

Flow

Explanations

  1. The User opens the Android App.
  2. The Android App detects that the device is not registered and initiates registration with the Attestation Server.

    💡 Hints

    At this point, the flow diagram does not include additional signalling between the App and other parties such as Google APIs to collect evidence regarding the authenticity of the application and/or device.

    In the Quick Start guide for "Android App — Attestation Server", additional signalling is implemented at this point.

  3. The Attestation Server returns a login URL.
  4. The Android App launches the system browser using an Android Intent.
  5. The browser navigates to the login URL.
  6. The Attestation Server responds with HTTP 302 to start the authorization flow.
  7. The browser is redirected to the Authorization Endpoint in Mekarge A3.
  8. Mekarge A3 returns an authentication page containing a login form.
  9. The browser submits the authentication form to Mekarge A3.
  10. Mekarge A3 validates the User credentials and responds with HTTP 302.
  11. The browser is redirected to the Redirect URI in the Attestation Server with the Authorization Code.
  12. The Attestation Server calls the Token Endpoint in Mekarge A3 with the Authorization Code.
  13. Mekarge A3 validates the Authorization Code and returns an Access Token.
  14. The Attestation Server redirects the browser back to the Android App via a deep link (this is the response to the browser request in step 11).
  15. The browser redirects back to the Android App using the deep link.
  16. The Android App calls the Attestation Server to start a new session.
  17. The Attestation Server returns a session identifier bound to the Access Token.
  18. The Android App calls the Attestation Server to fetch a protected resource.
  19. The Attestation Server calls the API Resource using the Access Token.
  20. The Resource Server validates the Access Token and returns the API response.
  21. The Attestation Server returns the protected resource to the Android App.

Notes

Security

  • Collect all possible evidence regarding the device and the App during the Device Registration phase.
  • Verify the evidence in the Attestation Server using services such as the Google Play Integrity API; never rely on a verdict the App reports about itself.
  • Mekarge A3 allows only HTTPS for Redirect URIs.
  • Use HTTPS for all API endpoints.
  • Store Access Tokens and Refresh Tokens securely on the Attestation Server side; the deep link back to the Android App must never carry them.
  • Enable PKCE to follow OAuth 2.1 security best practices (see OAuth 2.1 §7.8), and validate the state parameter on the Redirect URI before redeeming the Authorization Code.
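The exchange described in the Explanations above, from Device Registration through to the proxied API call, together with the PKCE, state and token-handling points in these Security notes, as an added worked example in Python. This is not Mekarge code and not the Quick Start guide's implementation: the Mekarge A3 endpoints, the Resource Server, every URL and parameter name, and the evidence check are stand-ins constructed for this example. The Play Integrity verification is represented by a boolean check, and the single-use handoff code that replaces the token in the deep link is one assumed way of binding the session start to the registered device.

```python
import hashlib
import secrets
from base64 import urlsafe_b64encode
from urllib.parse import parse_qs, urlencode, urlparse

A3_AUTHORIZE = "https://a3.example/oauth2/authorize"  # assumed A3 Authorization Endpoint
ATTEST_LOGIN = "https://attest.example/login"         # assumed login URL
REDIRECT_URI = "https://attest.example/callback"      # HTTPS, as Mekarge A3 requires
DEEP_LINK = "https://app.example/oauth"               # assumed verified Android App Link

def pkce_challenge(verifier: str) -> str:
    # S256 transform from RFC 7636: BASE64URL(SHA256(verifier)) without padding.
    return urlsafe_b64encode(hashlib.sha256(verifier.encode()).digest()).rstrip(b"=").decode()

def query(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}

class MockA3:
    # Constructed stand-in for the Mekarge A3 Authorization and Token Endpoints.
    def __init__(self):
        self._codes = {}  # authorization code -> (redirect_uri, code_challenge)

    def authorize(self, authz_url: str) -> str:
        # The User authenticates; the 302 carries the Authorization Code to the Redirect URI.
        q = query(authz_url)
        if q["redirect_uri"] != REDIRECT_URI or q.get("code_challenge_method") != "S256":
            raise PermissionError("bad authorization request")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (q["redirect_uri"], q["code_challenge"])
        return f"{REDIRECT_URI}?{urlencode({'code': code, 'state': q['state']})}"

    def token(self, code: str, code_verifier: str, redirect_uri: str) -> dict:
        # Single-use code, bound to the Redirect URI and to the PKCE verifier.
        ruri, challenge = self._codes.pop(code, (None, None))
        if ruri != redirect_uri or challenge != pkce_challenge(code_verifier):
            raise PermissionError("invalid code")
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}

class AttestationServer:
    # The OAuth client in this flow. Access Tokens never leave this object.
    def __init__(self, a3: MockA3):
        self.a3 = a3
        self._pending = {}   # state -> (device_id, code_verifier)
        self._handoff = {}   # one-time handoff code -> (device_id, access_token)
        self._sessions = {}  # session_id -> (device_id, access_token)

    def register(self, device_id: str, evidence: dict) -> str:
        # Device Registration: a boolean check stands in for Play Integrity verification.
        if not (evidence.get("app_recognized") and evidence.get("device_integrity")):
            raise PermissionError("device not trusted")
        state = secrets.token_urlsafe(16)
        self._pending[state] = (device_id, secrets.token_urlsafe(32))  # PKCE verifier
        return f"{ATTEST_LOGIN}?{urlencode({'state': state})}"

    def login(self, login_url: str) -> str:
        # Browser hits the login URL; answer with a 302 to the Authorization Endpoint.
        state = query(login_url)["state"]
        _, verifier = self._pending[state]
        params = {"response_type": "code", "client_id": "attestation-server",
                  "redirect_uri": REDIRECT_URI, "state": state,
                  "code_challenge": pkce_challenge(verifier), "code_challenge_method": "S256"}
        return f"{A3_AUTHORIZE}?{urlencode(params)}"

    def callback(self, redirect_url: str) -> str:
        # Redirect URI: match state, redeem the code at the Token Endpoint, then send the
        # browser to the App's deep link with a one-time handoff code (the token stays here).
        q = query(redirect_url)
        if q.get("state") not in self._pending:
            raise PermissionError("unknown state")
        device_id, verifier = self._pending.pop(q["state"])
        tok = self.a3.token(q["code"], verifier, REDIRECT_URI)
        handoff = secrets.token_urlsafe(16)
        self._handoff[handoff] = (device_id, tok["access_token"])
        return f"{DEEP_LINK}?{urlencode({'handoff': handoff})}"

    def start_session(self, device_id: str, deep_link: str) -> str:
        # Session start: the handoff code is single-use and tied to the registered device.
        owner, access_token = self._handoff.pop(query(deep_link)["handoff"], (None, None))
        if owner != device_id:
            raise PermissionError("handoff rejected")
        session_id = secrets.token_urlsafe(24)
        self._sessions[session_id] = (device_id, access_token)
        return session_id

    def fetch(self, device_id: str, session_id: str, resource_server) -> dict:
        # Protected resource: the server, not the App, presents the Access Token.
        owner, access_token = self._sessions.get(session_id, (None, None))
        if owner != device_id:
            raise PermissionError("unknown session")
        return resource_server(f"Bearer {access_token}")

def resource_server(authorization: str) -> dict:
    # Stand-in Resource Server; a real one validates the token it is given.
    return {"status": 200 if authorization.startswith("Bearer ") else 401}

def run_flow(evidence: dict, device_id: str = "device-1") -> tuple:
    a3 = MockA3()
    srv = AttestationServer(a3)
    login_url = srv.register(device_id, evidence)
    redirect_url = a3.authorize(srv.login(login_url))   # browser follows both 302s
    deep_link = srv.callback(redirect_url)
    session_id = srv.start_session(device_id, deep_link)
    return srv, session_id, deep_link
```

Running `run_flow({"app_recognized": True, "device_integrity": True})` and then `srv.fetch("device-1", session_id, resource_server)` walks every hop in the list above; replaying the deep link, using the session from another device, or registering with failed evidence each raise `PermissionError`. Note what the App ends up holding: a session identifier and nothing else, which is the property the Introduction states.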

Token Usage

  • The Access Token is used by the Attestation Server when calling protected APIs on behalf of the Android App.
  • Refresh Tokens can be used to obtain new Access Tokens without requiring the user to log in again.
  • ID Tokens may contain identity information about the authenticated user.