Retrofit authentication

Authentication and OAuth in Retrofit

For a more complete and in-depth explanation, check out our complete Retrofit course

Download the starter project here

Github repository

OAuth, short for Open Authentication, is a way of authenticating your application and your user with a certain API. That API can be Facebook, GitHub, Twitter, or any other system that provides this authentication functionality.

Authentication process

Here is a structure that I put together to show how the OAuth process works and what the flow is.


There is an application that we’re building, a user, and an API which is going to provide the authentication functionality.

  1. The user triggers the authentication process.
  2. The application redirects the user to the authentication endpoint.
    This might mean the Facebook app is opened on the phone, or the user is redirected to a URL where the API authenticates them. This happens outside the context of your application; it goes to the URL of the API that
  3. The user authenticates with username and password to the API.
    Instead of username and password it can be any authentication mechanism that the API provides.
  4. The API grants permission to the app.
    Once the user is authenticated, the API grants the app the permission that the user approved.
    This can be done in multiple ways. For instance, there is a URL that is called in order to let the app know that it has been authenticated and permission granted. It can include things like which permissions have been granted if there are multiple options, it can provide an authentication code that can be used later on in the process, or whatever else the structure of the process on the API backend requires.
  5. The app calls the API to request an access token.
    This lets the API know that at this particular point in time you want to access some functionality on behalf of this user. You might need to provide here the code that was given previously, depending on how the API itself works.
  6. Finally, you can use the token provided for whatever requests are necessary and allowed.

This is the general structure. The user does not authenticate in the app itself; rather, they are sent to a third-party service that authenticates them, and that service then calls your app back.
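To make the six steps concrete, here is a small offline simulation of the exchange with both parties present: the app we are building and the API that authenticates the user. This is an added example, not code from the tutorial or from Retrofit; `ExampleApi`, `PhotoApp`, the endpoint URLs, the client secret and the user record are all constructed for illustration. It also shows three checks a practitioner would want from such a flow: the callback is tied to the login attempt by a `state` value, the code handed back in step 4 can be exchanged only once, and the user (or the API) can revoke the app's access afterwards.

```python
"""Simulation of the six-step OAuth flow above (added example, not tutorial code).
Both parties are plain Python objects so the exchange runs offline; ExampleApi,
PhotoApp, the URLs, the secret and the user record are constructed for illustration."""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse


class ExampleApi:
    """The third-party API: registered apps, one-time codes, issued tokens (steps 3-6)."""

    def __init__(self, registered_apps, users):
        self.registered_apps = registered_apps  # client_id -> (client_secret, redirect_uri)
        self.users = users                      # username -> password (constructed sample data)
        self._codes, self._tokens = {}, {}

    def authenticate_user(self, client_id, redirect_uri, scope, state, username, password):
        """Steps 3-4: the user logs in at the API; the API redirects back with a short-lived code."""
        _, registered_redirect = self.registered_apps.get(client_id, (None, None))
        if redirect_uri != registered_redirect:
            raise PermissionError("redirect_uri is not the one registered for this app")
        if self.users.get(username) != password:
            raise PermissionError("bad credentials")
        code = secrets.token_urlsafe(16)
        self._codes[code] = {"client_id": client_id, "user": username, "scope": scope,
                             "redirect_uri": redirect_uri, "expires": time.time() + 60}
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def exchange_code(self, client_id, client_secret, code, redirect_uri):
        """Step 5: the app trades the code for an access token; the code works exactly once."""
        entry = self._codes.pop(code, None)  # pop removes it, so a second exchange fails
        if entry is None or entry["expires"] < time.time():
            raise PermissionError("unknown, already used or expired code")
        expected_secret = self.registered_apps.get(client_id, (None, None))[0]
        if entry["client_id"] != client_id or expected_secret != client_secret:
            raise PermissionError("client authentication failed")
        if entry["redirect_uri"] != redirect_uri:
            raise PermissionError("redirect_uri mismatch")
        token = secrets.token_urlsafe(24)
        self._tokens[token] = {"user": entry["user"], "scope": entry["scope"], "client_id": client_id}
        return token

    def get_profile(self, authorization_header):
        """Step 6: a protected resource that accepts only a live bearer token with the right scope."""
        scheme, _, token = authorization_header.partition(" ")
        entry = self._tokens.get(token) if scheme == "Bearer" else None
        if entry is None or "profile" not in entry["scope"].split():
            raise PermissionError("invalid token or insufficient scope")
        return {"user": entry["user"]}

    def revoke_app_for_user(self, username, client_id):
        """The user removing the app from their account (or the API banning it) kills its tokens."""
        self._tokens = {t: e for t, e in self._tokens.items()
                        if not (e["user"] == username and e["client_id"] == client_id)}


class PhotoApp:
    """The app we are building: it never sees the password, only a code and then a token."""

    AUTHORIZE_URL = "https://api.example/oauth/authorize"  # assumed endpoint, constructed

    def __init__(self, api, client_id, client_secret, redirect_uri):
        self.api, self.client_id = api, client_id
        self.client_secret, self.redirect_uri = client_secret, redirect_uri
        self._pending_state = None
        self.access_token = None

    def start_login(self, scope="profile"):
        """Steps 1-2: build the redirect URL; `state` ties the later callback to this attempt."""
        self._pending_state = secrets.token_urlsafe(16)
        params = {"response_type": "code", "client_id": self.client_id, "scope": scope,
                  "redirect_uri": self.redirect_uri, "state": self._pending_state}
        return f"{self.AUTHORIZE_URL}?{urlencode(params)}"

    def handle_callback(self, callback_url):
        """Steps 4-5: verify the state value, then exchange the code for a token."""
        query = parse_qs(urlparse(callback_url).query)
        if self._pending_state is None or query.get("state", [None])[0] != self._pending_state:
            raise PermissionError("state mismatch: callback does not belong to a login we started")
        self._pending_state = None
        self.access_token = self.api.exchange_code(self.client_id, self.client_secret,
                                                   query["code"][0], self.redirect_uri)
        return self.access_token

    def fetch_profile(self):
        """Step 6: call the API on the user's behalf with the token."""
        return self.api.get_profile(f"Bearer {self.access_token}")


def run_flow():
    """Drive one complete login, then show the code is single-use and that revocation works."""
    redirect = "https://photoapp.example/callback"  # constructed
    api = ExampleApi(registered_apps={"photo-app": ("app-secret", redirect)},
                     users={"alice": "correct horse battery"})
    app = PhotoApp(api, "photo-app", "app-secret", redirect)
    q = parse_qs(urlparse(app.start_login()).query)
    # The user is now on the API's own login page, outside the app, and types the password there.
    callback = api.authenticate_user(q["client_id"][0], q["redirect_uri"][0], q["scope"][0],
                                     q["state"][0], "alice", "correct horse battery")
    app.handle_callback(callback)
    profile = app.fetch_profile()
    code = parse_qs(urlparse(callback).query)["code"][0]
    try:  # exchanging the same code a second time must be refused
        api.exchange_code("photo-app", "app-secret", code, redirect)
        code_reuse_rejected = False
    except PermissionError:
        code_reuse_rejected = True
    api.revoke_app_for_user("alice", "photo-app")
    try:  # once the user removes the app, its token stops working
        app.fetch_profile()
        revoked_rejected = False
    except PermissionError:
        revoked_rejected = True
    return {"profile": profile, "code_reuse_rejected": code_reuse_rejected,
            "revoked_rejected": revoked_rejected}


if __name__ == "__main__":
    print(run_flow())
```

Running the file prints the profile returned in step 6 together with the two rejection results. In a real Android app the `handle_callback` part is the deep-link or redirect handler, and `exchange_code` and `get_profile` are the two Retrofit calls; the point the simulation makes is that the app only ever holds the code and the token, never the password.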


You might think that this process adds a bit of complexity, both to the app and the backend API.

Let’s think about why this might be useful.

The main benefit is that it’s safer for the user. The user doesn’t have to give passwords to many third-party applications; all they need to do is authenticate with one service, for instance Facebook, which they already trust more than an unknown app. That in turn increases confidence in your application: the user no longer has to provide you with a username and password, so they know they are safe as long as that one service is safe.

The user can remove your access at any time. They can go into Facebook’s settings and remove your application from there, which increases the user’s confidence in your app, because the more control they have, the more confidence they have.

The API can remove app access at any time.

It is very useful for the API to be able to cut off apps that do not respect its rules.

Of course, for the app developer, OAuth increases the confidence that a user has in the app.

We won’t implement this functionality in code in this tutorial, as it requires a lot of work and a real-world app behind it.

If you want to see these concepts put into practice, check out the complete course, where we go step by step and implement OAuth with GitHub in a realistic application that we build from scratch.

Complete Retrofit for Android development course
