AgentSkillsCN

Android Auth Identity

Android Identity Authentication

SKILL.md

---
name: android-auth-identity
description: Authentication & identity — Credential Manager, biometrics, token management, session security.
user-invocable: true
---

Android Authentication & Identity

Cross-cutting skill — always activates alongside the project-type-specific skill.

Hard Rules

  • Use Credential Manager API for sign-in flows — replaces legacy Smart Lock and FIDO2 APIs.
  • Store tokens in EncryptedSharedPreferences or Android Keystore — never in plain SharedPreferences.
  • Implement token refresh transparently — user should not see expired-token errors.
  • Use BiometricPrompt from androidx.biometric — not deprecated FingerprintManager.
  • Require BIOMETRIC_STRONG for sensitive operations (payments, account changes).
  • Never store raw passwords on device — use credential management APIs.
  • Validate all tokens server-side — client-side validation alone is insufficient.
  • Handle account linking carefully — merge conflicts can lose user data.
  • Clear all credentials on logout — tokens, cookies, cached user data.
  • Support passkeys (WebAuthn) as the primary passwordless credential.

Core Patterns

  • Single AuthRepository abstraction over Credential Manager + token storage.
  • Refresh tokens in OkHttp Authenticator — seamless for all API calls.
  • Biometric-bound keys for sensitive operations (CryptoObject in BiometricPrompt).
  • Use ID tokens (JWT) for user identity, access tokens for API authorization.
  • Implement session timeout — re-authenticate after inactivity period.
  • Wrap auth state in StateFlow for reactive UI updates.
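An added example (not part of this skill file or its references) of the OkHttp Authenticator pattern above, in Kotlin against OkHttp 4: refresh at most once per request chain on 401, serialize concurrent refreshes so parallel calls do not burn several refresh tokens, and clear the session when the refresh is rejected. `TokenStore` is a hypothetical interface standing in for the EncryptedSharedPreferences/Keystore-backed storage the hard rules require.

```kotlin
import okhttp3.Authenticator
import okhttp3.OkHttpClient
import okhttp3.Request
import okhttp3.Response
import okhttp3.Route

// Hypothetical store; the real one is backed by EncryptedSharedPreferences or Keystore.
interface TokenStore {
    fun accessToken(): String?
    fun refreshAccessToken(): String?   // blocking network call; null when the refresh token is rejected
    fun clear()                         // wipes access + refresh tokens so the UI falls back to login
}

class TokenAuthenticator(private val store: TokenStore) : Authenticator {
    // OkHttp calls this only for 401 (and 407) responses, on a background thread.
    override fun authenticate(route: Route?, response: Response): Request? {
        // Bound the retry chain: one refresh + one retry, never an infinite 401 loop.
        if (responseCount(response) >= 2) return null
        // A 401 on a request that never carried our token is not a session problem.
        val sent = response.request.header("Authorization")
            ?.removePrefix("Bearer ") ?: return null
        synchronized(this) {
            // Another call may have refreshed while we waited for the lock; reuse its token.
            val current = store.accessToken()
            val fresh = if (current != null && current != sent) current else store.refreshAccessToken()
            if (fresh == null) {
                store.clear()            // refresh rejected: session is over, surface login
                return null
            }
            return response.request.newBuilder()
                .header("Authorization", "Bearer $fresh")
                .build()
        }
    }

    private fun responseCount(response: Response): Int {
        var count = 1
        var prior = response.priorResponse
        while (prior != null) { count++; prior = prior.priorResponse }
        return count
    }
}

fun buildClient(store: TokenStore): OkHttpClient =
    OkHttpClient.Builder()
        .authenticator(TokenAuthenticator(store))
        .build()
```

Pair it with an interceptor that attaches the current access token to outgoing requests; the Authenticator only handles the failure path.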

References

  • references/credential_manager.md
  • references/biometric_auth.md
  • references/token_management.md
  • references/google_sign_in.md
  • references/session_security.md
  • references/digital_credentials.md