Geek Answers Handbook

Google Account Authorization for Android Application

I am writing an Android application that speaks on a remote server, and I want to allow application users to register on the server using the google credentials that are on their phone, that is, not requiring the user to enter their Google password anywhere in my application. For example, if a user (Android) phone was configured using " someguy@gmail.com ", and then they install and launch my application, my application will present them with a dialog saying "Do you want to log in as someguy @ gmail.com?", and by clicking OK, they set up an identifier on my server that knows that its email address is someguy@gmail.com , which is certified by Google itself.

I found widespread and varied partial recipes on how to do this, including my own oauth2 documentation, but I didnโ€™t guess how this all worked.

I have an Android code that uses AccountManager to find out which Google accounts are on this phone. I invite the user to specify which google account they would like to use to log in, and then I get an authorization token.

In the past, I rotate my wheels pretty hard. The recipes I looked at seem to require me to http get this form:

http://<myWebServer>.com/_ah/login?continue=<someUrlIChoose>&auth=<authToken>

... which (a) is unsatisfied in the sense that it is specific to appengine, and I want freedom to do this at either end of my choice and (b) even experiment with appengine, the application instance I "I'm configured, it seems it is not signaled at all, that is, the logs now show requests to it (I was hoping that someUrlIChoose url would be called by something) ... therefore, there is no way to be aware of the reality of the token.

Specific issues include:

  • What should I do with the auth token ... I send it to my server and somehow my server contacts Google to check the expiration of the token for the specified account? Or is there some kind of backchannel of the message that should already be (at this stage of the process) that has arisen from google servers to tell my server that this token is valid (and if so, how to set it)? Or something else?
  • Am I entitled to assume that this process should run in the context of either end (and not just appengine)?
  • Is oauth2 what I should use (unlike oauth1 or something else)? Everything I read seems to imply that Google support for oauth2 is "experimental" ... but I have not stated that the statements are current or old; and even if current, google has a history of keeping various products in a constant non-confidential form (like eternal beta), so I donโ€™t know what to do with it.
  • Anything else that is relevant ...
+7
source share
2 answers

You must import google-play-services_lib after using this code:

 import com.google.android.gms.auth.GoogleAuthUtil; import com.google.android.gms.auth.UserRecoverableAuthException; private void gmail_login() { dialog = ProgressDialog.show(LoginActivity.this, "", getString(R.string.login_loading), true); AsyncTask task = new AsyncTask() { @Override protected Object doInBackground(Object... params) { getAndUseAuthTokenBlocking(); return null; } }; task.execute((Void)null); } void getAndUseAuthTokenBlocking() { try { String AUTH_TOKEN_TYPE = "oauth2:https://www.googleapis.com/auth/plus.me https://www.googleapis.com/auth/userinfo.email"; AccountManager accountManager = AccountManager.get(this); Account[] accounts = accountManager.getAccountsByType("com.google"); String token = GoogleAuthUtil.getToken(this, accounts[0].name, AUTH_TOKEN_TYPE); //token here } catch (UserRecoverableAuthException userAuthEx) { startActivityForResult(userAuthEx.getIntent(), MY_ACTIVITYS_AUTH_REQUEST_CODE); }catch (Exception e){ DropErrorMsg.drop(this, handler, R.string.connection_error, R.string.error, dialog, false); } }
+2
source

Is this what you are looking for?

Most Android apps have some kind of server end to store and share data. Even the most basic game should be remembered by its players high scores. When you build the back end, one problem you have to solve is how the internal interface code knows that the application is talking to whom and who is using it.

You probably have HTTP endpoints to communicate with your application client, but how can there be server-side code that sends messages to it? In the end, anyone can send HTTP POST requests from anywhere; can they personify your users if they can guess about their identities?

Its a really unfriendly user to ask people to enter usernames and passwords on mobile devices. In particular, if someone installed your application and granted them permission to use the Internet and identity, they should no longer be jammed.

It turned out that Google Play services, available on all compatible devices running Android version 2.2 or higher, offer a good solution to this problem through the use of Google accounts.

http://android-developers.blogspot.se/2013/01/verifying-back-end-calls-from-android.html

0
source

More articles:


All Articles