OAuth2 Authentication for Website *and* Application

I am developing a website that is accessed primarily through the application, and I want to use OAuth2 to register and authenticate the user. Since this is an Android app, I will start using the Google OAuth2 stuff as it provides a decent interface for Android.

Google states that “You can use Google’s authentication system as a way to outsource user authentication for your application. This can eliminate the need to create, maintain, and protect your username and password.”, which is what I want to do. However, when I look at all of their examples and more, I can only find material where the website or application authenticates the user with respect to Google services.

Indeed, when I go to register my application (“client”) with Google OAuth2, there are options for website clients and “installed” clients (i.e. for a mobile application), but not for both. I can create two separate clients, but I have read the OAuth2 draft, and I think there will be a problem, which I will talk about now.

Here is how I did it:

OAuth2 flow diagram

  1. A user requests that MyApp access their personal data.
  2. The application uses the Android AccountManager class to request an access token for the Google APIs.
  3. Android tells the user: “MyApp wants to access your basic information on Google. Is that OK?”
  4. The user says yes.
  5. AccountManager connects to the Google OAuth2 server using the credentials stored on the phone and requests an access token.
  6. The access token (which follows the green lines) is returned.
  7. AccountManager returns the access token to MyApp.
  8. MyApp sends a request to MySite for the user's personal data, including the access token.
  9. MySite needs to verify the user using the access token. It checks the token as described here, with Google: "Google, is this token valid?"
  10. Now I want Google to say: “Yes, the one who gave it to you really is that user.” But what I think will really happen (based on the OAuth2 draft and Google documentation) is that it will say, “No, this token is valid only for MyApp, and you are MySite. GTFO!”

So how do I do this? AND PLEASE don’t say “Use OpenID” or “Do not use OAuth2” or other similarly useless answers. Oh, and I really would like to use the nice AccountManager user interface, not crappy popup WebViews.

Edit

The preliminary answer (I will report back if this works!) from Nikolai is that it really should work, and Google’s servers will not care where the access token came from. It seems a little unsafe to me, but I will see if it works!

Update

I implemented this pattern with Facebook instead of Google, and it works completely. The OAuth2 server does not care where the access token came from. At least Facebook doesn't, so I guess Google doesn't either.

In light of this, it is a very bad idea to store access tokens! But we also do not want to hit the Facebook/Google servers to check the authentication for each request, as this will slow everything down. It is probably best to add an additional authentication cookie for your site that you give out when their access token is verified, but an easier way is to simply treat the access token as a password and hash it. You do not need to salt it, as access tokens are really very long. So the steps above look something like this:

9. MySite must verify the user using the access token. First, it checks its cache of hashed valid access tokens. If the token hash is found there, it knows that the user is authenticated. Otherwise, it checks with Google as described here: "Google, is this token valid?"

10. If Google says that the access token is invalid, we tell the user GTFO. Otherwise, Google says “Yes, this is a valid user,” and then we check our registered user database. If this Google username (or Facebook identifier, if using Facebook) is not found, we can create a new user. Then we cache the hashed value of the access token.

+58
android oauth google-authentication
Jul 24 2018-12-12T00:
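Steps 9 and 10 of the updated flow, as an added example (not code from the question or any of the answers). It keeps a cache of SHA-256 token hashes bounded by Google's `expires_in`, and additionally checks the `audience` field that the tokeninfo response carries, so that a Google token issued for some other client is not accepted as a MyApp login. The tokeninfo lookup is replaced by a constructed stub so the example runs offline; the client ID and token values are made up.

```python
import hashlib
import time

# Constructed sample of what Google's v1 tokeninfo endpoint returns for a token
# (real field names: audience, user_id, expires_in; the values here are made up).
FAKE_TOKENINFO = {
    "tok-valid-123": {"audience": "myapp.apps.googleusercontent.com",
                      "user_id": "1001", "expires_in": 3500},
    "tok-other-app": {"audience": "someone-elses-client-id",
                      "user_id": "2002", "expires_in": 3500},
}
MYAPP_CLIENT_IDS = {"myapp.apps.googleusercontent.com"}  # client IDs registered for MyApp

def fake_tokeninfo(token):
    """Stands in for a GET to https://www.googleapis.com/oauth2/v1/tokeninfo."""
    return FAKE_TOKENINFO.get(token, {"error": "invalid_token"})

class TokenVerifier:
    def __init__(self, tokeninfo, client_ids, now=time.time):
        self.tokeninfo = tokeninfo    # callable: token -> tokeninfo response dict
        self.client_ids = client_ids
        self.now = now                # injectable clock so expiry can be tested
        self.cache = {}               # sha256(token) -> (user_id, expiry timestamp)
        self.users = {}               # user_id -> account record (step 10: create on first sight)
        self.remote_calls = 0         # how often we actually had to ask Google

    @staticmethod
    def _key(token):
        # Only the hash is stored, so a leaked cache does not leak usable tokens.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def authenticate(self, token):
        """Return the user_id the token belongs to, or None if it is not acceptable."""
        key = self._key(token)
        cached = self.cache.get(key)
        if cached is not None and cached[1] > self.now():
            return cached[0]          # step 9: hashed token found and not yet expired
        self.remote_calls += 1
        info = self.tokeninfo(token)  # step 9: "Google, is this token valid?"
        # Reject tokens Google rejects AND tokens minted for some other client:
        # a valid Google token is not automatically a token for MyApp.
        if "error" in info or info.get("audience") not in self.client_ids:
            self.cache.pop(key, None)
            return None
        user_id = str(info["user_id"])
        self.users.setdefault(user_id, {"first_seen": self.now()})
        # Cache no longer than Google says the token is good for.
        self.cache[key] = (user_id, self.now() + int(info["expires_in"]))
        return user_id
```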
6 answers

You probably need OpenID Connect, which uses OAuth tokens for authentication. Regarding AccountManager, current OAuth support is a bit hacky; the new Google Play Services, which will be released soon, should hopefully make it better. See the demo here.

+1
Jul 25 2018-12-12T00:

I just posted the answer to a similar StackOverflow question.

Google calls this a Hybrid app and explains how "an Android app gets offline back-end access."

Its essence is that you need to pass a magic scope string to GoogleAuthUtil.getToken to force it to return an authorization code (and not an OAuth2 token). This authorization code can be transferred from your mobile application to your server and exchanged for an access token and an OAuth2 refresh token, according to this scheme.

The scope parameter should look something like this:

 oauth2:server:client_id:<your_server_client_id>:api_scope:<scope_url_1> <scope_url_2> ...
+5
Jul 12 '13 at 2:22

You can use the access token received by the mobile application elsewhere. The Drive SDK has a nice and easy introduction that goes through the flow: https://developers.google.com/drive/quickstart-android

+2
Apr 30 '13 at 17:54

At least with Google, the access token eventually expires. That's why the Android AccountManager has an invalidateAuthToken method: the cached access token has expired, and you need to tell the AccountManager to discard the old one and get a new one instead. This makes caching of the token somewhat safer, as the token itself does not give you perpetual access as that user. Instead, when it is valid, it simply says: "At some point in the recent past, this token was acquired by a trusted source."

Here are a few things I found useful when working with tokens. The first is the Google tokeninfo endpoint. The token itself is just base64 encoded JSON. This means that it is not encrypted, so you must be sure that you use HTTPS for communication. However, this also means that you can check the token and better understand what is happening.

https://www.googleapis.com/oauth2/v1/tokeninfo?id_token=

If your token was "abcdef", you should go to:

https://www.googleapis.com/oauth2/v1/tokeninfo?id_token=abcdef

and Google will unpack your token. This is a simple JSON object that includes the "expires_in" field, which indicates the number of seconds for which the token is still valid. At 6:03 in the video below, you can see the unpacked token:

https://developers.google.com/events/io/sessions/383266187

This video provides a detailed overview of OAuth2 and is worth watching in full if you are going to deal with OAuth and tokens. The speaker also discusses other forms of OAuth2 tokens that are not access tokens and that do not expire.

Another useful resource is the OAuth Playground. This allows you to do basic things, such as request scopes, compose requests, and get tokens back. This link seems to work sporadically, and in Chrome I had to install the OAuth Playground app:

https://developers.google.com/oauthplayground/

And here’s a tutorial by Tim Bray, the speaker in the video, explaining how to use access tokens to communicate with the server from the Android application. This was useful to me because I began to understand how the different things in the Google APIs console work together:

http://android-developers.blogspot.in/2013/01/verifying-back-end-calls-from-android.html

Regarding the actual answer to your question, I would say that you never need to cache the access token on the server. As explained in the “Checking Android Callbacks” section above, token checking is almost always a quick static call, which means there is no reason to cache tokens:

Libraries can cache Google certificates and renew them only when necessary, so verification (almost always) is a quick static call.

Finally, you can use the AccountManager to get access tokens. However, Google recommends using the GoogleAuthUtil class in the Utilities library instead:

"In short, what is the difference between using an OAuth2 request, getAuthToken and getToken"

Here's a comment by Tim Bray, the same guy from the links above, stating that they are putting their efforts into the GoogleAuthUtil route. Please note, however, that this means that you will be limited to Google authentication. I believe that AccountManager can be used to get, for example, a Facebook token, which is not the case with GoogleAuthUtil.

+1
Sep 08 '13 at 16:27
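The answer above points out that the ID token is just base64-encoded JSON that tokeninfo "unpacks" for you. The following added example (not code from this answer or from Google) does the same unpacking locally, reports the remaining lifetime the way `expires_in` does, and checks the `aud` and `iss` claims. It deliberately does not verify the signature; that is what the tokeninfo call or the certificate check in Tim Bray's post is for. The sample token is constructed with a dummy signature and made-up client ID.

```python
import base64
import json
import time

def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")

def decode_claims(id_token):
    """Return (header, claims) of a JWT-format ID token WITHOUT verifying the signature."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims

def inspect_id_token(id_token, expected_audience, now=None):
    """Report what tokeninfo would tell you: seconds left, and whether the claims
    match our client and Google's issuer. Signature is NOT checked here."""
    now = time.time() if now is None else now
    _, claims = decode_claims(id_token)
    expires_in = int(claims["exp"]) - int(now)
    problems = []
    if expires_in <= 0:
        problems.append("expired")
    if claims.get("aud") != expected_audience:
        problems.append("audience mismatch")  # token was issued for another client
    if claims.get("iss") not in ("accounts.google.com", "https://accounts.google.com"):
        problems.append("unexpected issuer")
    return {"sub": claims.get("sub"), "expires_in": expires_in, "problems": problems}

def make_unsigned_sample(claims):
    """Constructed sample token for offline use; the signature part is a dummy."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode("utf-8"))
    payload = _b64url_encode(json.dumps(claims).encode("utf-8"))
    return f"{header}.{payload}.dummy-signature"
```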

When we needed to do something with an OAuth server other than Google, we saved the tokens in the database on the website. The application would then use web services to request a token when it needed to request data.

A user can register for OAuth either online or in the application. They shared the same application token so that they could use the same access token. After registration, we would store the access and refresh tokens in the database for use with whichever application they needed.

0
Jul 25 '12 at 1:00