3

I want users to be able to enter data from a web server and/or native PC app and transfer it to their chosen Android device in much the same way that Google Play's install on device works.

I'd like to use the user's Google account authentication to establish a link between the application server and the user's Android device that registered with GCM.

I couldn't find any mention of how to handle this kind of authentication in the Google Cloud Messaging API documentation, but did find this unanswered question in the GCM forums.

I'd like to authenticate users from a web application via his or her Google account. Similarly, the Android application would somehow obtain a handle on the same Google Account, which would be sent to the web application server once, at the same time as initial GCM registration.

Then when the user uses the web application, the server provides a list of devices the user has already registered to the server, so that the user can be prompted about which Android device he or she would like to send data to.

How can I accomplish this on the web server as well as on the device?

What information can I use after authenticating with the Google account to establish a link between the two logins?

j0k
Jeff Axelrod

2 Answers

4

You should use the user_id that is returned from the Google account server after registration to uniquely identify each user. Email addresses shouldn't be used for a number of reasons:

  • Accessing email addresses may require additional permissions from the user and dissuade users from using your service/app because of trust issues.
  • It adds liability for securing a database of users' email addresses.
  • Users may change their email addresses in Google accounts but cannot change their user IDs.
  • Users can associate one email address with more than one user ID, so it is not necessarily unique.

The following sequence diagram shows the initial registration from client Android app:

[Sequence diagram: initial registration from client Android app]

The next diagram shows what happens when a client wants to access his device from a browser:

[Sequence diagram: client wants to access his device from a browser]

Note that although not shown, the client Android app can now communicate back to the client browser if needed via the application server.

Jeff Axelrod
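
One way the application server could keep the link described in this answer, as an added example that is not part of the original answer: the device and the browser each present a token, the server derives the user ID from it, and GCM registration IDs are stored under that ID. `verify_token`, `DeviceRegistry`, the token strings, user IDs and registration IDs are hypothetical and constructed; a real server would validate the Google-issued token instead of looking it up in a dict.

```python
class AuthError(Exception):
    """Raised when a token is not valid or a device belongs to someone else."""

# Constructed stand-in for token validation: token -> stable user ID.
CONSTRUCTED_TOKENS = {
    "token-alice-phone": "1001",
    "token-alice-web": "1001",
    "token-bob-web": "2002",
}

def verify_token(token):
    try:
        return CONSTRUCTED_TOKENS[token]
    except KeyError:
        raise AuthError("token not recognised") from None

class DeviceRegistry:
    def __init__(self, verifier):
        self._verify = verifier
        self._owner = {}   # registration_id -> user_id
        self._names = {}   # registration_id -> display name

    def register_device(self, token, registration_id, name):
        """Called by the Android app right after GCM registration."""
        user_id = self._verify(token)  # never accept a user ID claimed by the client
        self._owner[registration_id] = user_id  # re-registering moves the device
        self._names[registration_id] = name
        return user_id

    def list_devices(self, token):
        """Called by the web app to build the 'send to which device?' prompt."""
        user_id = self._verify(token)
        return sorted((self._names[r], r)
                      for r, u in self._owner.items() if u == user_id)

    def authorize_send(self, token, registration_id):
        """Return the registration ID only if it belongs to the caller."""
        user_id = self._verify(token)
        if self._owner.get(registration_id) != user_id:
            raise AuthError("device is not registered to this user")
        return registration_id

def demo():
    reg = DeviceRegistry(verify_token)
    reg.register_device("token-alice-phone", "regid-AAA", "Alice's phone")
    return reg.list_devices("token-alice-web"), reg.list_devices("token-bob-web")
```

No email address is stored, and a browser session can only list or target registration IDs bound to its own verified user ID.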
1

The user_id you get from the device when you register with GCM should be the same as the user_id you get with your OAuth token for your app. Just store the OAuth token and Registration ID in your user repository, associating both with the user_id.

[Diagram]

Jeff Axelrod
Paul Fryer
  • I'm not sure how you think OAuth works here. However, there is no OAuth used with GCM, as far as I know. GCM is just used to push notifications (small ones) to a device/application. So the payload of your message should include a URL or other data to download the actual stuff you want to synch to your mobile device. – Paul Fryer Sep 12 '12 at 17:19
  • OK, I see where you are going with this. It looks like you can get access to the Google account on the device, check this out: http://stackoverflow.com/questions/2112965/how-to-get-the-android-devices-primary-e-mail-address – Paul Fryer Sep 12 '12 at 17:48
  • I think you need 3 things here. 1) The OAuth token you got when your user authorized your app with Google. 2) The Google email address of that user. 3) The GCM registration ID. You store the OAuth and email together when your app is authorized. You store the registration ID and email together when push notifications are enabled. Now you can link OAuth token to email to registration ID (see diagram above). – Paul Fryer Sep 12 '12 at 19:22
  • It looks like using the [`user_id`](https://developers.google.com/accounts/docs/OAuth2Login) field rather than the email address is the way to go here. If you wouldn't mind updating your diagram with this, I'll upvote and accept! – Jeff Axelrod Sep 12 '12 at 21:24
  • Great find Jeff! You are right on, we would rather use an identifier that won't change. So email is a bad candidate, but user_id seems to fit the bill. Diagram updated. – Paul Fryer Sep 12 '12 at 23:25
  • We should try to put together a demo project for this. I think it would help a lot of people. – Jeff Axelrod Sep 12 '12 at 23:42
  • Are you sure the `user_id` from the GCM registration is the same one as the Google accounts one? I would have assumed that if there's one along with GCM registration that it's associated with the registered application developer, not the user. Either that, or it's just some randomly generated user ID unique to the device. Do you have documentation to back this up? – Jeff Axelrod Sep 13 '12 at 02:18
  • No, I'm not sure, I was going off your comments :-) I thought you might have researched it. Sounds like we still need to do a bit of research on this before we can propose this as a viable solution. I'll add it to my list of things I'm researching... Also, a demo of this would be really cool, I'm sure others would find it useful - do you have specific projects in mind? – Paul Fryer Sep 13 '12 at 03:03
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/16640/discussion-between-jeff-axelrod-and-paul-fryer) – Jeff Axelrod Sep 13 '12 at 12:45