SSO with Google account on both website and mobile app

Question

I'd like to use SSO (Single Sign-On) for users of my app, but I don't understand how to apply it to my case.

To summarize, we have:

• a database
• a website
• an iPhone app / an Android App

Currently, it's possible to create an account on the site, and then use the same credentials to connect from the mobile apps. All communications between mobile apps and server work through http requests.

To put it simply, I would firstly

• be able to use Google accounts to authenticate users
• offering Android users to choose one of Google accounts associated with their smartphone

I found several sources of information:

• Google - Using OAuth 2.0 for Login
• Android - Remembering Users

Unlike what I saw in some examples, I don't need to make request to Google services like Google Calendar or Tasks, I just want to authenticate the user.

Does someone could tell me what I need to do on the website and on the mobile app. Should I store information in my database? How to ensure that after authentication, all http requests from the mobile application are really from authenticated user?

Do not hesitate to ask me to clarify some points.

Thanks in advance

Answer 1

As OAuth is a standard for authorization and not for authentication, it doesn't support any direct method for this. However, most providers allow you to call an endpoint that returns the id of the logged in user. Google returns the id as part of the basic profile information. This step is described in the first article you already mentioned. There are multiple libraries available to simplify this step for you.

So for identifying a user you acquire his Google user id and store/match it in your database.

To get the user's id on an Android device, there's an even more simple way. Just use Google Play Services as described in its documentation. You can find the user id in the response to the call in the last section of the documentation.

Now there's still the problem that you have to send the user id from the device to your web server and verify that this call was issued by your app. Fortunately, Google has also built a method into Google Play Services for exactly this scenario. There's a blog post by Tim Bray at the Android Developers Blog about this.