Can I use Chrome Web Store payments with OAuth 2.0

Question

I've written a hosted Chrome Web App which authenticates the user with OAuth 2.0 using the Google APIs Client Library for .NET. Now I want to add payments to our application using the in-built Chrome Web Store Payments.

Looking at the documentation it appears that I need an OpenID URL in order to check for payment.

How can I get this UserID/OpenID URL since I'm using OAuth instead of OpenID authentication?

var service = new Google.Apis.Oauth2.v2.Oauth2Service(
    new BaseClientService.Initializer
    {
        HttpClientInitializer = userCredential,
        ApplicationName = "My App Name",
    }
);
HttpResponseMessage message = await service.HttpClient.GetAsync(
    string.Format("https://www.googleapis.com/chromewebstore/v1/licenses/{0}/{1}", 
        appId,
        fedId // Where do I get this??
    )
);

Answer 1

I wanted to leave my own experience here so that others can see that it's not just a matter of using the existing Id returned from an authorised request to the user profile endpoint, as this is not the ID required by the Chrome Payments API...

Short Answer

It's not possible to use only OAuth2.0 for a hosted app. The only options for a hosted app are:

• Use the deprecated OpenID (see detailed answer)
• Use In-app Payments using Google Wallet for Digital Goods

Long Answer

We still have to use OpenID, however Google has provided a migration path for OpenID users to OAuth2.0 called OpenID Connect. The aim of this migration is to map the old fedId field to new the Google+ User Ids.

This allows us to retrieve an OpenID identifier using an existing OAuth 2.0 process.

Caveat: The Google .NET Client APIs do not support this migration path. So authentication must be done manually or using a 3rd party OAuth library.

Howto:

• As per usual OAuth flow, direct the user to the Authenticate endpoint (https://accounts.google.com/o/oauth2/auth) with the following variables:

  • openid.realm=http://localhost ** Required, where http://localhost matches your redirect_uri variable
  • scope=openid profile https://www.googleapis.com/auth/chromewebstore.readonly ** Both openid and profile scopes are required in order to retrieve the OpenID identifier. The chromewebstore scope is required to query the payments API.

• Then exchange the code for an access token from the Token endpoint (https://accounts.google.com/o/oauth2/token)

  • At this point you will receive the standard access_token, refresh_token, etc variables but also an additional id_token variable.
  • This id_token is a JWT-encoded string containing the OpenID information.
  • Decoding this JWT-encoded (you can use this C# JWT Library) string will give you a JSON string in the following format:

  { "aud": "<googleuserid>.apps.googleusercontent.com", "at_hash": "<hashcode>", "iss": "accounts.google.com", "openid_id": "<!! The fedId we require !!>", "exp": <id>, "azp": "<googleuserid>.apps.googleusercontent.com", "iat": <id>, "sub": "<googleuserid>" }

  • At this stage we've finally found what we're looking for, the openid_id. This can be used to communicate with the Chrome Payments API

• While still using the same OAuth credentials, make a signed request to the following URL:

  • https://www.googleapis.com/chromewebstore/v1/licenses/{appId}/{openId}
  • {appId} is the ID of your app within the Chrome Web Store
  • {openId} is the openid_id from the JWT response

Answer 2

This should give you what you need:

https://developers.google.com/accounts/docs/OAuth2

Its a complete overview of OAuth2.0.

Helped me with a problem I was having with a webapp setup, hope it can do the same.

P.S - Im not sure but this may be exactly what your looking for:

https://developers.google.com/accounts/docs/OAuth2InstalledApp