
I see some similar questions related to this question but those ones are too old to be considered, so I will ask again here.

I have an Android app that needs to authenticate to a web service to exchange data that will be stored on Google App Engine. For that, I would like to use OAuth 2.0 to provide an authentication mechanism between my app and the web service, as shown here: https://developers.google.com/identity/protocols/OAuth2WebServer?hl=en and here: https://developers.google.com/identity/protocols/CrossClientAuth

I'm already validating the token on the web service side as shown in the documentation. The only part that isn't clear to me is what to do on the GAE web service and on Android after a refresh token has been obtained on Android and validated on the web service.

The questions are:

  • Must I exchange this token every time the app and the web service communicate? Is that secure?
  • What is the best way to keep the communication going after that?
Carlos Jimenez
  • This is covered in the OAuth2 help regarding flows. See 3-legged OAuth2. – Zig Mandel Sep 18 '15 at 13:17
  • The documentation for 3-legged OAuth2 on Google Developers goes up to the point where you get the token; my question remains the same. – Carlos Jimenez Sep 18 '15 at 15:16
  • No, it goes further. For example, it states expiration times for the obtained access token. Look at the samples and tutorials, for example the Drive API examples. – Zig Mandel Sep 18 '15 at 15:22
  • I found this http://stackoverflow.com/questions/11631928/authenticating-with-oauth2-for-an-app-and-a-website which is the same question I'm having now. That thread is old anyway and I cannot comment there. – Carlos Jimenez Sep 18 '15 at 20:48
  • But it's not the same question. That one is about reusing the tokens between a mobile app and a website, so the user doesn't need to give OAuth permissions twice. – Zig Mandel Sep 18 '15 at 20:54
  • This seems to cover what you want: https://developers.google.com/identity/protocols/OAuth2UserAgent#validatetoken – Zig Mandel Sep 18 '15 at 20:56
  • That said, if you only need authentication but not permission, look instead into Google Identity Toolkit. – Zig Mandel Sep 18 '15 at 20:57
  • Thanks but I see the same question being asked while using Google Identity Toolkit https://groups.google.com/d/msg/google-identity-toolkit/zhYA7LKmMVY/ae8V_i7K658J – Carlos Jimenez Sep 18 '15 at 21:08
  • Which is also covered here: https://developers.google.com/identity/protocols/OpenIDConnect?hl=en#validatinganidtoken – Zig Mandel Sep 18 '15 at 22:26
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/90101/discussion-between-carlos-jimenez-and-zig-mandel). – Carlos Jimenez Sep 19 '15 at 12:45

1 Answer

After researching this, this is the authentication flow I'm using:

  1. Sign in on the app as shown here: https://developers.google.com/identity/sign-in/android/sign-in
  2. After sign-in, obtain a token.
  3. Send the token over HTTPS to the backend server.
  4. Validate the token on the backend server with a GoogleIdTokenVerifier (you can also call the tokeninfo endpoint) as shown here: https://developers.google.com/identity/sign-in/android/backend-auth

When you receive the token on your backend server you should:

After you receive the ID token by HTTPS POST, you must verify the integrity of the token. To verify that the token is valid, ensure that the following criteria are satisfied:

  • The ID token is a JWT that is properly signed with an appropriate Google public key (available in JWK or PEM format).
  • The value of aud in the ID token is equal to one of your app's client IDs. This check is necessary to prevent ID tokens issued to a malicious app being used to access data about the same user on your app's backend server.
  • The value of iss in the ID token is equal to accounts.google.com or https://accounts.google.com.
  • The expiry time (exp) of the ID token has not passed.
  • If your authentication request specified a hosted domain, the ID token has a hd claim that matches your Google Apps hosted domain.

  5. User authenticated. The token must be sent in the request header for every communication with the backend server, and the backend server needs to verify it every time.
Carlos Jimenez
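As an added example (not code from the question, the answer, or Google's samples), here is a small Java helper for the GAE backend that performs the checks listed in the answer with GoogleIdTokenVerifier on every request. The client ID, the `Authorization: Bearer` header convention and the hosted-domain constant are assumptions.

```java
import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.jackson2.JacksonFactory;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import java.util.List;

/** Per-request ID token check for the GAE backend (example code, not from the question or Google's docs). */
public final class IdTokenGate {
    // Constructed placeholder: the Web client ID of this project from the Google Developers Console.
    private static final List<String> ALLOWED_AUDIENCES =
        Arrays.asList("YOUR_WEB_CLIENT_ID.apps.googleusercontent.com");
    // Constructed placeholder: your Google Apps domain, or null if no hosted domain was requested.
    private static final String HOSTED_DOMAIN = null;

    // Build once and reuse: the verifier caches Google's public keys and refreshes them on rotation.
    private static final GoogleIdTokenVerifier VERIFIER =
        new GoogleIdTokenVerifier.Builder(new NetHttpTransport(), JacksonFactory.getDefaultInstance())
            .setAudience(ALLOWED_AUDIENCES)   // aud must be one of our client IDs
            .build();                          // iss and exp are checked by the library by default

    /**
     * Returns the verified Google user id (sub) for the bearer token on this request,
     * or null when the request must be rejected. Call this on every request, not only at sign-in.
     */
    public static String authenticate(String authorizationHeader) {
        if (authorizationHeader == null || !authorizationHeader.startsWith("Bearer ")) {
            return null; // assumption: the app sends "Authorization: Bearer <id token>"
        }
        String idTokenString = authorizationHeader.substring("Bearer ".length()).trim();
        try {
            GoogleIdToken idToken = VERIFIER.verify(idTokenString); // signature, aud, iss, exp
            if (idToken == null) {
                return null; // bad signature, wrong audience or issuer, or expired
            }
            GoogleIdToken.Payload payload = idToken.getPayload();
            if (HOSTED_DOMAIN != null && !HOSTED_DOMAIN.equals(payload.getHostedDomain())) {
                return null; // hd claim does not match the hosted domain we asked for
            }
            return payload.getSubject(); // stable user id; prefer it over email as the datastore key
        } catch (GeneralSecurityException | IOException e) {
            return null; // could not fetch or verify keys: fail closed, never fail open
        }
    }
}
```

A null return should map to an HTTP 401 in the servlet or endpoint that calls it; the caller never trusts any claim from a token that did not pass this method.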