I have a similar question as found in this post, but for Xamarin.

Cross-client Google OAuth: Get auth code on iOS and access token on server

I'm using Xamarin.Auth to successfully get a token back from Google for the user of my app. I'd like to send that token to the web service, so it can do background queries of Google APIs impersonating that logged-in user (i.e. querying their liked videos). The web service would have to be configured with the Xamarin client ID to use the token, but it seems cleaner to use separate client IDs for front-end/back-end.

The Xamarin app is using the Google API client ID, which is set up for Android (and has no client secret). I'm using a 'local' package name redirect URI in the app itself, so it never hits a server component to obtain the token. Also, I've created a web application Google API client which has both a client ID and secret.

Unless I use the Xamarin/Android client ID for the web service as well, if I'm reading the cross-client docs correctly, I need to somehow transfer the token between these clients (on front-end and back-end). I've tried using the web app client ID/secret to obtain a refresh token for the Xamarin access token, but get an invalid client error. Which makes sense, I guess, since the token was created with a different client.

I'm supporting multiple OAuth logins (i.e. Google, Facebook, Instagram), and was planning to create a shadow user in my database, which would hold the active token. I'm letting the auth code->token workflow all happen on the client (using Xamarin.Auth.OAuth2Authenticator).

To make this work, do I need to implement the authorization code->token exchange on the backend web service during my app login (using the web service client ID), or is there some other way to transfer tokens between app/web service clients?

Or does it seem fine to just use the Xamarin client ID on the back-end, and be done with it?

Thanks!

Kirk Marple

  • You should be using "Authorization Code Flow" and not "Implicit Grant Flow" on the client. So your app will start the auth process to *your* server, your server then asks the app to request a set of grants from the auth server (i.e. Google in this case), the user accepts/declines this request and upon a successful grant from the auth server to the client, the client redirects to your server with the auth code, your server then supplies that code to the auth server (i.e. Google) and it replies to your server with the token. Now your server can act as the "middleman" to Google on the user's behalf. – SushiHangover Aug 01 '18 at 02:35
  • Gotcha, thanks. So if I'm understanding correctly, then I do need to have that code->token handler on the server to make this work? And I can't purely do the authentication client-side in this situation. For Facebook, it appears I can log the user in client-side, and then only have to use fb_exchange_token on the server to convert the access token to a long-term server token. So I'll have to handle Google differently. – Kirk Marple Aug 02 '18 at 03:13
  • Here is Google's doc on Auth code flow: https://developers.google.com/actions/identity/oauth2-code-flow And of course they have native client APIs that provide the native user experience, etc... – SushiHangover Aug 02 '18 at 03:22
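The server-side half of the authorization code flow described in the comments above, as an added Python example that is not part of the question, the comments, or Xamarin.Auth. The two endpoint URLs are Google's published OAuth 2.0 endpoints; the web client ID/secret, redirect URI, session IDs and scopes are placeholders, and the HTTP transport is injectable so the flow can be exercised offline against a fake token response. The server holds the web client's secret (the mobile app never sees it), binds each login to a one-time `state` value so a redirect with an unknown or replayed state is rejected, exchanges the code for tokens, and keeps the refresh token on the shadow user record so background queries can obtain fresh access tokens without the user present.

```python
"""Server-side Google authorization-code exchange (constructed example)."""
import json
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs
from urllib.request import Request, urlopen

# Google's published OAuth 2.0 endpoints.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"


def default_transport(url, form):
    """POST an application/x-www-form-urlencoded body and return parsed JSON."""
    req = Request(url, data=urlencode(form).encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urlopen(req, timeout=10) as resp:
        return json.loads(resp.read().decode())


class GoogleCodeFlow:
    """Holds the *web* client credentials; the mobile app never sees the secret."""

    def __init__(self, client_id, client_secret, redirect_uri,
                 transport=default_transport, now=time.time):
        self.client_id = client_id          # placeholder web client ID
        self.client_secret = client_secret  # placeholder web client secret
        self.redirect_uri = redirect_uri    # must match the one registered for the web client
        self.transport = transport
        self.now = now
        self.pending_states = {}  # state -> app session id, consumed on first use
        self.users = {}           # shadow user (session id) -> stored token record

    def authorization_url(self, session_id, scopes):
        """Step 1: the server builds the Google consent URL for the app to open."""
        state = secrets.token_urlsafe(32)
        self.pending_states[state] = session_id
        params = {
            "client_id": self.client_id,
            "redirect_uri": self.redirect_uri,
            "response_type": "code",
            "scope": " ".join(scopes),
            "access_type": "offline",  # ask for a refresh token for background queries
            "prompt": "consent",
            "state": state,
        }
        return AUTH_ENDPOINT + "?" + urlencode(params)

    def handle_callback(self, callback_url):
        """Step 2: Google redirects to the server with ?state=...&code=...;
        the server exchanges the code using its own client ID and secret."""
        q = parse_qs(urlparse(callback_url).query)
        state = q.get("state", [None])[0]
        code = q.get("code", [None])[0]
        session_id = self.pending_states.pop(state, None)  # one-time use
        if session_id is None or code is None:
            raise ValueError("unknown or replayed state, or missing code")
        tokens = self.transport(TOKEN_ENDPOINT, {
            "code": code,
            "client_id": self.client_id,
            "client_secret": self.client_secret,
            "redirect_uri": self.redirect_uri,
            "grant_type": "authorization_code",
        })
        self.users[session_id] = {
            "access_token": tokens["access_token"],
            "refresh_token": tokens.get("refresh_token"),
            "expires_at": self.now() + int(tokens.get("expires_in", 0)),
        }
        return session_id

    def access_token_for(self, session_id):
        """Step 3: background jobs ask for a token; refresh silently when expired."""
        rec = self.users[session_id]
        if self.now() < rec["expires_at"] - 60:
            return rec["access_token"]
        tokens = self.transport(TOKEN_ENDPOINT, {
            "client_id": self.client_id,
            "client_secret": self.client_secret,
            "refresh_token": rec["refresh_token"],
            "grant_type": "refresh_token",
        })
        rec["access_token"] = tokens["access_token"]
        rec["expires_at"] = self.now() + int(tokens.get("expires_in", 0))
        return rec["access_token"]
```

Because the code is exchanged with the web client's credentials, the resulting tokens belong to that client, which is exactly why the question's attempt to refresh an access token minted for the Android client with the web client's secret fails with an invalid client error. Storing only the refresh token server-side (and treating it as a credential) is what lets the web service query the user's data later without the app being involved.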