How can my server authenticate Android users with their Google accounts?

Question

I'm building an Android app as part of a client/server architecture, where my server will provide a service to the Android client. The server will not communicate with any Google server, but will need to authenticate the user via their gmail account. That is, the server needs to be sure that the http(s) requests coming from the phone are indeed from the person with that specific gmail account.

I was looking into Android's C2DM framework, which I can certainly use for passing service-related data back and forth, but how can I use Google account authentication between an Android phone and a third-party (non-Google) server?

Will Oath2.0 work for this, or is Oath2.0 only used for direct authentication between the phone and Google's services?

Answer 1

I think you must have got the answer to your query by now. But I still would to answer this question to assist other users who are interested in achieving something like this.

So to use google account access token to authenticate and authorize your app user against your own services you have to follow following steps.

1. Create a project in Google Cloud Console with two components (Create components by clicking on "APIs $ Auth >Credetials" option on left pane ). First component will be your web component (e.g. web-services) and second component is your android application.
2. Try to get access token by querying account manager in android app by executing GoogleAuthUtil.getToken() method by passing the current context, email id(queried using account manager) and scope as ("audience:server:client_id:").
3. Where is the "Client ID" parameter of the web component available under the project created on Google Cloud Console.
4. The method will return you the ID token encoded as JSON web token or JWT.
5. This ID token everything that a app would require to authenticate user on server.
6. The ID token consists of following parameters

iss: always accounts.google.com

aud: the client ID of the web component of the project

azp: the client ID of the Android app component of project

email: the email which identifies the user requesting the token, along with some other fields.

1. Pass this token to your web component (e.g. web services) over https(mandatory) where the web component and Android component client id's are already stored.

2. After decoding the received JWT ID token on server, check if "aud" parameter of the token and stored web component client id are equal and hence authenticate the user.

3. User identity can be fetched by reading the email parameter of JWT ID token which specifies the email id provided to access the Id token in android application while executing GoogleAuthUtil.getToken() method.

Note : The ID token on android can only be fetched by executing GoogleAuthUtil.getToken() if it is the same application singed by same certificate specified while creating android component under the project on Google Cloud Console.

More information can be found on "https://developers.google.com/accounts/docs/CrossClientAuth"

Answer 2

You didn't mention which language code you're going to use in your server.

The easier way to use C2DM is inside Google App Engine which comes with native support for Android integrations with C2DM.

If that's not the case ( EX: youre using php in your own server ) I would take a look to AccountManager which can provides you the auth token ( the app-user must allow it ).

When registering a new device to your C2DM server you'll need the device to communicate also the token so you'll be able to know if the user is really owner of that gmail account through a connection between your server and Google Servers.

:)