CODEWITHSUNDEEP
phpandroidgoogle-oauthgoogle-play-servicesgoogle-api-php-client
Sunny
Sunny

Reputation: 1464

How can I Verify Android Generated Tokens on my Server Using PHP?

Ok, I have been trying to get the wonderful nirvana described by Tim Bray's article Verifying Back-End Calls from Android Apps. I can successfully get a token from my android app by calling GoogleAuthUtil.getToken(). I pass the token to my php server as header Authorization Bearer field. This is where I get stuck.

What should I do now to verify that the token was generated from my android app for the same project as my server project? How do I get the user_id from the token? Thanks.

On Google console both my php server and android app are on the same project. On my php server, I can link in both android/google-api-php-client/src/Google_Client.php and android/google-api-php-client/src/contrib/Google_PlusService.php library codes.

Upvotes: 3

Views: 6327

Answers (2)

Chris Cartland
Chris Cartland

Reputation: 3278

We have sample code and instructions on GitHub for verifying tokens from your server. Here is the example in PHP.

https://github.com/googleplus/gplus-verifytoken-php

This is the library call:

$client->verifyIdToken($id_token, CLIENT_ID)

One advantage of using the client library is that it can verify the ID token offline if Google's security certificates have been cached. This means the library call gets much faster after the first use because the library doesn't have to make another network call to Google. Using the oauth2/v1/tokeninfo endpoint always requires a network call, so it will be slower most of the time.

Upvotes: 5

Sunny
Sunny

Reputation: 1464

Ok, I finally stumbled into a solution to my issues. As I suspected, the answer was rather simple. I was already doing many things correctly. Both my web endpoint and my android app were in the same Google API Console project. They shared the project entries such as Audience, etc.

All examples I found for doing verification either assumed the reader already knew how to do this or assumed that the PHP needed to generate the token. Finally, I stumbled into this section of Google OAuth2 documentation on Validating a Token that gave me the idea for how to do verification cleanly on my php server. Just verification and nothing else, mam! OAuth is confusing enough. There are other examples for verifying using curl from the command line. But, this is how you would call tokeninfo in PHP to verify that (1) a token is valid and (2) it was meant for your app.

$mToken = $_POST['mToken'];
$userinfo = 'https://www.googleapis.com/oauth2/v1/tokeninfo?id_token=' . $mToken;
$json = file_get_contents($userinfo);
$userInfoArray = json_decode($json,true);
$googleEmail = $userInfoArray['email'];
$tokenUserId = $userInfoArray['user_id'];
$tokenAudience = $userInfoArray['audience'];
$tokenIssuer = $userInfoArray['issuer'];    

if ( strcasecmp( $tokenAudience, GOOGLE_FULL_CLIENT_ID ) != 0) {
        error_log ( "ERROR:'" . $tokenAudience . "' did not match." );
}

The variable GOOGLE_FULL_CLIENT_ID holds the value for Audience string for my app (you can copy this from Google API console definition page for your app).

In my solution, I decided to pass the token generated from my Android app into my server endpoint using _POST value pair "mToken". The code for doing this in Android is as follows:

HttpPost httppost = new HttpPost("uri for your server web endpoint");
ArrayList<NameValuePair> nameValuePairs = new ArrayList<NameValuePair>();
nameValuePairs.add(new BasicNameValuePair("mToken", mToken));
try {
        HttpClient httpclient = new DefaultHttpClient();
        httppost.setEntity(new UrlEncodedFormEntity(nameValuePairs));
        HttpResponse response = httpclient.execute(httppost);
} catch (Exception e) {
        Log.e("HTTP", "Error in http connection " + e.toString());
}

Upvotes: 4

Related Questions