Codevalley

Reputation: 4641

Effective OAuth for Google APIs from Android phone

I am trying to get authorization for Google Buzz and Contacts from an Android application. The flow is similar to this.

Now, the problem is how I obtain the authorization code (not a temporary token) from the Android app and send it to the web service. I could use the normal OAuth 2.0 flow and use my web service as the redirect URL to obtain the code. But in that case, how can I let the web service know which user the code pertains to? Can I pass extra information with the OAuth dance?

Upvotes: 1

Views: 391

Answers (1)

Bob Aman

Reputation: 33239

I strongly recommend using OAuth 2. The flow is much better for the end user and it's a lot easier to implement something like this. Additionally, it uses bearer tokens, which means that you can maintain your refresh token server side where it's actually secure and only ship access tokens to the Android when they're needed.

The downside of this approach is that effectively every time your app loads it needs to phone home to get the latest access token. But once it has that access token, it can make whatever API calls it needs to, directly to the Buzz and Contacts APIs.

However, to do this, you don't pass extra information with the OAuth dance. Instead, your Android app needs to have already securely identified which user is signed in with your app, and then make sure the server only ever sends back access tokens associated with the authenticated user. If it doesn't have an up-to-date access token for that user, it would need to make a request out to Google's authorization server to get the latest access token, and then pass it up to the client. So there's certainly a strong potential for some latency there, because that generally needs to be a synchronous call, but that's usually a small price to pay for the advantages OAuth 2 gives you over OAuth 1.

Upvotes: 1
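The server-side piece the answer describes, as an added example that is neither the answerer's code nor Google's library: the refresh token stays in the server's store, the user is taken from the app's own server-side session rather than from a client-supplied parameter, and only a short-lived access token is returned. The user ids, session ids and token values are constructed, and the refresh-token grant against Google's token endpoint is stubbed so the example runs offline.

```python
import time
from dataclasses import dataclass

# Constructed sample data: refresh tokens keyed by the app's own user id.
# In production this is a database row; the value never leaves the server.
REFRESH_TOKENS = {"user-42": "refresh-token-placeholder"}

# Constructed sessions: session id -> user the Android app has already
# authenticated with the web service.
SESSIONS = {"sess-abc": "user-42"}


@dataclass
class AccessToken:
    token: str
    expires_at: float


_access_cache = {}  # user id -> AccessToken, cached server-side


def refresh_with_google(refresh_token: str) -> dict:
    """Placeholder for the refresh-token grant (POST to Google's token
    endpoint with grant_type=refresh_token, client_id and client_secret).
    Stubbed here so the example runs offline; the callers below accept any
    function with the same shape: returns {"access_token", "expires_in"}."""
    raise NotImplementedError("wire this to Google's token endpoint")


def get_access_token(user_id, exchange=refresh_with_google, now=time.time, skew=60):
    """Return a valid access token for user_id, refreshing server-side when
    the cached one is missing or within `skew` seconds of expiry."""
    cached = _access_cache.get(user_id)
    if cached and cached.expires_at - skew > now():
        return cached.token
    refresh_token = REFRESH_TOKENS.get(user_id)
    if refresh_token is None:
        raise PermissionError(f"no refresh token stored for {user_id}")
    resp = exchange(refresh_token)  # the synchronous round trip the answer mentions
    _access_cache[user_id] = AccessToken(resp["access_token"], now() + resp["expires_in"])
    return _access_cache[user_id].token


def handle_token_request(session_id, exchange=refresh_with_google, now=time.time):
    """The endpoint the Android app calls when it loads. The user comes from
    the server-side session, so a client can only ever receive tokens for
    the account it signed in with, and never the refresh token itself."""
    user_id = SESSIONS.get(session_id)
    if user_id is None:
        return 401, {"error": "not signed in"}
    try:
        return 200, {"access_token": get_access_token(user_id, exchange, now)}
    except PermissionError:
        return 403, {"error": "google account not linked"}
```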
