Reputation: 1031
How can I validate the auth_token returned from token = bundle.getString(AccountManager.KEY_AUTHTOKEN); ?
After I get the new user on Android I need to insert them into my database server side, but I need to validate that token somehow before I do.
I am trying to use the token like this:
url = 'https://www.googleapis.com/oauth2/v1/userinfo?access_token=%s' % access_token
but Google is returning 'Unauthorized Access'.
How can I access https://www.googleapis.com/oauth2/v1/userinfo using the Android AccountManager provided 'auth_token'?
Upvotes: 3
Views: 2718
Reputation: 289
The token returned from AccountManager is a ClientLogin token, not an OAuth token. So you can not use the API related to OAuth. But you can still fetch calendar data, contact data, or other data supported by ClientLogin.
For example, if you get "cp" for contacts, on the server, you can use
curl -H 'Authorization: GoogleLogin auth="Your_ClientLogin_token"' https://www.google.com/m8/feeds/contacts/default/full
Using Zend Gdata, you can do it by
$client = new Zend_Gdata_HttpClient;
$client->setClientLoginToken($token); // $token is your ClientLogin token
$gdata = new Zend_Gdata($client);
// perform query and get result feed
$query = new Zend_Gdata_Query('http://www.google.com/m8/feeds/contacts/default/full');
$feed = $gdata->getFeed($query);
However, using ClientLogin token on the server-side is not recommended, as mentioned here:
Upvotes: 1
Reputation: 1022
You're probably just missing the oauth2: prefix in front of your authTokenType.
This code works:
// Note the `oauth2:` prefix
private static final String AUTH_TOKEN_TYPE_USERINFO_PROFILE =
    "oauth2:https://www.googleapis.com/auth/userinfo.profile";

// TODO: allow the user to choose which account to use
Account acct = accountManager.getAccountsByType("com.google")[0];
accountManager.getAuthToken(acct, AUTH_TOKEN_TYPE_USERINFO_PROFILE,
    null, this, new AccountManagerCallback<Bundle>() {
        @Override
        public void run(AccountManagerFuture<Bundle> future) {
            try {
                String accessToken = future.getResult().getString(
                    AccountManager.KEY_AUTHTOKEN);
                // Debug only: do not log access tokens in production builds
                Log.i(TAG, "Got OAuth2 access token: " + accessToken);
                /*
                Your code here. Use one of two options. In each case replace ... with
                the above OAuth2 access token:
                1) GET https://www.googleapis.com/oauth2/v1/userinfo?access_token=...
                2) GET https://www.googleapis.com/oauth2/v1/userinfo with this header:
                   Authorization: Bearer ...
                */
            } catch (OperationCanceledException e) {
                // TODO handle this case
                Log.w(TAG, "The user did not allow access");
            } catch (Exception e) {
                // TODO handle this exception
                Log.w(TAG, "Unexpected exception", e);
            }
        }
    }, null);
Upvotes: 6
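Option 2 from the answer above, performed on the server before the user row is inserted. This is an added Python example, not code from the original posts; `verify_google_user`, `TokenRejected`, `http_get_userinfo` and `fake_fetch` are hypothetical names, and the sample responses are constructed.

```python
import json
import urllib.error
import urllib.request

USERINFO_URL = "https://www.googleapis.com/oauth2/v1/userinfo"


class TokenRejected(Exception):
    """The token could not be tied to a Google profile."""


def http_get_userinfo(access_token):
    """Real transport: returns (status, body). Token travels in a header, not the URL."""
    req = urllib.request.Request(
        USERINFO_URL, headers={"Authorization": "Bearer " + access_token})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def verify_google_user(access_token, fetch=http_get_userinfo):
    """Return the profile Google vouches for, or raise TokenRejected."""
    # Reject empty or whitespace-bearing input before it is placed in a header.
    if not access_token or any(c.isspace() for c in access_token):
        raise TokenRejected("malformed token")
    status, body = fetch(access_token)
    if status != 200:  # e.g. 401 for a ClientLogin, expired or revoked token
        raise TokenRejected("Google returned HTTP %d" % status)
    try:
        profile = json.loads(body)
    except ValueError:
        raise TokenRejected("response was not JSON")
    if not isinstance(profile, dict) or not profile.get("id"):
        raise TokenRejected("response carries no account id")
    # This shows the token is valid for this profile; it does not show which app requested it.
    return profile


# Constructed stand-in for Google's replies, so the logic can be exercised offline.
def fake_fetch(token):
    if token == "good-token":
        return 200, b'{"id": "1234567890", "name": "Test User"}'
    return 401, b'{"error": {"code": 401, "message": "Invalid Credentials"}}'
```

Key the new database row on the `id` Google returns, not on any id or email the app sends alongside the token.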
Reputation: 6272
You should be able to use it to get the user info using the Google API. Normally an OAuth 2.0 bearer token is inserted into an Authorization HTTP header when calling a RESTful API.
See the sample provided here: http://code.google.com/p/google-api-java-client/wiki/AndroidAccountManager
Upvotes: 0