eleanor

Reputation: 1534

validating Android's authToken on third party server

I'm writing an Android application, which uses AccountManager to get the token. From an android app I'm able to interact with Google Picasa - it works fine.

What I would like to achieve is the following: send some text + authToken to my third party server, then check if the token is correct before saving the text. Now the question is: is it possible to determine if the authToken of a particular user is correct based solely on the token itself (and maybe the email address)?

I've already programmed the server part, which accepts the token (sent from the Android application), then issues a request to a URL address:

https://accounts.google.com/o/oauth2/tokeninfo?access_token=%token_here%

What I get back is the following JSON:

{
  "error" : "invalid_token"
}

But the link here http://oauthssodemo.appspot.com/step/4 states that if a token is correct I should receive a different JSON response. Can you tell me what I'm doing wrong? I believe that the way to check a token's validity really isn't that simple, and that I should rather implement the whole OpenID flow or something. Even if that is the case, how can I check whether the token sent by the Android app is correct, so I can save the 'text' part of the message?

Thank you.

Upvotes: 8

Views: 6029

Answers (5)

Rakesh Yarlagadda

Reputation: 31

I came across passport-google-token passport strategy which perfectly performs the task.

https://www.npmjs.com/package/passport-google-token

More details are present in the above link.

Upvotes: 1

Anton I. Sipos

Reputation: 3613

Based on information in this answer: What is the proper way to validate google granted OAuth tokens in a node.js server?, you might try using id_token instead of access_token in the URL to call Google's tokeninfo endpoint.

Upvotes: 0

Tim Bray

Reputation: 1663

Stop using AccountManager and start using Google Play service’s GoogleAuthUtil class, then it gets easy. See http://android-developers.blogspot.ca/2013/01/verifying-back-end-calls-from-android.html

Upvotes: 7

terentev

Reputation: 664

Read this: https://developers.google.com/accounts/docs/OAuth2WebServer

After the web server receives the authorization code, it may exchange the authorization code for an access token and a refresh token. This request is an HTTPs post, and includes the following parameters:

Upvotes: 1

eleanor

Reputation: 1534

The solution is as follows. You can verify the token via this url:

https://accounts.google.com/o/oauth2/tokeninfo?access_token=%token_here%

But in my case I was trying to validate "Authorization code" and not "Access token" as you can see here: https://code.google.com/oauthplayground/

If you're using Android and OAuth, don't use

lh2

but rather use the following as the service name:

http://picasaweb.google.com/data/

So you should call getAuthToken as follows:

getAuthToken(account, "http://picasaweb.google.com/data/", true, null, null);

Then you can validate the token received from this call on the URI posted above.

Upvotes: 2
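The server-side check the accepted approach describes, as an added Python example that is not code from the question or any answer. It assumes a placeholder client ID, takes the Picasa service name above as the required scope, and assumes the field names (audience, scope, expires_in, email) that the tokeninfo endpoint returns for a valid token; the sample responses are constructed, the first being the error body quoted in the question.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

TOKENINFO_URL = "https://accounts.google.com/o/oauth2/tokeninfo"

# Assumed values: the OAuth client ID the server expects as the token's
# audience (placeholder), and the service name from the answer, taken as scope.
EXPECTED_CLIENT_ID = "123456789.apps.googleusercontent.com"
REQUIRED_SCOPE = "http://picasaweb.google.com/data/"

# Constructed samples: the error body quoted in the question, and a response
# using the field names tokeninfo is assumed to return for a valid token.
INVALID_RESPONSE = {"error": "invalid_token"}
VALID_RESPONSE = {
    "audience": EXPECTED_CLIENT_ID,
    "scope": REQUIRED_SCOPE + " https://www.googleapis.com/auth/userinfo.email",
    "expires_in": 3412,
    "email": "user@example.com",
}


def fetch_tokeninfo(access_token):
    """Query tokeninfo over the network. An invalid token arrives as an HTTP
    400 whose body is the error JSON, so that body is returned, not raised."""
    url = TOKENINFO_URL + "?" + urllib.parse.urlencode({"access_token": access_token})
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        body = err.read().decode("utf-8")
        return json.loads(body) if body else {"error": "http_%d" % err.code}


def check_tokeninfo(info, client_id=EXPECTED_CLIENT_ID, scope=REQUIRED_SCOPE):
    """Return (ok, reason_or_email). No "error" key is not enough: a valid
    token issued to a different app must be rejected (audience check), and
    the scope and remaining lifetime must cover what the server will do."""
    if "error" in info:
        return False, "tokeninfo error: %s" % info["error"]
    if info.get("audience") != client_id:
        return False, "audience mismatch"
    if scope not in str(info.get("scope", "")).split():
        return False, "required scope not granted"
    if int(info.get("expires_in", 0)) <= 0:
        return False, "token expired"
    return True, info.get("email", "")
```

On the server, `check_tokeninfo(fetch_tokeninfo(token))` performs the live check; only when it returns `(True, email)` should the posted text be stored under that account.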
