Search code examples
androidsecuritysingle-sign-ongoogle-sso

authorize user to use REST API through google services

I have three actors:

  1. (my) RESTful API behind SSL.
  2. (my) Android app that has Google "Sign in" button.
  3. (my) Web App that allows user register using their Google Account via OAuth.

What I would like to be able to do is this:

  1. Generate something when user logs in on the mobile device.
  2. Compare that to something else I can generate on the server for that Google Account.
  3. If the two pieces match match, give app a newly generated token that it can use in all subsequent API calls for a period of time.

How do I go around doing that? I am reading through OAuth documentation but I am struggling to understand what are these "something" and "something else". Any help will be appreciated.

Solution

  • I have solved this, but I am not sure if this is the best way to do it.

    For Google, I send user uid and authorization token that I have obtained in the app by GoogleAuthUtil.getToken(). On the server, I go to https://www.googleapis.com/oauth2/v1/tokeninfo?fields=user_id&access_token={token}, where {token} is the token I received from my mobile app. If the user_id in OAuth2 response matches the uid that was supplied by API and the uid matches for some user record in my database, that user is considered authenticated.

    For Facebook, I do the same thing, except I use session.getAccessToken(...) to obtain the token on the app side and https://graph.facebook.com/me?fields=id&access_token={token} to verify it with Facebook.