validating Android's authToken on third party server
I'm writing an Android application, which uses AccountManager to get the token. From an Android app I'm able to interact with Google Picasa - it works fine.

What I would like to achieve is the following: send some text + authToken to my third party server, then check if the token is correct before saving the text. Now the question is: is it possible to determine if a particular authToken is correct based solely on the token itself (and maybe the email address)?

I've already programmed the server part, which accepts the token (sent from the Android application), then issues a request to the URL:

https://accounts.google.com/o/oauth2/tokeninfo?access_token=%token_here%

What I get back is the following JSON:

{
  "error" : "invalid_token"
}

But the link here http://oauthssodemo.appspot.com/step/4 states that if a token is correct I should receive a different JSON response. Can you tell me what I'm doing wrong? I believe that the way to check a token's validity really isn't that simple, and that I should rather implement the whole OpenID flow or something. Even if that is the case, how can I check whether the token sent by the Android app is correct, so I can save the 'text' part of the message?

Thank you.

Peripteral answered 23/3, 2012 at 18:34 Comment(2)
Any advances on this? I am very interested too. – Vacuva
+1 only for the precise wording of the question. It's 2015 and still hard to find proper/easy-to-find documentation for this. Frustrating. – Paddlefish
The solution is as follows. You can verify the token via this url:

https://accounts.google.com/o/oauth2/tokeninfo?access_token=%token_here%

But in my case I was trying to validate "Authorization code" and not "Access token" as you can see here: https://code.google.com/oauthplayground/

If you're using Android and OAuth don't use

lh2 

but rather use the following as service name:

http://picasaweb.google.com/data/

So you should call getAuthToken as follows:

getAuthToken(account, "http://picasaweb.google.com/data/", true, null, null);

Then you can validate the token received from this call on the URI posted above.

Peripteral answered 5/4, 2012 at 10:35 Comment(0)
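The server-side half of the flow the question and the accepted answer describe, as an added example that is not code from the question or the answer: the backend receives the token and some text, calls the tokeninfo URL above, and saves the text only when the response checks out. The `{"error": "invalid_token"}` body is the one quoted in the question; the successful-response field names (`audience`, `expires_in`, `email`, `verified_email` / `email_verified`), the client ID in `EXPECTED_AUDIENCE` and the sample bodies are assumptions and constructed values, since the page only shows the error case. The audience check is the part worth keeping: tokeninfo also answers successfully for a live token issued to some unrelated app, so without it any Google token would let a caller write into your store.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Endpoint from the question; the token goes in the query string.
TOKENINFO_URL = "https://accounts.google.com/o/oauth2/tokeninfo"
# Hypothetical placeholder: the OAuth client ID this backend is registered under.
EXPECTED_AUDIENCE = "000000000000.apps.googleusercontent.com"

# Constructed sample bodies: the one the asker received, and one shaped like
# a successful tokeninfo answer (field names are an assumption, see lead-in).
SAMPLE_INVALID = {"error": "invalid_token"}
SAMPLE_VALID = {"audience": EXPECTED_AUDIENCE, "expires_in": 3500,
                "email": "user@example.com", "verified_email": True}


def fetch_tokeninfo(token, param="access_token"):
    """Call tokeninfo and return the parsed JSON body. A rejected token comes
    back as an HTTP error whose body is {"error": ...}, so read that body too."""
    url = TOKENINFO_URL + "?" + urllib.parse.urlencode({param: token})
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return json.loads(resp.read().decode())
    except urllib.error.HTTPError as e:
        return json.loads(e.read().decode())


def validate_tokeninfo(info, expected_audience=EXPECTED_AUDIENCE):
    """Return (ok, detail): detail is the verified email on success,
    otherwise the reason the token was rejected."""
    if "error" in info:  # the response quoted in the question
        return False, info["error"]
    # A live token issued to some other app still passes tokeninfo; only the
    # audience check ties the token to this backend's own client ID.
    if info.get("audience") != expected_audience:
        return False, "audience mismatch"
    if int(info.get("expires_in", 0)) <= 0:
        return False, "expired"
    email = info.get("email")
    if not email or not (info.get("verified_email") or info.get("email_verified")):
        return False, "email not verified"
    return True, email


def save_text_if_valid(token, text, store, fetch=fetch_tokeninfo):
    """The flow from the question: validate first, then keep the text."""
    ok, detail = validate_tokeninfo(fetch(token))
    if ok:
        store.setdefault(detail, []).append(text)
    return ok, detail
```

The `fetch` parameter exists so the decision logic can be exercised offline against the constructed bodies; in production the default does the real HTTPS call.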
Stop using AccountManager and start using Google Play service’s GoogleAuthUtil class, then it gets easy. See http://android-developers.blogspot.ca/2013/01/verifying-back-end-calls-from-android.html

Latrena answered 25/1, 2013 at 1:9 Comment(6)
I've been looking on and off for a couple weeks now on how to ensure requests to my server (which serves content for my Android app) are coming from my Android app, and it looks like this is a perfect solution. Thank you for posting this!! – Cragsman
Hey Tim, I'm working through that example you linked to, which is very straightforward. I only have one question; it says to use GoogleAuthUtil.getToken() to get an ID token, but what value do I pass for the accountName? I know I can retrieve the authenticated Google accounts for the device, but if there's more than one how do I know which to use? Sorry if the answer is obvious, but I can't figure this one part out. – Cragsman
Probably too late on this, but use the AccountPicker class to let the user choose an account, and that will give you the accountName. – Latrena
Actually no, I haven't had time to work on this problem until now. Thanks for answering. :) I was hoping there was a way to avoid bugging the user (even though it's just once, after they've first installed). Oh well. One last question; if there's only a single Google account returned, is there any need to show the AccountPicker? I can't see why there would be... just want to make sure. Thanks again, Tim. – Cragsman
Hey Tim, I have the ID token from GoogleAuthUtil.getToken() which I pass to my web server through the Bearer header. I am all new to OAuth and Google Play services. Your article said to verify the token is coming from my app. What should I do on my PHP server endpoint when called from my Android app with said Bearer header token? I am having trouble finding docs for google-api-php-client/src/Google_Client.php or google-api-php-client/src/contrib/Google_PlusService.php explaining verification. What do I do to just verify the token and get the user_id from it? – Anubis
@Anubis The Bearer header is only for OAuth2 access tokens (e.g. when calling Google APIs). To interpret the Bearer header you need to have an OAuth2 service provider implementation on your backend. The article that Tim mentions deals with ID tokens used for authenticating the users. A totally different thing (and much simpler than OAuth2 authorization on the backend). – Trueman
Read this: https://developers.google.com/accounts/docs/OAuth2WebServer

After the web server receives the authorization code, it may exchange the authorization code for an access token and a refresh token. This request is an HTTPS POST, and includes the following parameters:

Eupheemia answered 19/7, 2012 at 10:23 Comment(1)
Hi, that's just the fields I get in a response, which was always working and wasn't part of the question. The question was how to validate the token once I've already got it. And the problem has been resolved as you can see by the green OK. – Peripteral
I came across passport-google-token passport strategy which perfectly performs the task.

https://www.npmjs.com/package/passport-google-token

More details are present in the above link.

Cinchonine answered 27/3, 2015 at 7:33 Comment(1)
Links tend to break over time. Please provide a short summary of what is in the link. See stackoverflow.com/help/referencing. – Tynan
Based on information in this answer: "What is the proper way to validate google granted OAuth tokens in a node.js server?", you might try using id_token instead of access_token in the URL to call Google's tokeninfo endpoint.

Rubious answered 1/5, 2013 at 23:15 Comment(0)