I am not able to differentiate between these two: requestIdToken and requestServerAuthCode, when we signin with google api from android device.
My requirement is to provide option for users to login in android device, and after login sync data to my server.
Server need to validate logged in user request from android device. I am thinking to use "requestIdToken".
On the server side i am using google client library to fetch user info from requestIdToken.
There is
requestIdToken (String serverClientId)
Specifies that an ID token for authenticated users is requested.
Requesting an ID token requires that the server client ID be
specified.
and there is
requestServerAuthCode (String serverClientId)
Specifies that offline access is requested. Requesting offline access
requires that the server client ID be specified.
You don't need to use requestIdToken(String) when you use this option.
When your server exchanges the code for tokens, an ID token will be
returned together (as long as you either use requestEmail() or
requestProfile() along with your configuration).
The first time you retrieve a code, a refresh_token will be granted
automatically. Subsequent requests will only return codes that can be
exchanged for access token.
From the docs.
As you can read here, requestServerAuthCode() is specifically for requesting offline access. If you do not need it, use requestIdToken()
Related
User access the Application Client
The Application Client redirects user to Authorization Server (via user-agent/browser)
The user enter your credentials (username/password)
The Authorization Server confirms credentials and sends the AuthorizationCode (in case of Authorization Code Grant) or Access Token (in case of Implicit Grant) to the Redirect URI (in my case, custom Android Schema pointing to my app).
...
(other steps involving token exchange or access token use steps ommited)
How and when the Application Client gets any info about the user that provided their credentials (like user ID or name)??
I'm using OAuth API Secure Project (https://github.com/OAuth-Apis/apis) for my Authorization Server, and an Resource Server/API generated by Swagger code-gen.
Everything is fine with tokens requests and responses, and the Authorization Server is saving the Access Keys with info about the Authenticated Principals fine. Also have an endpoint for retrieve this info about principal: /tokenInfo, but this endpoint is for Resource Server use (need Resource Server credentials).
So my problem is only about Application Client to get user info....
I can make an endpoint in my api only to get the info about the user/principal, based on access token and /tokenInfo endpoint referred, and return to Application Client, but its strange.... I think there is a standard for that...
Can someone helpme?
If the resource server does not expose any API which returns user information, the client application cannot get user information. If such an API exists, the client application can get user information by accessing the API with an access token.
If the authorization server supports OpenID Connect, there are two standard ways to get user information. One is to request the authorization server to issue an ID token which contains user information. The other is to access UserInfo Endpoint. See OpenID Connect Core 1.0 for details.
According to facebook development site.
https://developers.facebook.com/docs/graph-api/reference/v2.0/app/app_link_hosts
Under Publishing section
I tried with Android SDK but got this error
{"error":{"message":"(#200) Permissions error","type":"OAuthException","code":200}}
I tried with Curl option but got the same error
{"error":{"message":"(#200) Permissions error","type":"OAuthException","code":200}}
Ok so I double check my permission﹕ [public_profile, rsvp_event, publish_actions]
I have the correct permission It is so simple. Unless I miss something.
EDIT
Also check that the access_token is passed in.
If anyone have a solution please share.
I faced the similar problem like you did. It turns out that there are various types of access tokens. https://developers.facebook.com/docs/facebook-login/access-tokens,
User Access Token – The user token is the most commonly used type of token. This kind of access token is needed any time the app calls an API to read, modify or write a specific person's Facebook data on their behalf. User access tokens are generally obtained via a login dialog and require a person to permit your app to obtain one.
App Access Token – This kind of access token is needed to modify and read the app settings. It can also be used to publish Open Graph actions. It is generated using a pre-agreed secret between the app and Facebook and is then used during calls that change app-wide settings. You obtain an app access token via a server-to-server call.
Page Access Token – These access tokens are similar to user access tokens, except that they provide permission to APIs that read, write or modify the data belonging to a Facebook Page. To obtain a page access token you need to start by obtaining a user access token and asking for the manage_pages permission. Once you have the user access token you then get the page access token via the Graph API.
Client Token - The client token is an identifier that you can embed into native mobile binaries or desktop apps to identify your app. The client token isn't meant to be a secret identifier because it's embedded in applications. The client token is used to access app-level APIs, but only a very limited subset. The client token is found in your app's dashboard. Since the client token is used rarely, we won't talk about it in this document. Instead it's covered in any API documentation that uses the client token.
So the access token in this case is referring to App Access Token. You can obtain one using the API Explorer:
Note that you also need to be the admin of the Facebook app to be able to get the an App Access Token, if not the button will be greyed out like what is shown in the screenshot above.
I'm using Google+ authentication in my app to allow a user to sign in, and have access to their 'data' on my server.
The authentication process following the following steps:
User logs in using Google+ on the app, and receives an access token.
The user passes this token to the server.
The server uses this token to verify that the user is who they say they are (following the process shown here). The server can return the data as needed.
This is the part I'm stuck on - How do I verify that the user is who they say they are for future requests without making a request to Google's servers every time? Do I return a session token to the client application that is used, and regenerate the token after some amount of time?
Absolutely. Sending a session cookie is exactly the thing to do.
You will want to use ID tokens to verify that the user is who they say they are. There is a sample project in Java on Github to demonstrate this.
Also, you should be passing a one-time authorization code to your server, not access tokens. See the documentation for getting your server side tokens from an Android app. When you have that code, you send that to your backend and then exchange that one-time code for the server's own copies of access and refresh tokens for that user. Because you receive the tokens directly from Google on your backend they are more secure than having to send between mobile apps and your backend.
My Android app needs to send an authorization code to my server so that the server can use that to acquire an access token for the user's Google Drive account. I have been trying to figure out how to acquire the authorization code and I found this in the Google API documentation (Using OAuth 2.0 for Installed Applications):
This sequence starts by redirecting a browser (system browser or
embedded in the application as a web view) to a Google URL with a set
of query parameters that indicate the type of Google API access the
application requires. Like other scenarios, Google handles the user
authentication and consent, but the result of the sequence is an
authorization code. The authorization code is returned in the title
bar of the browser or as a query string parameter (depends on the
parameters sent in the request).
After receiving the authorization code, the application can exchange
the code for an access token and a refresh token. The application
presents its client_id and client_secret (obtained during application
registration) and the authorization code during this exchange. Upon
receipt of the refresh token, the application should store it for
future use. The access token gives your application access to a Google
API.
Now I am not sure how to get this authorization code in my Android app since the Android examples I have seen seem to get the access tokens directly. I am looking at the Android AccountManager class and it has a method getAuthToken but this seems to refer to the access token and not the authorization code.
So how does one acquire the authorization code that can be shared with a server? If it is possible I would greatly appreciate some example code. If this is not possible what are the possible workarounds?
You may want to take a look at the Cross-client Identity document. It should keep you from needing to pass user tokens back and forth.
I believe you can actually take the access token returned by the Android AccountManager, send this to your server, then have your server make a call against the Google Drive API using that same access token - it is a bearer token and not bound to the channel that created it, so please take good care of it and only send over encrypted connections.
Documentation on how to get that access token can be found here:
https://developers.google.com/drive/quickstart-android
While that access token is good for immediate use, it will expire in less than 1 hour, so if you are looking for a solution that enables your backend server to have continued access to the Drive data, without the user being present at your app at the time of request, an alternate approach will be needed.
I'm building an Android app as part of a client/server architecture, where my server will provide a service to the Android client. The server will not communicate with any Google server, but will need to authenticate the user via their gmail account. That is, the server needs to be sure that the http(s) requests coming from the phone are indeed from the person with that specific gmail account.
I was looking into Android's C2DM framework, which I can certainly use for passing service-related data back and forth, but how can I use Google account authentication between an Android phone and a third-party (non-Google) server?
Will Oath2.0 work for this, or is Oath2.0 only used for direct authentication between the phone and Google's services?
You didn't mention which language code you're going to use in your server.
The easier way to use C2DM is inside Google App Engine which comes with native support for Android integrations with C2DM.
If that's not the case ( EX: youre using php in your own server ) I would take a look to AccountManager which can provides you the auth token ( the app-user must allow it ).
When registering a new device to your C2DM server you'll need the device to communicate also the token so you'll be able to know if the user is really owner of that gmail account through a connection between your server and Google Servers.
:)
I think you must have got the answer to your query by now. But I still would to answer this question to assist other users who are interested in achieving something like this.
So to use google account access token to authenticate and authorize your app user against your own services you have to follow following steps.
Create a project in Google Cloud Console with two components (Create components by clicking on "APIs $ Auth >Credetials" option on left pane ). First component will be your web component (e.g. web-services) and second component is your android application.
Try to get access token by querying account manager in android app by executing GoogleAuthUtil.getToken() method by passing the current context, email id(queried using account manager) and scope as ("audience:server:client_id:").
Where is the "Client ID" parameter of the web component available under the project created on Google Cloud Console.
The method will return you the ID token encoded as JSON web token or JWT.
This ID token everything that a app would require to authenticate user on server.
The ID token consists of following parameters
iss: always accounts.google.com
aud: the client ID of the web component of the project
azp: the client ID of the Android app component of project
email: the email which identifies the user requesting the token, along with some other fields.
Pass this token to your web component (e.g. web services) over https(mandatory) where the web component and Android component client id's are already stored.
After decoding the received JWT ID token on server, check if "aud" parameter of the token and stored web component client id are equal and hence authenticate the user.
User identity can be fetched by reading the email parameter of JWT ID token which specifies the email id provided to access the Id token in android application while executing GoogleAuthUtil.getToken() method.
Note : The ID token on android can only be fetched by executing GoogleAuthUtil.getToken() if it is the same application singed by same certificate specified while creating android component under the project on Google Cloud Console.
More information can be found on "https://developers.google.com/accounts/docs/CrossClientAuth"