I am working on an Android app which uses google authentication.
I have this code segment:
try {
String token = GoogleAuthUtil.getToken(main, id, "oauth2:profile");
TRC.debug("google token=" + token);
return token;
} catch (UserRecoverableAuthException e) {
main.startActivityForResult(e.getIntent(), 15); // TODO const for 15
I would like to test the catch branch. When I've tried it first I got the google authentication Activity displayed. But when I tried it next time the UserRecoverableAuthException hadn't thrown.
How is it possible to force the app to log out from google?
Related
i'm trying to integrate 'Log in with Google' in app that have an android and web component. Everything in the web component is working fine with the following steps:
1. Rendering the view with an anti-forgery token, client id and app name.
$state = md5(rand());
Session::set('state', $state);
$this->view->render('login', array(
'CLIENT_ID' => 'my_web_client_id',
'STATE' => $state,
'APPLICATION_NAME' => 'my_app_name'));
2. When user clicks on the Google's SignIn button, obtain the one-time code from Google's servers and send it to my server.
3. After my server receives the one-time code using https://github.com/google/google-api-php-client to authenticate the user with that code.
if ($_SESSION['state'] != $_POST['state']) { // Where state is the anti-forgery token
return 'some error';
}
$code = $_POST['code'];
$client = new Google_Client();
$client->setApplicationName("my_app_name");
$client->setClientId('my_web_client_id');
$client->setClientSecret('client_secret');
$client->setRedirectUri('postmessage');
$client->addScope("https://www.googleapis.com/auth/urlshortener");
$client->authenticate($code);
$token = json_decode($client->getAccessToken());
// Verify the token
$reqUrl = 'https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=' . $token->access_token;
$req = new Google_Http_Request($reqUrl);
$tokenInfo = json_decode($client->getAuth()->authenticatedRequest($req)->getResponseBody());
// If there was an error in the token info, abort.
if ($tokenInfo->error) {
return 'some error';
}
// Make sure the token we got is for our app.
if ($tokenInfo->audience != "my_web_client_id") {
return 'some error';
}
// Saving user in db
...
// Load the app view
Now, for android client should be something similar, right? Following these tutorials:https://developers.google.com/+/mobile/android/sign-in and http://www.androidhive.info/2014/02/android-login-with-google-plus-account-1/
Executing async task in onConnected method
class CreateToken extends AsyncTask<Void, Void, String> {
#Override
protected String doInBackground(Void... voids) {
oneTimeCode = getOneTimeCode();
String email = getUserGPlusEmail();
try {
// Opens connection and sends the one-time code and email to the server with 'POST' request
googleLogin(oneTimeCode, email);
} catch (IOException e) {
e.printStackTrace();
}
return oneTimeCode;
}
}
private String getOneTimeCode() {
String scopes = "oauth2:server:client_id:" + SERVER_CLIENT_ID + ":api_scope:" + SCOPE_EMAIL;
String code = null;
try {
code = GoogleAuthUtil.getToken(
LoginActivity.this, // Context context
Plus.AccountApi.getAccountName(mGoogleApiClient), // String accountName
scopes // String scope
);
} catch (IOException transientEx) {
Log.e(Constants.TAG, "IOException");
transientEx.printStackTrace();
// network or server error, the call is expected to succeed if you try again later.
// Don't attempt to call again immediately - the request is likely to
// fail, you'll hit quotas or back-off.
} catch (UserRecoverableAuthException e) {
Log.e(Constants.TAG, "UserRecoverableAuthException");
e.printStackTrace();
// Requesting an authorization code will always throw
// UserRecoverableAuthException on the first call to GoogleAuthUtil.getToken
// because the user must consent to offline access to their data. After
// consent is granted control is returned to your activity in onActivityResult
// and the second call to GoogleAuthUtil.getToken will succeed.
startActivityForResult(e.getIntent(), AUTH_CODE_REQUEST_CODE);
} catch (GoogleAuthException authEx) {
// Failure. The call is not expected to ever succeed so it should not be
// retried.
Log.e(Constants.TAG, "GoogleAuthException");
authEx.printStackTrace();
} catch (Exception e) {
throw new RuntimeException(e);
}
Log.e(Constants.TAG, "ONE TIME CODE: " + code);
return code;
}
After obtaining the code successfully, send it to my server for authentication.
And here's the code on the server:
$code = $_POST['code'];
$client = new Google_Client();
$client->setApplicationName("my_app_name");
$client->setClientId('my_web_client_id'); // Web component's client id
$client->setClientSecret('client_secret'); // Web component's secret
$client->addScope("email");
$client->setAccessType("offline");
$client->authenticate($code);
...
And the problem is that authentication works only once every 10-15 minutes. When trying to obtain the one-time code more than once in 10-15 minutes, i get the same code as the last one(Clearly there is something wrong. This happens only with the android client and i'm getting this error: Error fetching OAuth2 access token, message: 'invalid_grant: i'). Couldn't find anyone with the same problem here in SO. Probably i'm doing something wrong, but can't figure out what is it...Any help would be appreciated.
You shouldn't be sending the code each time. On the web this is kind of OK as when you first consent you'll get a code that gives you offline access (you'll see a refresh token in the response when you exchange it) but in future cases you wont. On Android, you get a code that gives you a refresh token every time, which means you'll need to show the consent every time, and you're likely to run into per-user limits or cache issues (as you seem to be).
The magic extra component you need is a thing called an ID token. This you can get easily on both platforms and tells you who the person is. Take a look at this blog post for more: http://www.riskcompletefailure.com/2013/11/client-server-authentication-with-id.html
The limitation with an ID token is that you can't use it to call Google APIs. All it does is give you the Google user ID, the client ID of the app being used and (if email scope is used) the email address. The nice thing is that you can get one really easily on all platforms with less user interaction, and they're cryptographically signed so most of the time you can use them without making any further network calls on the server. If you don't need to make Google API calls (because you're just using it for auth) this is the best thing to use by far - given that you're just getting the email, I would be inclined to stop here.
If you need to make Google API calls from your server though, then you should use the code - but just once. When you exchange it, you store the refresh token in a database keyed against the user ID. Then, when the user comes back you look up the refresh token and use it to generate a new access token. So the flow would be:
First time:
Android -> Server: id token
Server -> I have no refresh token!
Android -> Server: code
Other times:
Android -> Server: id token
Server - I have a code, and can make calls.
For the web, you can use the same flow or carry on sending the code each time, but you should still keep the refresh token in the database if the response contains one.
I'm trying to develop an app with client-side Google oAuth2.0 authorization for my back-end. I've done all the work needed on the Google developer console.
Google keeps asking for offline access whenever the app requests an authorization token with GoogleAuthUtil.getToken(). I'd like to give the permission once and for all, so the authorization process becomes silent.
Here is the code I use in my authorization AsyncTask.
protected String doInBackground(String... arg0) {
String token = null;
try {
token = GoogleAuthUtil.getToken(mainActivity, mEmail, "oauth2:server:client_id:"+clientId+":api_scope:https://www.googleapis.com/auth/plus.login");
} catch (GooglePlayServicesAvailabilityException playEx) {
Dialog dialog = GooglePlayServicesUtil.getErrorDialog(
playEx.getConnectionStatusCode(),
mainActivity,
1001);
dialog.show();
} catch (UserRecoverableAuthException recoverableException) {
Intent recoveryIntent = recoverableException.getIntent();
mainActivity.startActivityForResult(recoveryIntent,1001);
// Use the intent in a custom dialog or just startActivityForResult.
Log.e("Auth", "Recoverable authentication exception: " + recoverableException.getMessage(), recoverableException);
} catch (GoogleAuthException authEx) {
// This is likely unrecoverable.
Log.e("Auth", "Unrecoverable authentication exception: " + authEx.getMessage(), authEx);
} catch (IOException ioEx) {
Log.i("Auth", "transient error encountered: " + ioEx.getMessage());
}
return token;
}
Ok, so I finally found something that could help any of you still struggling with this issue.
I changed the scope to something like this:
"audience:server:client_id:" + clientId
That's it. It works, even if the "plus.login" scope is not specified.
Hope this helps!
I am creating an App Engine project, and I want authenticated access from Google+.
I am now getting the token from the user in this way:
try {
String G_PLUS_SCOPE = "oauth2:https://www.googleapis.com/auth/plus.me";
String USERINFO_SCOPE ="https://www.googleapis.com/auth/userinfo.profile";
String SCOPES = G_PLUS_SCOPE + " " + USERINFO_SCOPE;
token = GoogleAuthUtil.getToken(MainScreenActivity.this, mAccount.name, SCOPES);
} catch (UserRecoverableAuthException e) {
startActivityForResult(e.getIntent(), 3);
}
This works, I catch the UserRecoverableAuthException if I have no permission and ask the user with the StartActivityForResult()
But I want to test it some more, looked for a way to revoke the access, but my app is not to be found here: https://security.google.com/settings/security/permissions
How can I revoke the access?
I want to post score points using facebook graph api, from my android application
I create android app in facebook developers page. I set to Native Android App , and I set Mobile Web settings like on image below
In android code I user this permissions for my app:
String[] permissions = {"publish_stream","publish_actions","user_games_activity","friends_games_activity"};
After successful login on facebook, I try to post score points to facebook using this android code
Bundle params = new Bundle();
params.putString("score", "100");
//params.putString("access_token", "token as constant");
String response = "null";
Utility.mFacebook.setAccessToken("token as constant");
try {
response = Utility.mFacebook.request("user_id/scores", params, "POST");
} catch (FileNotFoundException e) {
e.printStackTrace();
} catch (MalformedURLException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
}
And I receive this response:
{"error":{"message":"(#15) This method must be called with an app access_token.","type":"OAuthException","code":15}}
I get same error if I use Graph API Explorer:
In facebook settings ->Apps -> AppName -> Advanced->App Type is set to "Web" (I also try with Native/Desktop but I get same error)
Can anyone help me and tell me how to sent score from my android app to fb?
Thanks
"(#15) This method must be called with an app access_token."
Looks like you tried with an user access token.
See https://developers.facebook.com/docs/authentication/applications/ on how to get an app access token.
I need to obtain OAuth2 authentication token to pass it to the server so it can fetch list of Google Reader feeds for the user. Server is .NET - I have no access to it or to it's code but most likely it is using unofficial Reader API
I was able to use Android Account manager to obtain valid token for this purpose with the following code (notice that authTokenType="reader")
Account account = accounts[0];
manager.getAuthToken(account, "reader", null, this, new AccountManagerCallback<Bundle>() {
public void run(AccountManagerFuture<Bundle> future) {
try {
// If the user has authorized your application to use the tasks API
// a token is available.
String token = future.getResult().getString(AccountManager.KEY_AUTHTOKEN);
// Now you can send the token to API...
cacheManager.putString(GOOGLE_AUTH, token);
GoogleReaderManager.startAddFeedActivity(AddGoogleReaderSourcesActivity.this);
finish();
} catch (OperationCanceledException e) {
Log.e(TAG, "User cancelled", e);
finish();
} catch (Exception e) {
Log.e(TAG, "Failed to obtain Google reader API_KEY", e);
}
}
}, null);
The code above works fine when I send token to the server side .Net app: the app is able to retrieve the list of Reader feeds.
The problem is that this only works for "Google inside" devices. On Nook I have no such luck since there's no way that I was able to find to add Google account to the account manager. So I'm trying to it using OAuth 2 protocol as described here
It works fine as far as obtaining the token: User approves the app from the mobile page which returns the code token which then mobile app exchanges for the Auth token. However this token will not work with the server process. I have a feeling that perhaps I'm using the wrong scope in this URL:
https://accounts.google.com/o/oauth2/auth?response_type=code&scope=https://www.google.com/reader/api/0/subscription/list&redirect_uri=http://localhost&approval_prompt=force&state=/ok&client_id={apps.client.id}
Scopes that I did try in various combinations:
https://www.google.com/reader/api
https://www.google.com/reader/api/0
https://www.google.com/reader/api/0/subscription/list
https://www.google.com/reader/api+https://www.google.com/reader/atom
Here's example of JSON that is returned from get token POST
{"expires_in":3600,
"token_type":"Bearer",
"access_token":"ya29.AHES6ZSEvuUb6Bvd2DNoMnnN_UnfxirZmf_RQjn7LptFLfI",
"refresh_token":"1\/bUwa5MyOtP6VyWqaIEKgfPh08LNdawJ5Qxz6-qZrHg0"}
Am I messing up scope or token type? Not sure how to change a token type. Any other ideas?
P.S. Google account login page asks: Manage your data in Google Reader, that's why I suspect that the scope is wrong
I got it working for https://www.google.com/reader/api/0/subscription/list. So thought of sharing with you.
I have valid access_token:
This is what i tried to resolve it (partially) :
Google provides OAuth 2.o playgound; where they actually simulate all aspects of OAuth 2.0 as well as final API call to fetch data.
I found this very helpful as it clearly shows what is being sent to request.
Here is the URL : https://developers.google.com/oauthplayground/
Using this, i tweaked my api call below and it works :)
public static String getReaderContent(String accessToken){
String url = "https://www.google.com/reader/api/0/subscription/list" ;
HttpClient client = new HttpClient();
GetMethod method = new GetMethod(url);
String response="";
method.setRequestHeader("Authorization", "OAuth "+accessToken);
try {
int statusCode = client.executeMethod(method);
String response= method.getResponseBodyAsString();
System.out.println("response " + responseStr);
} catch (HttpException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
}
return response;
}
So this works properly fine for getting subscription list; but have not been able to make it work for reader api which you have mentioned in your question.
Let me know if you have got way around google reader API.