Can I use Google oauth2 id_token to access Google services - android

I implemented this: http://android-developers.blogspot.fi/2013/01/verifying-back-end-calls-from-android.html and then wanted to make the app ask the full name of the user from google servers.
I can get the id_token all right, pass it to the backend, verify it and get the user id and email from the token, but I don't seem to be able to find any way to turn the id_token to a token I could use to authenticate on google servers and request personal info from the profile scope. The google apps-app has the permissions to use the scopes, so as soon as I can understand how to get an auth-token, asking the info shouldn't be a problem.
Is it at all possible to access the Google servers with this token, or must I ask for a separate auth token for the personal info?

You should ask for a separate auth token for the personal info. The user has to explicitly grant permission for your app to see things like their name, gender, etc.

Detecting if account selected via AccountPicker is still valid without GET_ACCOUNTS permission

In my app I use AccountPicker.newChooseAccountIntent() to get the user to select an account and then use GoogleAuthUtil.getToken() to obtain an auth token for that account.
This is all done without requiring the GET_ACCOUNTS permission on Marshmallow.
The problem I have after moving to API 23 is that I cannot detect when the selected account is no longer valid because AccountManager.getAccountsByType() returns an empty list for google accounts as I do not have the GET_ACCOUNTS permission.
It is quite annoying to have the ability to select and authenticate using a google account without GET_ACCOUNTS, but lack the ability to detect when the account is no longer valid.
Does anyone know how to detect when the account is no longer valid?
You shouldn't be using GoogleAuthUtil.getToken() at all, nor AccountPicker.newChooseAccountIntent(). As per the Improving the Security and User Experience of your Google Sign In Implementation blog post, getToken() is vulnerable to a token substitution attack.
You should follow the migration guide to use Google Sign In and the requestIdToken() flow. This allows you to 1) know what account is signed in 2) know when that account is no longer valid and 3) still get tokens needed to authenticate with Google services.

Get Credential Provider for Authenticated Users

My Android app logs in with Google Plus, and I am trying to integrate it with Cognito. When I run the app, it gives me a Cognito Credential Provider ID, and when I log in with Google Plus it gives me a Google token. I checked my AWS Cognito, and it shows me this.
Unauthenticated connections 3
Google Sign-in 0.
But when it signs in properly with Google, and also provides me a Google token, then where am I going wrong?
EDIT 1: Here is my code:
Login with Google Plus
Cognito Sync Client Manager
In the future, you may want to include relevant code from your application to better help others assist you.
Have you followed the guide for integrating identity providers?
It's also important to note that the CredentialsProvider does lazy loading, meaning simply adding the token to the provider does not associate the identity. To ensure the token is actually linked to the identity, you can either:
Make a call to another service (for instance the SyncManager) that uses this provider (recommended)
Explicitly call refresh on your CredentialsProvider. (only recommended for testing purposes)
Edit 1
Did you add the tests I suggested in my original answer? If so, what if any errors did you receive?
You may want to try some of the following steps to verify your configuration:
Inspect the token via jwt.io. Validate that the azp field of the token matches the value entered into the Cognito console.
Create an OpenId Connect provider via the IAM console, adding all client ids from the Google console. Use this provider instead of the basic Google+ integration in your Amazon Cognito identity pool.
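The first question above (what an id_token is good for) and the checklist item about the azp field both come down to inspecting and validating the claims of a Google id_token on the backend. The following is an added example, not code from any of the posts above; the client ids are constructed placeholders, and it assumes the token's RS256 signature has already been verified against Google's published certificates before the claims are trusted.

```python
import base64
import json
import time

# Constructed for this example: the OAuth client ids a backend would expect.
BACKEND_CLIENT_ID = "1234567890-backend.apps.googleusercontent.com"    # expected in aud
ANDROID_CLIENT_IDS = {"1234567890-android.apps.googleusercontent.com"}  # allowed in azp
GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_id_token_claims(id_token):
    """Return the payload claims of a JWT (what jwt.io shows). No signature check."""
    _header, payload, _signature = id_token.split(".")
    return json.loads(_b64url_decode(payload))


def validate_claims(claims, now=None):
    """Return a list of problems; an empty list means the claims are acceptable.

    Assumes the RS256 signature was already verified with Google's certificates;
    these checks only cover the claims. aud must be the backend's own client id,
    while azp names the Android client that obtained the token.
    """
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") not in GOOGLE_ISSUERS:
        problems.append("unexpected issuer")
    if claims.get("aud") != BACKEND_CLIENT_ID:
        problems.append("aud is not this backend's client id")
    if claims.get("azp") not in ANDROID_CLIENT_IDS:
        problems.append("azp is not a registered Android client id")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    if not claims.get("email_verified", False):
        problems.append("email not verified by Google")
    return problems


def make_unsigned_token(claims):
    # Constructed test token with an empty signature segment: fine for exercising
    # the claim checks above, never acceptable as input to a real backend.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(claims) + "."
```

An id_token that passes these checks identifies the user to your own backend; it is not an access token for Google APIs, which is why the answer above says to request a separate token for profile data.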

How to use a google account in your Android Application

I want to develop an Android application that allows users to sign in with their Google Accounts (I think it's always an email address) instead of forcing the user to create a new one. I have 3 questions regarding this:
When the user starts the application for the first time I'll have to use the AccountManager, right? If the user has only one com.google account I'll use that one; if not, I'll ask him which one he wants to use. My question is, can I be sure that every com.google account in the AccountManager has been properly authenticated and the application can be sure that the user is who he says he is, so that I don't have to ask him to choose the account every time the application launches?
The application will have a server that will store in a database what restricted content the user has unlocked; that's why it needs the Google Account, to match the foreign key of the user with the foreign key of the content to know what that user has unlocked. How do you suggest I save the Google Account in the database as the user table's primary key? I could store the email of the Google Account, but aren't there privacy problems with that? What else can I use? I suppose there is no Facebook ID-like integer value for Google Accounts.
Do I need to use OpenID or OAuth 2.0 for any of these operations I've mentioned? I'm asking this because when the application doesn't have an internet connection I want the user to still be able to access the restricted content he unlocked and previously downloaded onto the phone. If I use OpenID that requires an internet connection, right? So the user wouldn't be able to enter the application, and that's not what I want.
Thanks
Using the account manager to check which accounts are available on the phone and ask the user which account he wants to use sounds like a good idea. I think it's a good idea to use OAuth 2.0 and grab the OAuth 2.0 access token for userinfo in your client application (https://www.googleapis.com/auth/userinfo.profile is probably the scope you want to use) and send this to your server when the client communicates with the server. Then, using the userinfo Google API, your server can use the access token to make sure the user is who he claims to be. With this API you can get hold of the user id, which you can use instead of the user's email.
Getting the auth token will require internet access, but since it's only needed when you communicate with your own server you can grab the token at that time.
I'm not 100% sure if the accounts given by the AccountManager can be trusted, but it will provide you with the google accounts available on the phone and I don't know of any way of adding an account to the phone without having access to the account. If this was possible it would be a really big security issue as well so I think you can trust that the accounts given by the AccountManager are authentic.
When you get the OAuth 2.0 token on the client I suggest you use the Google Play's GoogleAuthUtil instead of the account manager if it's possible. For more details on this see: In a nutshell what's the difference from using OAuth2 request getAuthToken and getToken

Login using Gmail credentials

Is there a way I can use Google credentials to get basic user info like
Email, Name, Gender
and use them in my application? It's like allowing the user to log in to my application using Gmail.
I asked the same here.
But the answer says:
You should not use Gmail for user authentication using Google accounts. You can use Google+ Sign-in for Android instead. This will allow you to access the user's profile information upon getting the required permissions using OAuth. Check out the guide here:
which I followed, and everything worked fine.
But if a Gmail account has no Google+ profile, my application asks to create a Google+ account. Which makes me think I implemented a Google+ login instead of a Gmail login.
Is the answer to my other question right? Meaning, without a Google+ profile you cannot have a Gmail login in Android?
If not how can I have a Google Login in my application?
A similar question here, with no replies.
Please help. Thank You
Try the article at this URL: http://nilvec.com/implementing-smtp-or-imap-xoauth-authentication-in-java.html.
I think this will help you.
I wouldn't confuse a "gmail" account and a "Google+" account as being different things. Really what you want is for a user to authenticate with their "Google account", which spans many services.
On Android, the easiest way to build authentication with Google accounts is to use the Google Play Services SDK, which includes services like Google sign in.
Google+ documents an end-to-end approach to using Google Play Services SDKs that cover the issues that you asked about by using the PlusClient:
Setting up the client
Getting the user's email address using either PlusClient.getAccountName() or the REST methods.
Getting the user's profile info using the PlusClient.loadPerson()
Documentation for using Google's OAuth2 to authenticate a user are provided at https://developers.google.com/accounts/docs/OAuth2Login. As the page notes, however, you and your users get additional features if they use a Google+ account and the Google+ Sign-in, but this is not necessary.
The scopes required are
https://www.googleapis.com/auth/userinfo.profile for name and gender
https://www.googleapis.com/auth/userinfo.email for the user's email address
Update: I should amend that these scopes are now deprecated, and scheduled for removal. See the URL above for details.

Android AccountManager - Add New Account

I'm using the Android AccountManager to authenticate a user's Google account for access to Google Drive. However, I want to allow the user to access Drive accounts that are not on their phone. For example, I have a work Google account that is not on my phone, but I would like to use it in my app. Is there a way to allow users to authenticate accounts that are not necessarily stored in the AccountManager?
Thanks
Perhaps you could add another Google account to the phone and allow the user to select which account to use. If this option doesn't satisfy you and you really want to authenticate to Google Drive accounts not on the phone, you must then use OAuth.
If you also really, but really, want to use the AccountManager facility in your app, you have to make an account type that behaves like the following:
When you create a new account you open a browser widget and perform an OAuth cycle with Google Drive, then store the token in secure store
When you request a token via getAuthToken() it either releases you the stored token or triggers a token refresh cycle using OAuth
This has its security drawbacks: better to perform the OAuth cycle without AccountManager and store tokens in app memory.