
I've been beating my head against the wall for about two days now, time to ask for help.

I've been trying to get my head around the following:

A mobile app user signs in on the app using one of the following:

  • Google
  • Facebook
  • etc...

I'll focus on Google first, the login works (user consents to permission). The app then retrieves a token: `GoogleAuthUtil.getToken(mActivity, mEmail, mScope);`, where the scope will be of the form `audience:server:client_id:XXXXXX` and XXXXXXX is the client_id of my webservice.

(The mobile app is also registered on Google Console and it's in the same project as the webserver)

Next the app sends the retrieved token to my webserver where the server can get the payload using `$client->verifyIdToken( $id_token );`. My server is using the Google API Client.

But I now wish to use this to let the server retrieve userdata from google, without requesting the user for further permissions (because they already gave the app the permissions). So how do I get from the payload to requesting userdata from google?

I'm still entertaining the idea that I might be completely misunderstanding this whole OAuth 2.0 / SSO process, so any pointers are deeply appreciated!

Frank van Luijn

1 Answer


The only userdata you get with the audience:server:client_id:XXXXXX scope is the user's email address, which is the email field in the JSON encoded $id_token you've received on your webserver (this blog post has the Java/Ruby equivalents, I assume there's a similar helper function for PHP).

If you need additional userdata outside of their email address, you'll need to request an additional scope, such as one of the Google+ API Scopes or the legacy Google Profile API Scope.

ianhanniballake
  • The blog post you mentioned points to a PHP solution as well (all the way at the bottom), that's the one I'm using. If I generate the token with other scopes as you mentioned, my webserver can't handle the token: `Error fetching Oauth2 access token: unauthorized client`. Or do I need a scope like `oauth2:https://www.googleapis.com/auth/userinfo.profile audience:server:client_id:XXXXXX` ? Your help is much appreciated! – Frank van Luijn Apr 23 '13 at 15:13
  • Using both scopes gives an error of `INVALID_SCOPE`, I think my main problem is that I don't quite understand how the interaction goes between app and server. Am I correct in assuming that the app gets a token from Google embedded with some permissions, sends it to the server and the server uses the token to perform the permitted actions? – Frank van Luijn Apr 23 '13 at 15:27
  • If you are using multiple scopes, you separate them with a space (with only `oauth2:` in front of the first one) in your `GoogleAuthUtil.getToken` call as per http://android-developers.blogspot.com/2012/09/google-play-services-and-oauth-identity.html One thing to note is that the `audience:server:client_id` scope does not require any user interaction, but all other scopes require user authorization and permission dialog(s). The link in this comment also goes through that process. – ianhanniballake Apr 23 '13 at 15:54
  • Thank you! That authorization header was the final missing piece :D – Frank van Luijn Apr 23 '13 at 16:35
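The server-side half of the flow described in the question and the answer, as an added example that is not part of this thread and not the Google API Client's own code: the backend receives the `audience:server:client_id` ID token from the app, checks its signature, issuer, audience and expiry, and only then trusts the `email` claim. The client ID, issuer list, signing key, timestamps and claim values are constructed placeholders (the real values are not on the page), and a constructed HMAC signature stands in for Google's RS256 signature so the example runs offline; in production `$client->verifyIdToken()` performs the signature check against Google's published certificates, but the audience and issuer checks shown here are the part that stops an ID token minted for some other application from being accepted by this server.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholders: the asker's real client ID and Google's keys are not on the page.
SERVER_CLIENT_ID = "XXXXXX.apps.googleusercontent.com"     # audience this server expects
GOOGLE_ISSUERS = ("accounts.google.com", "https://accounts.google.com")
DEMO_KEY = b"constructed-demo-hmac-key"                    # stands in for Google's RS256 key pair


def _b64url_decode(data):
    """Decode an unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_demo_id_token(claims, key=DEMO_KEY):
    """Build a JWT-shaped ID token signed with the constructed HMAC key (demo stand-in for Google)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = "{}.{}".format(header, payload).encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return "{}.{}.{}".format(header, payload, _b64url_encode(sig))


def verify_id_token(token, expected_aud, key=DEMO_KEY, now=None):
    """Return the validated claims, or raise ValueError describing which check failed.

    Order matters: reject an invalid signature before reading any claim, then bind the
    token to this server (aud) and to Google (iss), then reject expired tokens.
    """
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts

    # Signature check: in production this is what verifyIdToken does against Google's certs.
    signing_input = "{}.{}".format(header_b64, payload_b64).encode("ascii")
    expected_sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("signature does not verify")

    claims = json.loads(_b64url_decode(payload_b64))

    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("unexpected issuer: {!r}".format(claims.get("iss")))
    # The aud claim is the client ID the app named in audience:server:client_id:...;
    # it must be THIS server's ID, or a token issued for another app would be accepted.
    if claims.get("aud") != expected_aud:
        raise ValueError("token audience {!r} is not this server".format(claims.get("aud")))
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    return claims


def email_from_id_token(token, expected_aud, key=DEMO_KEY, now=None):
    """The only user data this scope yields: the verified email address from the ID token."""
    claims = verify_id_token(token, expected_aud, key=key, now=now)
    if not claims.get("email_verified", False):
        raise ValueError("email address in token is not marked verified")
    return claims["email"]


if __name__ == "__main__":
    NOW = 1366729980  # constructed fixed clock for a reproducible demo
    token = make_demo_id_token({
        "iss": "accounts.google.com", "aud": SERVER_CLIENT_ID, "sub": "1234567890",
        "email": "user@example.com", "email_verified": True, "iat": NOW, "exp": NOW + 3600,
    })
    print(email_from_id_token(token, SERVER_CLIENT_ID, now=NOW))
```

Any further user data (profile fields, contacts) needs an access token obtained with an additional `oauth2:` scope, as the answer and its comments explain; this ID token only proves who the user is to this audience.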