
Before I dig into the details of implementing this particular design, I wanted some advice/validation on whether I was approaching it correctly. I have a beginner's knowledge of Android, and an advanced beginner's knowledge of Python, GAE, and OpenId.

Environment

  • Android application
  • Web Services built in Python on Google App Engine
  • User(s) with Google Account

Scenario

I want to enable sign-in capabilities in my Android application without writing my own authentication system in GAE. Within the app, the user should be able to play as a guest without the ability to save high scores. If a user would like to have his high scores saved, he would authenticate against his Google account on the Android device. At the end of the game, the authenticated user's high score would be saved (associated with his Google Account) via the game's web services on Google App Engine. The user should also be able to sign out and hand the device to a friend who could also log in, play a game, and save her high scores associated with her Google account.

Design

  1. In the Android application, use OpenId for authentication whenever the user wishes to sign in (using something along the lines of what Nick has posted here).
  2. Grab the OpenId token from the cookie that is returned and associate it with the current user.
  3. Make a web service call to the GAE services, adding the token as a cookie and including the high score.
  4. The web service would authenticate that the token is valid.
  5. The web service would determine the unique Google account id associated with the token (I don't know how to do this, but I'm assuming there should be a means to do this) and look up that unique id against a cross-reference table to find the user's in-game id (which was previously created during account setup).
  6. Save the high score associated with the in-game id.
  7. Allow logout so another user can log in to the game with their Google Account and repeat the above process.

Thank you for your help

Erds
  • possible duplicate of [Looking to build a Android App, which syncs to App Engine datastore (python)](http://stackoverflow.com/questions/6939087/looking-to-build-a-android-app-which-syncs-to-app-engine-datastore-python) – Nick Johnson Aug 19 '11 at 04:14
  • 1
    or [this](http://stackoverflow.com/questions/5995277/app-engine-connected-android-app) or [this](http://stackoverflow.com/questions/1935056/is-it-possible-to-use-the-google-app-engine-as-a-backend-database-for-android-app). – Nick Johnson Aug 19 '11 at 04:15
  • Not really duplicates of those articles. This is specifically about the security, with the particular piece that I have not seen addressed being how you can hand off your phone to a friend and let them log in to their account to play. – Erds Aug 23 '11 at 02:16
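The server side of steps 4 to 7 above, as an added example that is not part of the question or the answers: the web service derives the account purely from the validated session cookie (never from anything the client asserts), maps the stable opaque Google user id to the in-game id through the cross-reference table, and stores the score against that id. `VALID_SESSIONS`, the cookie name `session`, and all accounts and ids are constructed stand-ins for what the App Engine Users API / OpenID provider would return.

```python
from dataclasses import dataclass, field


# Constructed stand-in for the identity the server derives from a validated
# session. On App Engine this would come from users.get_current_user(); the
# stable, opaque user_id is the value to key on, not the e-mail address,
# which a user can change.
@dataclass(frozen=True)
class GoogleAccount:
    user_id: str
    email: str


# Constructed table: session token -> account. Stands in for the token
# validation that the Users API / OpenID provider performs (step 4).
VALID_SESSIONS = {
    "sess-alice": GoogleAccount("10001", "alice@example.com"),
    "sess-bob": GoogleAccount("10002", "bob@example.com"),
    "sess-carol": GoogleAccount("10003", "carol@example.com"),  # no game id yet
}


@dataclass
class Backend:
    # Cross-reference table (step 5): Google user_id -> in-game id,
    # populated during account setup. Carol has not set up an account.
    xref: dict = field(default_factory=lambda: {
        "10001": "alice-the-great",
        "10002": "bob-the-builder",
    })
    # High scores keyed by in-game id (step 6).
    scores: dict = field(default_factory=dict)

    def current_account(self, cookies):
        """Step 4: identity comes only from the validated session cookie."""
        return VALID_SESSIONS.get(cookies.get("session"))

    def save_high_score(self, cookies, score):
        """Returns the in-game id the score was stored under, or None for guests."""
        account = self.current_account(cookies)
        if account is None:
            # Guest play, or a missing/forged cookie: playable, nothing saved.
            return None
        game_id = self.xref.get(account.user_id)
        if game_id is None:
            raise LookupError("no in-game id for account %s" % account.user_id)
        # Keep only a score that beats the stored one.
        if score > self.scores.get(game_id, 0):
            self.scores[game_id] = score
        return game_id
```

Logout (step 7) is simply the app dropping the cookie; the friend's own sign-in yields a different session, so her score lands under her own in-game id rather than the previous player's.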

2 Answers


You might find the 2011 Android + App Engine IO talk helpful.

Robert Kluin

I would look at Google's OpenID instead of OAuth. OpenID is the protocol for a federated login. See Google's information on OpenID.

Mark S.
  • So if I replace every OAuth with OpenID above, does the flow make sense? – Erds Aug 18 '11 at 18:18
  • There's a [good flow](http://code.google.com/apis/accounts/docs/OpenID.html#Interaction) at the Google site. It walks you through the whole interaction. – Mark S. Aug 19 '11 at 00:30
  • Sure, the thing I am still concerned about is how someone can hand their phone to a friend and let them log in to play the game. Will the Android AccountManager allow that? – Erds Aug 23 '11 at 02:17
  • I believe (but am not an expert) that the Android AccountManager allows you to have multiple Google Accounts. You would just need a way in the application to pick which account is the one to use. – Mark S. Aug 23 '11 at 05:03
  • I'm looking into it and will add what I find to the question. – Erds Aug 24 '11 at 11:48