
According to the Mobile App Google documentation, there is a parameter named redirect_uri which is not clear to me. For example, in the Web App flow of Google OAuth2, the procedure is some communication between front-end, back-end, and google server. In fact, the backend prepares two endpoints one for redirecting to the google auth page which will be called by the frontend, and another endpoint is /oauth2callback which will be called by the google server as a redirect_uri.

My question is, what's the redirect_uri in the Mobile App flow? Is it the same as my backend /oauth2callback, or does the Mobile App flow not need any backend part at all?


[NOTE]:

Actually, I am going to receive the credential stuff from the mobile side, including access_token, refresh_token, etc., on the backend, store it in the db, and use it for calling the google API on the server side.


[UPDATE]

Here's the flow I've implemented:

[flow diagram image]

Benyamin Jafari

2 Answers

0

The redirect uri is actually not differentiated by whether it's backend or frontend.

When you create authz credentials in Google, you're supposed to define the redirect method and the uri itself. Here's the type google suggests from the doc you linked:

> Custom URI scheme (Android, iOS, UWP): A custom URI scheme is recommended for Android apps, iOS apps, and Universal Windows Platform (UWP) apps.

The uri scheme tells the OS that when it sees a matching url, open a particular app (rather than the browser).

Obviously, if you're using the mobile phone's web browser for the flow, then you needn't worry about the custom scheme. This is even the preferred method in the native apps rfc.

akdombrowski
  • Actually, I want to receive the user's google token from the mobile side, store it in the db on the server side, and use those tokens per user whenever I want to call a google API. So for this scenario, should I create web flow credentials in the google developer console and use its `client_id`, and the backend `/oauth2callback` as `redirect_uri`? I've done this scenario for front-end and backend by the mentioned procedure, but I am not sure about mobile. – Benyamin Jafari Jul 24 '22 at 19:34
  • Apparently, the flow mentioned in your link is used for calling the google APIs from the client app itself, not on the server side. – Benyamin Jafari Jul 24 '22 at 19:50
  • If you're looking to enable your server to make calls on behalf of your user, Google has a separate guide for that. It's not strictly OAuth. https://developers.google.com/identity/sign-in/android/offline-access – akdombrowski Jul 25 '22 at 00:20
  • Yes, that is what I want. But I think the mentioned link follows this [flow](https://ghost.hacksoft.io/content/images/size/w1000/2021/05/Google-OAuth-FE-flow@2x.png), in which the client-side gets the `authorization code` from google, then sends it to the server-side in a second request to exchange the `authorization code` for an `access_token`, which I can then store in the db. However, I think there is a better flow, which I've updated my post with, in which the client-side calls google for the authorization code, and google calls my server-side callback itself via the `redirect_uri` defined in the request. – Benyamin Jafari Jul 25 '22 at 04:50
0

I think what you want to achieve can be done in the following way:

Implement the Authorization Request on the Mobile app, and set redirect_uri in a way that redirects back to your app, i.e: claim that url with your app. When you get the auth code in your app, send that auth code to your backend, and do the token request from your backend. That way, you'll have all tokens on the backend.

The flow is:

  1. Authorization Request from mobile app to OAuth provider (e.g: Google).
  2. Google responds with auth_code to your mobile app.
  3. Send that auth_code to backend (this is your own Token Request route).
  4. Do the Token Request on backend with the auth_code and get access_token and refresh_token -- here you have the possibility to store it.
  5. Respond to the mobile app with the desired token so it can use it for authentication/authorization.
f4z3k4s
  • I got your points, and if I understood you correctly, you are following this [flow](https://ghost.hacksoft.io/content/images/size/w1000/2021/05/Google-OAuth-FE-flow@2x.png), aren't you? But I think I can do that with fewer requests, I mean the flow I updated my question with: the client-side calls google for the authorization code, and google calls my server-side callback itself via the `redirect_uri` defined in its request. So in the backend I will have the code, and then I will exchange it for an access token and refresh token. What's your opinion about that? – Benyamin Jafari Jul 25 '22 at 13:02
  • 1
    Yeah, the flow that you linked is correct. Your method: then what happens in your application? Your app keeps hanging, redirected out to google, which never calls back to your app. – f4z3k4s Jul 25 '22 at 13:06
  • Actually, I want only my android app to do the google authentication stuff, nothing more. I want the app to prepare the authentication stuff to be sent to the server-side, and then I create google calendar events using the google API and the access token for each user on the server-side in some actions. – Benyamin Jafari Jul 25 '22 at 16:24
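The backend half of the five steps in the answer above, written as an added example rather than code from either answer: the app posts the auth code it received at its own claimed redirect URI, the backend exchanges it at Google's token endpoint and keeps the tokens, and only the short-lived access token goes back to the app. The redirect URI value, the in-memory `store` dict and the route function name are assumptions; the token endpoint URL and the form parameters are Google's documented ones.

```python
import json
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

GOOGLE_TOKEN_URL = "https://oauth2.googleapis.com/token"

# Must equal the redirect_uri the mobile app sent in its authorization request
# (the custom-scheme URI the app claims), or Google rejects the exchange.
# Placeholder value constructed for this example.
APP_REDIRECT_URI = "com.example.app:/oauth2redirect"


def _http_post(url, body):
    """Real transport: POST a form body and decode Google's JSON reply."""
    req = Request(url, data=body,
                  headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urlopen(req) as resp:
        return json.load(resp)


def exchange_code(code, client_id, client_secret, code_verifier, post=_http_post):
    """Step 4: exchange the auth code for tokens. `post` is injectable so the
    exchange can be exercised offline; client_secret is None for Android/iOS
    client types, which have no secret."""
    params = {"grant_type": "authorization_code", "code": code,
              "client_id": client_id, "redirect_uri": APP_REDIRECT_URI,
              "code_verifier": code_verifier}  # PKCE verifier made by the app
    if client_secret:
        params["client_secret"] = client_secret
    reply = post(GOOGLE_TOKEN_URL, urlencode(params).encode())
    if "error" in reply:
        raise ValueError("token exchange failed: %s" % reply["error"])
    return reply


def handle_auth_code(store, user_id, code, client_id, client_secret,
                     code_verifier, post=_http_post, now=time.time):
    """Steps 3-5: the app posts the code here; the backend exchanges and stores
    the tokens and answers with only what the app needs. The refresh token never
    leaves the server."""
    tokens = exchange_code(code, client_id, client_secret, code_verifier, post)
    entry = store.get(user_id, {})
    entry["access_token"] = tokens["access_token"]
    entry["expires_at"] = now() + tokens["expires_in"]
    # Google returns refresh_token only on the first consent; keep the old one.
    if "refresh_token" in tokens:
        entry["refresh_token"] = tokens["refresh_token"]
    store[user_id] = entry
    return {"access_token": tokens["access_token"], "expires_in": tokens["expires_in"]}
```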