
I'm writing an Android application which uses AccountManager to get the token. From an Android app I'm able to interact with Google Picasa - it works fine.

What I would like to achieve is the following: send some text + authToken to my third-party server, then check if the token is correct before saving the text. Now the question is: is it possible to determine whether a particular authToken is correct based solely on the token itself (and maybe the email address)?

I've already programmed the server part, which accepts the token (sent from the Android application), then issues a request to a URL:

https://accounts.google.com/o/oauth2/tokeninfo?access_token=%token_here%

What I get back is the following JSON:

{
  "error" : "invalid_token"
}

But the link here http://oauthssodemo.appspot.com/step/4 states that if a token is correct I should receive a different JSON response. Can you tell me what I'm doing wrong? I believe that the way to check a token's validity really isn't that simple, and that I should rather implement the whole OpenID or something. Even if that is the case, how can I check whether the token sent by the Android app is correct, so I can save the 'text' part of the message?

Thank you.

eleanor

5 Answers


Stop using AccountManager and start using Google Play services' GoogleAuthUtil class, then it gets easy. See http://android-developers.blogspot.ca/2013/01/verifying-back-end-calls-from-android.html

Tim Bray
  • I've been looking on and off for a couple weeks now on how to ensure requests to my server (which serves content for my Android app) are coming from my Android app, and it looks like this is a perfect solution. Thank you for posting this!! – The Awnry Bear Jun 03 '13 at 05:57
  • Hey Tim, I'm working that example you linked to which is very straightforward. I only have one question; it says to use `GoogleAuthUtil.getToken()` to get an ID token, but what value do I pass for the `accountName`? I know I can retrieve the authenticated Google accounts for the device, but if there's more than one how do I know which to use? Sorry if the answer is obvious, but I can't figure this one part out. – The Awnry Bear Jun 04 '13 at 03:23
  • Probably too late on this, but use the AccountPicker class to let the user choose an account, and that will give you the accountName – Tim Bray Jun 15 '13 at 04:59
  • Actually no, I haven't had time to work on this problem until now. Thanks for answering. :) I was hoping there was a way to avoid bugging the user (even though it's just once, after they've first installed). Oh well. One last question; if there's only a single Google account returned, is there any need to show the AccountPicker? I can't see why there would be... just want to make sure. Thanks again, Tim. – The Awnry Bear Jun 16 '13 at 11:32
  • Hey Tim, I have the id token from GoogleAuthUtil.getToken() which I pass to my web server through the Header Bearer. I am all new to oauth and Google Play services. Your article said to verify the token is coming from my app. What should I do on my php server endpoint when called from my android app with said Header Bearer token? I am having trouble finding docs for google-api-php-client/src/Google_Client.php or google-api-php-client/src/contrib/Google_PlusService.php explaining verification. What do I do to just verify the token and get the user_id from it? – Sunny Jul 04 '13 at 01:53
  • @Sunny The Header Bearer is only for OAuth2 Access Tokens (ex: when calling Google APIs). To interpret the Header Bearer you need to have an OAuth2 Service Provider implementation on your backend. The article that Tim mentions deals with ID Tokens used for authenticating the users. A totally different thing (and much simpler than OAuth2 authorization on the backend). – ddewaele Jul 23 '13 at 01:17

The solution is as follows. You can verify the token via this url:

https://accounts.google.com/o/oauth2/tokeninfo?access_token=%token_here%

But in my case I was trying to validate "Authorization code" and not "Access token" as you can see here: https://code.google.com/oauthplayground/

If you're using Android and OAuth, don't use

lh2 

but rather use the following as service name:

http://picasaweb.google.com/data/

So you should call getAuthToken as follows

getAuthToken(account, "http://picasaweb.google.com/data/", true, null, null);

Then you can validate the token received from this call on the URI posted above.

eleanor

Read this: https://developers.google.com/accounts/docs/OAuth2WebServer

After the web server receives the authorization code, it may exchange the authorization code for an access token and a refresh token. This request is an HTTPs post, and includes the following parameters:

terentev
  • Hi, that's just the fields I get in a response, which was always working and wasn't part of the question. The question was how to validate the token once I've already got it. And the problem has been resolved as you can see by the green OK. – eleanor Jul 19 '12 at 18:17

I came across passport-google-token passport strategy which perfectly performs the task.

https://www.npmjs.com/package/passport-google-token

More details are present in the above link.

  • Links tend to break over time. Please provide a short summary of what is in the link. See https://stackoverflow.com/help/referencing . –  Mar 27 '15 at 07:56

Based on information in this answer: What is the proper way to validate google granted OAuth tokens in a node.js server? ,

you might try using id_token instead of access_token in the url to call Google's tokeninfo endpoint.

Anton I. Sipos