Android AppEngine Endpoints Auth and InApp Billing

Question

I have ran into a tricky problem.

I am using Appengine Endpoints to implement my server side API. This API returns some data to my users. Application supports in app products purchases. My idea is simple: as soon as user purchases a certain product API will return additional data. The straightforward approach is passing a flag as a parameter to API. But I want to make it more secure by enabling OAuth authentication to my endpoints. So as soon as user purchases something it is verified and remembered on a server. Thus my API endpoint will always know what data to return to a particular user.

The problem however is the following. I don't want to force users authenticating unless they want to make a purchase. But then there is a situation that users may use another device and not login using their google account through my app. This way my API will return only free data, but the user has paid products bought. I can query purchased products via play services, but I still need to either auth on my server or pass a flag to get full data.

How are these things usually done? Can I silently use users first Google account (which is afaik guaranteed to be the on Play Store uses) to auth on my server or is this wrong?

Thanks.

Answer 1

You should use OAuth 2.0 for what you mentioned.

You can use the first Google account allowing authentication on your serve side. OAuth 2.0 is a great tool that simplifies and get developers an easy way to allow users to access your application, might it be a game or trade platform. The OAuthHmacSigner object will manage the authentication for you as it got initialized:

signer = new OAuthHmacSigner();
signer.clientSharedSecret = Constants.CONSUMER_SECRET;

Then the Android activity uses the following code to launch the OAuth flow :

launchOauth.setOnClickListener(new View.OnClickListener() {
    public void onClick(View v) {
        startActivity(new Intent().setClass(v.getContext(),
                PrepareRequestTokenActivity.class));
    }
});

To implement it for your App, you can integrate OAuth 2.0 Google OpenID using Java, but also you can choose to use Python or Ruby instead. It provides several tools to increase security, making it also easy to build an anti-forgery state token:

String state = new BigInteger(130, new SecureRandom()).toString(32);
request.session().attribute("state", state);
return new Scanner(new File("index.html"), "UTF-8")
  .useDelimiter("\\A").next()
  .replaceAll("[{]{2}\\s*CLIENT_ID\\s*[}]{2}", CLIENT_ID)
  .replaceAll("[{]{2}\\s*STATE\\s*[}]{2}", state)
  .replaceAll("[{]{2}\\s*APPLICATION_NAME\\s*[}]{2}",
              APPLICATION_NAME);

In order to get an OAuth 2.0 access token, you simply need to call:

AccountManager.getAuthToken() 

Which requests a token using an authTokenType of oauth2. Then you can as usual integrate it to your back-end hosted in your server side.