Android: Verify device google account name on server

I'm developing an android app which uses google account available on device to authenticate user to server-side component.

I send google account name (gmail address) to server but to be able to verify it with google on server, I request an oauth token on android device and send it to server as well.

The problem is that although I don't need access to additional user info, I have to use oauth email scope which opens a confirmation dialog. I don't like this dialog because I'm going to verify account name not accessing user info.

There is also AccountManager.getPassword(account) but I don't like to communicate or use user password.

It is also possible to use WebView and authenticate the user like a web app (using OpenID for example), but it doesn't seem an optimal solution on a device.

Is there any other/better way to verify device account name on server?

Ali Shakiba asked Oct 05 '12 10:10




1 Answer

Use AccountManager or Google Play Services to get an OAuth2 token for the user profile (scope: https://www.googleapis.com/auth/userinfo.profile). Then verify it using the Google endpoint (https://accounts.google.com/o/oauth2/tokeninfo) and optionally get user info. A sample app is provided here: http://oauthssodemo.appspot.com. You seem to be doing something similar, and if so this is the right (or at least recommended) way to do it. BTW, you cannot get the user password, because you are not signed with the same certificate as the account provider.

The only other (reliable) way to do this is to send the user an email to their GMail address with a random token and have them enter it in the app. This lets you verify that they have access to the email, so it must be theirs (unless of course they stole someone else's device).

Or you can simply trust that if the user has the account registered on their device, it is indeed their account, because they authenticated at least once when activating the device. Then you just use the Gmail address as is, which may or may not be sufficient for your app.

Nikolay Elenkov answered Sep 29 '22 14:09
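The server-side half of the recommended approach, as an added example that is not part of the answer above or of the linked demo app: the device sends its Gmail address plus the OAuth token, the server asks the tokeninfo endpoint about the token and accepts the address only if Google asserts it. The response shape is the legacy tokeninfo format (`audience`, `scope`, `expires_in`, `email`, `verified_email`); the `email` field is only present when the email scope the question mentions was granted, and the sample response, client ID and address are constructed.

```python
import json
import urllib.parse
import urllib.request

TOKENINFO_URL = "https://accounts.google.com/o/oauth2/tokeninfo"

# Constructed sample of a tokeninfo response (assumed legacy-endpoint
# shape; not captured from a real request).
SAMPLE_TOKENINFO = {
    "issued_to": "123456789.apps.googleusercontent.com",
    "audience": "123456789.apps.googleusercontent.com",
    "scope": "https://www.googleapis.com/auth/userinfo.profile "
             "https://www.googleapis.com/auth/userinfo.email",
    "expires_in": 3480,
    "email": "user@example.com",
    "verified_email": True,
    "access_type": "online",
}


def fetch_tokeninfo(access_token: str) -> dict:
    """Ask Google about the token the device sent (network call)."""
    query = urllib.parse.urlencode({"access_token": access_token})
    with urllib.request.urlopen(TOKENINFO_URL + "?" + query, timeout=10) as r:
        return json.loads(r.read().decode())


def verify_account(info: dict, claimed_email: str, client_id: str) -> bool:
    """True only if `info` proves `claimed_email` belongs to the caller.

    audience   - a valid token minted for a *different* app is rejected,
                 otherwise any app the user authorised could impersonate
                 them to this server;
    email      - the address must be asserted by Google (verified_email)
                 and must equal what the device claimed;
    expires_in - a stale token is not evidence of a current session.
    """
    if "error" in info:
        return False
    if info.get("audience") != client_id:
        return False
    if not info.get("verified_email"):
        return False
    if info.get("email", "").lower() != claimed_email.lower():
        return False
    if int(info.get("expires_in", 0)) <= 0:
        return False
    return True
```

In production the `info` dict comes from `fetch_tokeninfo(token)`; the constructed sample lets the checks run offline.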