Best way to allow users access to your app using their Google credentials

If you have an Android application that requires user registration and you would like to allow your users to log in via Google, how would you handle this?

I would like to keep Google+ sign-in out of the discussion here. We're also not using the user credentials to access Google APIs and I'm not interested in additional access to social features of Google+.

There seems to be a number of options:

Use OAuth2.0 for authentication

Documented in the Google OAuth2 Login page

This doesn't really mention Android, but it is (partly) based on OAuth2 access tokens and, more importantly, on the validation of a JSON Web Token id_token.

This way of authenticating users also involves launching a WebView to allow the users to log in to their Google account, and a rather complex verification of the id_token.

Use OAuth2 / Google Play Services

There's a sample in Google Play Services that focusses more on authorization. It uses GoogleAuthUtil.getToken to retrieve an access_token. A part of it is definitely authentication, as the dialog states "Sign in to ...".


Am I correct to assume that it's a bad practice to use the OAuth2.0 flow with access_token as an authentication mechanism? (Storing the access token as an authentication token.)

Supporting Facebook / Twitter logins

The reason I'm asking is because of the way Twitter and Facebook recommend you implement a "Sign in with ..." authentication process:

  • Implementing Sign in with Twitter
  • Facebook Login Flow for Android

This also seems to be based purely on OAuth access tokens.

Are there any other options I'm not aware of that allow you to authenticate users with their Google account?

ddewaele asked Jul 13 '13 11:07


2 Answers

What you need is this http://android-developers.blogspot.com/2013/01/verifying-back-end-calls-from-android.html

i.e. get an ID Token and use it to sign in to the backend of your application.

You are right. In general, it is a bad idea to use an access token for authentication. We have done multiple presentations to caution developers about it. https://docs.google.com/presentation/d/1klTZheiQIhcty6MKvTYS12cw1Vyn4T1R4d60QCRYM60/edit?usp=drive_web

If there is no other option and one only has an access token, you may be able to do some extra verification to use it to log in and mitigate potential security issues. There is a reason the ID Token was designed in OpenID Connect, and that is for use in authentication.

nvnagr answered Nov 16 '22 15:11
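The backend-side ID token verification this answer points to, as an added example written for this page (it is not code from the answer, from Google, or from any library). It uses only Go's standard library and generates a throwaway RSA key pair to stand in for Google's signing key so that it runs offline; the client ID and subject values are placeholders. The verifier pins the algorithm to RS256, checks the signature first, and only then checks iss, aud and exp before the subject is trusted as the logged-in user.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// IDTokenClaims is the subset of an OpenID Connect id_token's claims a login needs.
type IDTokenClaims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// decodeJSONPart base64url-decodes one JWT segment and parses it as JSON.
func decodeJSONPart(seg string, v interface{}) error {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// generateIssuerKey makes a throwaway key standing in for Google's signing key (constructed, so the demo runs offline).
func generateIssuerKey() *rsa.PrivateKey {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // demo key; error ignored for brevity
	return key
}

// signRS256 mints a compact RS256 JWT, playing the issuer's role for the demo only.
func signRS256(key *rsa.PrivateKey, claims IDTokenClaims) (string, error) {
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64url([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64url(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// VerifyIDToken runs the checks a backend must pass before treating the token as a login.
func VerifyIDToken(token string, issuerKey *rsa.PublicKey, clientID string, now time.Time) (*IDTokenClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token: expected header.payload.signature")
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := decodeJSONPart(parts[0], &header); err != nil {
		return nil, fmt.Errorf("header: %w", err)
	}
	// Pin the algorithm; the token must never get to choose it ("none", an HMAC alg, ...).
	if header.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(issuerKey, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature does not verify under issuer key")
	}
	// Only once the signature holds are the claims worth reading.
	var claims IDTokenClaims
	if err := decodeJSONPart(parts[1], &claims); err != nil {
		return nil, fmt.Errorf("payload: %w", err)
	}
	if claims.Iss != "accounts.google.com" && claims.Iss != "https://accounts.google.com" {
		return nil, fmt.Errorf("unexpected issuer %q", claims.Iss)
	}
	// aud must be our own client ID: a genuine token minted for another app is still rejected.
	if claims.Aud != clientID {
		return nil, fmt.Errorf("audience %q is not this app", claims.Aud)
	}
	if !now.Before(time.Unix(claims.Exp, 0)) {
		return nil, errors.New("token expired")
	}
	return &claims, nil
}

func main() {
	key, now := generateIssuerKey(), time.Now()
	const clientID = "PLACEHOLDER-client-id.apps.googleusercontent.com" // placeholder, not a real ID
	token, _ := signRS256(key, IDTokenClaims{Iss: "https://accounts.google.com", Aud: clientID,
		Sub: "constructed-subject-id", Exp: now.Add(time.Hour).Unix()})
	fmt.Println(VerifyIDToken(token, &key.PublicKey, clientID, now))
	// A genuine token issued to a different app fails the audience check.
	fmt.Println(VerifyIDToken(token, &key.PublicKey, "another-app.apps.googleusercontent.com", now))
}
```

In production the public key is not generated locally: it comes from Google's published certificates, selected by the token's kid header, and the token checked is the id_token the Android app obtained and sent to the backend over TLS. The access_token the question asks about never goes through this path; it carries no audience or issuer binding to your app, which is the practical reason the answer says not to use it as a login credential.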


The recommended way is to use the new Google+ Sign-in: https://developers.google.com/+/mobile/android/sign-in

MattSkala answered Nov 16 '22 14:11