Best way to use Google APIs using OAuth 2.0 on Android

Question

I'm trying to migrate an Android application using OAuth 1.0a to OAuth 2.0. (using the Google API Client Library for Java/Android for my OAuth 2.0 needs).

What is the best/preferred solution for accessing Google APIs using OAuth 2.0 on an Android platform that takes into account the usability aspect as well. The user should be able to autorize access in an easy way, seamlessly integrating with my Android app.

The application is currently using the OAuth 1.0 web based flow, where my application pops a browser to let the user authorize access, and using a custom redirect URI, my application is capable of retrieving an access token. It works pretty well, but I didn't like the fact that I need to leave my app in order to pop a brower to display a webpage. I was thinking that OAuth 2.0 might work around this, and allow for a better user experience.

I started looking at the Adroid AccountManager-OAuth2 integration as outlined at Google IO, as it doesn't involve a webbrowser, and is more tightly coupled with Android, but it is simply not working the way it should. It's not documented, and unclear if it will remain a viable option for the future.

I've now started investigating the standard OAuth 2.0 web flow.

Here I seem to be having 2 options :

Configure the OAuth 2.0 client as an installed app, and use the urn:ietf:wg:oauth:2.0:oob redirect URI.

Not very clean solution, as I'm not going to have my users copy-paste some code into my app. This is not user-friendly at all.

The Using OAuth 2.0 to Access Google APIs docs mention that there is some way of polling the title of the page to parse out the URL, but I also see a lot of usability issues with that, and don't really feel like writing this kind of plumbing code. If a client library exists that would do that for me, I'd be happy to investigate this further, but for now, I've dropped this option.

Configure the OAuth 2.0 client as a webapp, and use a redirect URI.

Here I noticed non-standard schemes are prohibited in OAuth 2.0. Before, it was possible to use something like xoauth://callback, but that's not allowed anymore. When configuring a redirect URI like http://mysite.com/oauth2/callback, I'm unable to have Android open up my activity when the Google OAuth 2.0 page redirects, despite having setup a proper intent filter for it. The http://mysite.com/oauth2/callback is simply displayed in my browser.

The following does work

Intent i = new Intent(Intent.ACTION_VIEW,Uri.parse("http://mysite.com/oauth2/callback"));
startActivity(i);

But when the Google OAuth 2 page redirects to that same URL, it is simply displayed in the browser.

Even if this would work, the user would still be presented with a chooser popup (open in browser or open using my Android Activity). From a usability perspective, this is also not acceptable.

I'm looking for a better solution than the ones outlined here.

Regards, Davy

Answer 1

I ended up using a WebView component to load up the Google Authorization URL. Using a WebviewClient, I was able to intercept the pages being loaded into the Webview, and as such, when the user accepts or denies the authorization request, I was able to continue the flow.

If the user accepts, the URL that Google redirects to contains a "code" request param, and the application is able to exchange it for an OAuth 2.0 token. If the user does not accept, the URL that Google redirects to contains a "error" request param, and the application can handle the non-happy scenario.

I've written down everything in a blog post : Oauth 2.0 flow in Android

The post also contains a sample Android app using the OAuth 2.0 flow with the Latitude API. Sample code is available in GitGub.

Answer 2

Play Services were introduced at Google I/O 2013 and are now the official way to use OAuth2 in Android. They do not require a WebView.