Can I use Android's AccountManager for getting OAuth access token for AppEngine?

Question

I have Android client to my AppEngine server, both using Google Accounts. I would like to use AccountManager for getting accessToken for OAuth. So far I'm using ClientLogin, but I would like to switch to OAuth.

Setting up OAuth on AppEngine is easy - I followed this article. But the client side is a mystery, in particular I don't know what to use for scope, in AccountManager terms authTokenType. For ClientLogin, I'm using "ah" for authTokenType. But what about OAuth?

Answer 1

As of today you can use Google Play Services API on android to do Oauth 2.0 authentication on android. You could then use the method described by @nivco to get the userinfo on appengine. I have not done this yet, but I plan tp do exactly what your talking about.

https://developers.google.com/android/google-play-services/authentication

Answer 2

I'm not sure what you are trying to do is possible through the App Engine OAuthService used in the article you are referring to. Also it is stated that AppEngine OAuthService only supports OAuth 1 but Android only supports OAuth 2 :) so you are screwed.

If you want to do cross Android - App Engine authentication, what I would do is:

1. In Android: get an access token for the UserInfo API (scope = https://www.googleapis.com/auth/userinfo.email and https://www.googleapis.com/auth/userinfo.profile) from the AccountManager.
2. Pass the access token to App Engine in a URL param of the request you are making from Android to AppEngine (make sure you use HTTPS to avoid interception!).
3. On the App Engine side: use the access token to read the user's identity using the UserInfo API. This is basically using OpenID Connect!
4. Then you can use the information you got from the UserInfo API to authenticate the user. The email and the user ID you'll get from the UserInfo API is equivalent to the email and user ID you would get from the AppEngine's UserService => you can trust it!

---

PS: I described getting OAuth 2 tokens using the Android AccountManager in this article. It was written pre-Ice Cream Sandwich but I'm hopping it is still valid. Basically the authTokenType needs to be oauth2:{scopes}, so for instance oauth2:https://www.googleapis.com/auth/tasks for the Tasks API. There might be some better ways to do this now.