Google account authorization within an Android app

I'm writing an Android app that talks to a remote server, and I want to allow app users to log into the server by using the google credentials that reside on their phone, i.e. without requiring the user to enter their google password anywhere in my app. For example, if the user's (Android) phone has been configured with "[email protected]", and they then install and run my app, my app will present them with a dialog saying "Do you wish to sign in as [email protected]?", and upon hitting an Ok button they'd have established an id on my server that knows their email address is [email protected], as certified by google itself.

I've found widespread and varied partial recipes on how to go about this, including google's own oauth2 documentation, but have not divined an understanding of how to make it all happen.

I do have Android code which uses the AccountManager to figure out which google accounts are on a given phone. I prompt the user as to which google account they'd like to use to sign on, and I then get an authorization token back.

Past that point, I'm pretty much spinning my wheels. The recipes I've looked at seem to call for my doing an http get of this form:

http://<myWebServer>.com/_ah/login?continue=<someUrlIChoose>&auth=<authToken>

... which (a) is dissatisfying in that it appears to be specific to appengine and I want the freedom to run this on any back end of my choice, and (b) even experimenting with appengine, the appengine instance I've set up doesn't seem to be signaled at all, i.e. the logs show no queries to it (I was hoping the someUrlIChoose url would have been called with something)... hence no opportunities to be informed of the validity of the token.

Specific questions would include:

  • What do I do with the auth token... do I send it to my server, and somehow have my server contact google to verify the token's validity for the specified account? Or is there some backchannel communication that's supposed to have already (at this stage of the process) originated from the google servers to inform my server that this token is valid (and if so, how do I set that up)? Or something else?
  • Am I right to suppose that this process should be doable in the context of any back end (not just appengine)?
  • Is oauth2 what I should be using (as opposed to oauth1, or something else)? Everything I read seems to imply that google's support for oauth2 is "experimental"... but I have not ascertained whether such assertions are current or old; and even if current, google has a history of keeping various products in permanent non-final form (e.g. eternal beta), so I don't know what to conclude about this.
  • Anything else that's relevant...
user1390182 asked May 11 '12 19:05



1 Answer

You must import google-play-services_lib; after that you can use this code:

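import android.accounts.Account;
import android.accounts.AccountManager;
import android.app.ProgressDialog;
import android.os.AsyncTask;
import com.google.android.gms.auth.GoogleAuthUtil;
import com.google.android.gms.auth.UserRecoverableAuthException;

// Both methods belong to LoginActivity; dialog, handler, DropErrorMsg and
// MY_ACTIVITYS_AUTH_REQUEST_CODE are defined elsewhere in the app.
private void gmail_login() {

    dialog = ProgressDialog.show(LoginActivity.this, "", getString(R.string.login_loading), true);

    // getToken() does network I/O, so it has to run off the UI thread.
    AsyncTask<Void, Void, Void> task = new AsyncTask<Void, Void, Void>() {
        @Override
        protected Void doInBackground(Void... params) {
            getAndUseAuthTokenBlocking();
            return null;
        }
    };
    task.execute();
}


void getAndUseAuthTokenBlocking() {
    try {
        String AUTH_TOKEN_TYPE = "oauth2:https://www.googleapis.com/auth/plus.me https://www.googleapis.com/auth/userinfo.email";
        AccountManager accountManager = AccountManager.get(this);
        Account[] accounts = accountManager.getAccountsByType("com.google");
        if (accounts.length == 0) {
            // No Google account on the device; handled by the generic catch below.
            throw new IllegalStateException("no Google account configured");
        }

        String token = GoogleAuthUtil.getToken(this, accounts[0].name, AUTH_TOKEN_TYPE);
        // token here
    } catch (UserRecoverableAuthException userAuthEx) {
        // The user has not granted these scopes yet: show Google's consent screen.
        startActivityForResult(userAuthEx.getIntent(), MY_ACTIVITYS_AUTH_REQUEST_CODE);
    } catch (Exception e) {
        DropErrorMsg.drop(this, handler, R.string.connection_error, R.string.error, dialog, false);
    }
}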
András answered Oct 19 '22 23:10
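The server-side half that the question asks about, as an added example that is not part of the original question or answer: the back end (any back end, not only appengine) passes the received token to Google's tokeninfo endpoint and accepts the e-mail address only if the token was issued to its own app, is unexpired, and carries a verified address. `EXPECTED_AUDIENCE` is a placeholder client ID, the function names are hypothetical, and `SAMPLE_INFO` is a constructed reply.

```python
import json
import time
import urllib.parse
import urllib.request

TOKENINFO_URL = "https://www.googleapis.com/oauth2/v3/tokeninfo"
# Assumption: placeholder for the OAuth client ID your Android app is registered under.
EXPECTED_AUDIENCE = "1234567890-example.apps.googleusercontent.com"

# Constructed sample of a tokeninfo reply (made-up values; note the string types).
SAMPLE_INFO = {
    "aud": EXPECTED_AUDIENCE,
    "exp": "1700003600",
    "email": "alice@example.com",
    "email_verified": "true",
}


def fetch_tokeninfo(access_token):
    """Ask Google about the token; an invalid token raises urllib.error.HTTPError."""
    query = urllib.parse.urlencode({"access_token": access_token})
    with urllib.request.urlopen(TOKENINFO_URL + "?" + query, timeout=5) as resp:
        return json.load(resp)


def verified_email(info, now=None):
    """Return the e-mail address the token proves, or raise ValueError."""
    now = time.time() if now is None else now
    # A token minted for some other app must not log anyone in here.
    if info.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("token was issued to a different client")
    if int(info.get("exp", 0)) <= now:
        raise ValueError("token has expired")
    if not info.get("email") or str(info.get("email_verified")).lower() != "true":
        raise ValueError("no verified e-mail address in token")
    return info["email"]


def login(access_token):
    """Server-side login: identity comes from Google's reply, never from the client."""
    return verified_email(fetch_tokeninfo(access_token))
```

The app sends only the token over HTTPS; any e-mail address the client supplies alongside it is ignored in favour of the one in Google's reply.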