Google Sign-In backend server authentication

I'm writing an Android app for voice chatting and decided to use Google Sign-In for a simple user authentication with my backend server. However, I don't understand how the app should authenticate with my backend. When a user signs-in using his Google account and I receive the ID token, I can send the ID token to the server, then the server verifies it. And what's then? How to authenticate following requests, for example when the user sends/receives a voice message and the app needs to upload/download the message to/from the server? Server needs to know which user is making the request, but the ID token is inappropriate because it expires soon and its integrity verification is a complex and relatively long process.

Salivan asked May 24 '16 12:05




2 Answers

Google Sign-in API: Following steps are involved:

  • User signs in to Google using the iOS/Android application.
  • Google returns the tokenid (and some extra information; see the link for extra information) to the client (iOS/Android app).
  • Client sends the tokenid to the backend server.
  • Server uses the Google client API (or calls the Google endpoint by making a GET request, but beware that it has a network delay associated with it) to verify the integrity of the token. In this step certain criteria should be satisfied. See here.
  • Google API returns some information to the server. What kind of information? Something like this:

{u'picture': u'https://lh3.googleusercontent.com/-RD4yn7rqIc8/AAAAAAAAAAI/AAAAAAAALQI/9Ab_kR3_CII/s96-c/photo.jpg', u'sub': u'10270538098780639-55', u'family_name': u'Dusad', u'iss': u'https://accounts.google.com', u'email_verified': True, u'name': u'Utsav Dusad', u'at_hash': u'BMjN0mWeOMqVVBhjW_W9A', u'given_name': u'Utsav', u'exp': 1484582338, u'azp': u'85959433390-npk1ss7juimjqt5hrlhm7v2fj2u7593f.apps.googleusercontent.com', u'iat': 1484578738, u'locale': u'en-GB', u'email': u'[email protected]', u'aud': u'85959433390-npk1ss7juimjqt5hrlhm7v2fj2u7593f.apps.googleusercontent.com'}

sub: Subject, the userID. Don't use the email id as the primary key, as it may change. Use the userID.

An identifier for the user, unique among all Google accounts and never reused. A Google account can have multiple emails at different points in time, but the sub value is never changed. Use sub within your application as the unique-identifier key for the user.

For detailed information see here:

  • Server returns a successful login to the client.
  • Client makes subsequent (HTTP POST, GET) requests with the tokenID.
  • Server serves the data by verifying the idtoken and checking the 'sub' info (sub is the unique identity of a user).
Utsav Dusad answered Oct 20 '22 08:10



It looks like the explanation you need is at: https://developers.google.com/identity/sign-in/web/backend-auth#verify-the-integrity-of-the-id-token

It explains:

After you receive the ID token by HTTPS POST, you must verify the integrity of the token. To verify that the token is valid, ensure that the following criteria are satisfied:

  • The ID token is a JWT that is properly signed with an appropriate Google public key (available in JWK or PEM format).
  • The value of aud in the ID token is equal to one of your app's client IDs. This check is necessary to prevent ID tokens issued to a malicious app being used to access data about the same user on your app's backend server.
  • The value of iss in the ID token is equal to accounts.google.com or https://accounts.google.com.
  • The expiry time (exp) of the ID token has not passed.
  • If your authentication request specified a hosted domain, the ID token has a hd claim that matches your Google Apps hosted domain.

It states:

Rather than writing your own code to perform these verification steps, we strongly recommend using a Google API client library for your platform, or calling our tokeninfo validation endpoint.

It goes on to show you exactly what you need to do.

raddevus answered Oct 20 '22 10:10

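As an added example (not code from either answer, nor Google's client library), this applies the claim checks quoted in raddevus's answer to decoded claims shaped like the ones in Utsav Dusad's answer, keys the account on `sub`, and then issues a cheap HMAC-signed server session token for the follow-up requests the question asks about, so the full JWT verification runs only once at sign-in. It assumes the JWT signature was already verified by a Google library or the tokeninfo endpoint; the client ID, server secret and timestamps are constructed placeholders.

```python
import base64, hashlib, hmac, json, secrets, time

CLIENT_ID = "example-client-id.apps.googleusercontent.com"  # placeholder, your app's client ID
SESSION_SECRET = b"replace-with-a-random-server-secret"      # placeholder, keep out of source
SESSION_TTL = 24 * 3600                                      # server session lifetime, seconds


def check_id_token_claims(claims, now, hosted_domain=None):
    """Apply Google's listed checks to an already signature-verified ID token.
    Returns the stable user key (sub) or raises ValueError."""
    if claims.get("iss") not in ("accounts.google.com", "https://accounts.google.com"):
        raise ValueError("bad issuer")
    if claims.get("aud") != CLIENT_ID:
        raise ValueError("token was issued to a different app")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("ID token expired")
    if hosted_domain is not None and claims.get("hd") != hosted_domain:
        raise ValueError("wrong hosted domain")
    # Key the account on sub, never on email: emails can change, sub never does.
    return claims["sub"]


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session(sub, now):
    """Session token handed to the client after a successful sign-in: payload.signature."""
    body = {"sub": sub, "exp": now + SESSION_TTL, "nonce": secrets.token_hex(8)}
    payload = _b64(json.dumps(body).encode())
    sig = _b64(hmac.new(SESSION_SECRET, payload.encode(), hashlib.sha256).digest())
    return payload + "." + sig


def user_for_request(token, now):
    """Per-request check (one HMAC, no network): returns sub, or None if invalid/expired."""
    try:
        payload, sig = token.split(".", 1)
        expected = hmac.new(SESSION_SECRET, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None
        data = json.loads(_unb64(payload))
    except (ValueError, json.JSONDecodeError):
        return None
    if now >= data["exp"]:
        return None
    return data["sub"]
```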