I'm writing an Android app for voice chatting and decided to use Google Sign-In for simple user authentication with my backend server. However, I don't understand how the app should authenticate with my backend. When a user signs in using his Google account and I receive the ID token, I can send the ID token to the server, and the server then verifies it. And what then? How do I authenticate the following requests, for example when the user sends/receives a voice message and the app needs to upload/download the message to/from the server? The server needs to know which user is making the request, but the ID token is inappropriate because it expires soon and its integrity verification is a complex and relatively long process.
Google Sign-In manages the OAuth 2.0 flow and token lifecycle, simplifying your integration with Google APIs. A user always has the option to revoke access to an application at any time.
The id_token is used in OpenID Connect protocol, where the user is authenticated as well as authorized. (There's an important distinction between authentication and authorization.) You will get id_token and access_token. The id_token value contains the information about the user's authentication.
Google Sign-In API: the following steps are involved:
{u'picture': u'https://lh3.googleusercontent.com/-RD4yn7rqIc8/AAAAAAAAAAI/AAAAAAAALQI/9Ab_kR3_CII/s96-c/photo.jpg', u'sub': u'10270538098780639-55', u'family_name': u'Dusad', u'iss': u'https://accounts.google.com', u'email_verified': True, u'name': u'Utsav Dusad', u'at_hash': u'BMjN0mWeOMqVVBhjW_W9A', u'given_name': u'Utsav', u'exp': 1484582338, u'azp': u'85959433390-npk1ss7juimjqt5hrlhm7v2fj2u7593f.apps.googleusercontent.com', u'iat': 1484578738, u'locale': u'en-GB', u'email': u'[email protected]', u'aud': u'85959433390-npk1ss7juimjqt5hrlhm7v2fj2u7593f.apps.googleusercontent.com'}
sub: Subject, the user ID. Don't use the email address as the primary key, as it may change; use the user ID (sub).
An identifier for the user, unique among all Google accounts and never reused. A Google account can have multiple emails at different points in time, but the sub value is never changed. Use sub within your application as the unique-identifier key for the user.
For detailed information see here:
It looks like the explanation you need is at: https://developers.google.com/identity/sign-in/web/backend-auth#verify-the-integrity-of-the-id-token
It explains:
After you receive the ID token by HTTPS POST, you must verify the integrity of the token. To verify that the token is valid, ensure that the following criteria are satisfied:

- The ID token is a JWT that is properly signed with an appropriate Google public key (available in JWK or PEM format).
- The value of aud in the ID token is equal to one of your app's client IDs. This check is necessary to prevent ID tokens issued to a malicious app being used to access data about the same user on your app's backend server.
- The value of iss in the ID token is equal to accounts.google.com or https://accounts.google.com.
- The expiry time (exp) of the ID token has not passed.
- If your authentication request specified a hosted domain, the ID token has a hd claim that matches your Google Apps hosted domain.
It states:
Rather than writing your own code to perform these verification steps, we strongly recommend using a Google API client library for your platform, or calling our tokeninfo validation endpoint.
It goes on to show you exactly what you need to do.
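To tie the two answers together with working code: the block below is an added example, not code from the question, either answer, or Google's libraries. It implements the claim checks quoted above (aud, iss, exp, hd) on an already-decoded ID token payload and then answers the original question by having the backend mint its own short-lived HS256 session token keyed on sub (the stable user ID recommended in the first answer), which the app presents on every later upload/download request. Assumptions: the RS256 signature of the Google ID token has already been verified with a library such as google-auth (id_token.verify_oauth2_token) or the tokeninfo endpoint, so that step is not repeated here; the client ID and sub values are copied from the decoded token shown earlier on this page, the other sample values and the secret are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption (not from the original page): the Google ID token's RS256
# signature has already been checked by google-auth or the tokeninfo endpoint.
# What remains are the documented claim checks and the backend's own session token.

GOOGLE_ISSUERS = ("accounts.google.com", "https://accounts.google.com")


def check_google_claims(payload, client_ids, now=None, hosted_domain=None):
    """Return the stable user id (sub) if every claim check passes, else raise ValueError."""
    now = time.time() if now is None else now
    if payload.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("bad iss: %r" % payload.get("iss"))
    # aud must be one of *our* client IDs; a token minted for another app is rejected
    if payload.get("aud") not in client_ids:
        raise ValueError("aud does not match any of our client IDs")
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("ID token expired")
    if hosted_domain is not None and payload.get("hd") != hosted_domain:
        raise ValueError("hd claim mismatch")
    sub = payload.get("sub")
    if not sub:
        raise ValueError("missing sub")
    return sub  # key the user record on sub, never on email


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_session_token(sub, secret, now=None, ttl=3600):
    """Mint an HS256 JWT bound to sub; the app sends it on every subsequent request."""
    now = int(time.time() if now is None else now)
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = _b64url(json.dumps({"sub": sub, "iat": now, "exp": now + ttl}, separators=(",", ":")).encode())
    signing_input = ("%s.%s" % (header, claims)).encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return "%s.%s" % (signing_input.decode("ascii"), _b64url(sig))


def verify_session_token(token, secret, now=None):
    """Return sub from a valid, unexpired session token; raise ValueError otherwise."""
    now = time.time() if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm server-side: the token must never choose it (alg=none, key confusion)
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = ("%s.%s" % (header_b64, claims_b64)).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if claims.get("exp", 0) <= now:
        raise ValueError("session expired")
    return claims["sub"]


if __name__ == "__main__":
    CLIENT_ID = "85959433390-npk1ss7juimjqt5hrlhm7v2fj2u7593f.apps.googleusercontent.com"
    # Constructed payload using the sub/aud/exp/iat values from the decoded token above
    payload = {"iss": "https://accounts.google.com", "aud": CLIENT_ID,
               "sub": "10270538098780639-55", "iat": 1484578738, "exp": 1484582338}
    SECRET = b"demo-secret-rotate-me"  # constructed; load from a secret store in production
    user = check_google_claims(payload, {CLIENT_ID}, now=1484580000)
    session = issue_session_token(user, SECRET, now=1484580000, ttl=3600)
    print("session for", verify_session_token(session, SECRET, now=1484580100))
```

The ID token is exchanged exactly once: the server runs the claim checks, looks up or creates the user by sub, and hands back its own session token, which is cheap to verify (one HMAC) on every voice-message upload or download. Keep the session TTL short and rotate the HMAC secret through a secret store; revoking a user is then a matter of refusing to issue new sessions for that sub.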