 

Google.Apis sharing access and refresh tokens

Until now I had one client (a web application) that was doing the OAuth2 authorization flow and then would send both the access token and the refresh token to the server (ASP.NET Web API).

Then on the server, those tokens would be used to do several operations against the Google API.

Everything was perfect until now, when we needed to add mobile clients doing the same OAuth2 authorization flow.

That required me to add those Android and iOS applications in the Google Console. All three (Web, Android, and iOS) belong to the same project.

The problem comes now, since on the server I have to use the JSON file (with clientId and secret) that is given to me by Google, which until now was the same one the webapp was using. But now, since we have two new clients inside the same project, I assumed I would be able to access the Google API using those same tokens I used before, which are now also sent by Android and iOS.

But that doesn't seem to work; I get:

Google.Apis.Auth.OAuth2.Responses.TokenResponseException: Error:"unauthorized_client", Description:"Unauthorized", Uri:""

Is there any way to make it possible? I also thought about providing the JSON secrets file depending on which client sent me the tokens, but looking at the file structure, those are different, and iOS doesn't even have a JSON file, but a plist.

Any help would be greatly appreciated.

Hugo Hilário asked Jul 21 '18 13:07


1 Answer

Access and refresh tokens received on an Android or iOS device can be used only on that device. For example, an Android OAuth client is registered in Google with its package name and signing-certificate fingerprint to restrict usage to your Android app.

Access and refresh tokens received in your Web Application can be passed to your backend server.

If you want your backend server to be able to make Google API calls on behalf of users while they are offline, your server requires its own access token:

  • Authenticate the user in your Android and iOS application using Google Sign-In for Android or Google Sign-In for iOS;
  • request an additional access code after user authentication;
  • pass it to your backend server;
  • exchange this access code on the server to get its own access and refresh tokens using your backend server client ID and client secret.

Your backend server OAuth client should have the Web application type (you can share an OAuth client with your Web Application).

Detailed instructions can be found here:

  • Android - Enabling Server-Side Access;
  • iOS - Enabling Server-Side Access.
Sergey Khutornoy answered Sep 21 '22 23:09
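The flow described in the answer, as an added example in C# for the asker's ASP.NET Web API backend (this is not code from the question, the answer, or the Google.Apis project). The mobile app obtains a one-time server auth code for the backend's *Web application* client ID and posts it to this endpoint; the backend exchanges it with `GoogleAuthorizationCodeFlow` using its own client_secret.json and keeps the resulting refresh token keyed by its own authenticated user. A refresh token is bound to the OAuth client it was issued to, which is why refreshing a mobile-issued token with the web client's secret is rejected. Assumptions not on the page: the route and DTO names, the `client_secret.json` path, the Drive read-only scope, `FileDataStore` as token storage, the empty redirect URI for native-app server auth codes, and the application name.

```csharp
// Added example (not from the page). Assumes Google.Apis.Auth, Google.Apis.Drive.v3 and
// ASP.NET Web API 2 are referenced; names marked "assumed" are illustrative.
using System.IO;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;
using Google.Apis.Auth.OAuth2;
using Google.Apis.Auth.OAuth2.Flows;
using Google.Apis.Auth.OAuth2.Responses;
using Google.Apis.Drive.v3;
using Google.Apis.Services;
using Google.Apis.Util.Store;

public class ServerAuthCodeRequest
{
    // One-time server auth code the Android/iOS app requested for the Web client ID.
    public string Code { get; set; }
}

public class GoogleLinkController : ApiController
{
    // One flow for the whole backend, built from the Web application client's
    // client_secret.json (the same client the web app uses), never the Android/iOS ones.
    private static readonly GoogleAuthorizationCodeFlow Flow = BuildFlow();

    private static GoogleAuthorizationCodeFlow BuildFlow()
    {
        using (var stream = new FileStream("client_secret.json", FileMode.Open, FileAccess.Read)) // assumed path
        {
            return new GoogleAuthorizationCodeFlow(new GoogleAuthorizationCodeFlow.Initializer
            {
                ClientSecrets = GoogleClientSecrets.FromStream(stream).Secrets,
                Scopes = new[] { DriveService.Scope.DriveReadonly },      // assumed scope
                DataStore = new FileDataStore("GoogleTokens", fullPath: false) // assumed store
            });
        }
    }

    [HttpPost, Route("api/google/link")] // assumed route
    public async Task<IHttpActionResult> Link(ServerAuthCodeRequest request, CancellationToken ct)
    {
        // Key the stored tokens by the backend's own authenticated user, never by a
        // value the client supplies, so one user cannot overwrite another's grant.
        string userId = User?.Identity?.Name;
        if (string.IsNullOrEmpty(userId)) return Unauthorized();
        if (string.IsNullOrWhiteSpace(request?.Code)) return BadRequest("missing code");

        TokenResponse token;
        try
        {
            // Server auth codes issued to native apps carry no redirect URI, so an empty
            // string is passed (assumption). The exchange uses this flow's client secret,
            // and the flow persists the TokenResponse under userId in its DataStore.
            token = await Flow.ExchangeCodeForTokenAsync(userId, request.Code, "", ct);
        }
        catch (TokenResponseException ex)
        {
            // invalid_grant: code reused or expired; unauthorized_client: the code was
            // minted for a different OAuth client than the one this flow is configured with.
            return BadRequest(ex.Error.Error + ": " + ex.Error.ErrorDescription);
        }

        // Without a refresh token the server cannot act while the user is offline.
        if (string.IsNullOrEmpty(token.RefreshToken))
            return BadRequest("no refresh token returned; request offline access on the client");

        return Ok();
    }

    // Later, while the user is offline: rebuild the credential from the stored token.
    // UserCredential refreshes the access token with the backend's own client secret.
    public static async Task<DriveService> BuildDriveServiceAsync(string userId)
    {
        var token = await Flow.DataStore.GetAsync<TokenResponse>(userId);
        if (token == null) return null; // this user has not linked a Google account yet

        var credential = new UserCredential(Flow, userId, token);
        return new DriveService(new BaseClientService.Initializer
        {
            HttpClientInitializer = credential,
            ApplicationName = "ExampleBackend" // assumed
        });
    }
}
```

Treat the server auth code like a credential in transit: accept it only over TLS on an endpoint that already requires the backend's own authentication, and do not log it. Because the code is single-use and short-lived, a replayed or stale code surfaces as `invalid_grant`, and a code requested for the Android or iOS client ID instead of the Web client ID surfaces as `unauthorized_client` on the exchange.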