 

How to verify Android id token on App Engine backend

My goal is to build a simple App Engine back end for my Android app. The purpose of this back end is just to verify Android clients' calls and provide a password which will be used for further HTTPS communication with my servers. So I started according to this http://android-developers.blogspot.in/2013/01/verifying-back-end-calls-from-android.html article. The client side looks like:

GoogleAuthUtil.getToken(MainActivityy.this, "[email protected]", "audience:server:client_id:my_Client_ID_for_web_applications.apps.googleusercontent.com");

This method returns a token which looks like this:

eyJhbGciOiJSUzI1NiIsImtpZCI6ImFiMWIyZTllNGU2NGE0MmIzM2U3YjMxMDQwNzUyMzIxYmVlMmJkYmEifQ.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.oN5ncz6MEAZBW8NXDhc4O-Y82C2mma675lbw9ZZA-1bs8zM9FKQG1K97PfNfxJFImiPMY8UYIjhqDIkHpErjaV0KDJpLv8NkmsdADOFjt5eQkFGWf92fufL7QEIkWqLL1fKxG7f8-OR59O5AOAVchdgtqDt4DhEH7oHfAZqf3wU  

And now I want to authenticate this token on the back end. So I created a new Web Application Project using the Google Plugin for Eclipse. It generates a sample project. To this project I added the Checker class from the article I mentioned above. It looks like this:

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import java.util.List;
import java.util.logging.Logger;

import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.gson.GsonFactory;

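/**
 * Verifies a Google ID token sent by an Android client and checks that it was issued
 * for this back end.
 *
 * <p>What {@code GoogleIdTokenVerifier.verify} itself checks (signature against Google's
 * certificates, issuer, expiry) is defined by the google-api-client library in use, not by
 * this class; only the audience and authorized-party (client-ID) comparisons are done here.
 *
 * <p>Not thread-safe: {@link #check} writes the {@code mProblem} field without
 * synchronization, so {@link #problem()} is only reliable when one instance is used by
 * one request at a time.
 */
public class Checker {

    /** Reported by {@link #problem()} when the library verifier itself rejects the token. */
    private static final String DEFAULT_PROBLEM = "Verification failed. (Time-out?)";

    private final List<String> mClientIDs;
    private final String mAudience;
    private final GoogleIdTokenVerifier mVerifier;
    private final JsonFactory mJFactory;
    private String mProblem = DEFAULT_PROBLEM;

    private final Logger log;

    /**
     * @param clientIDs client IDs accepted as the token's authorized party
     *     ({@code getIssuee()}), typically the Android app's own client ID
     * @param audience the audience the token must carry; this is the value the client
     *     passed after {@code audience:server:client_id:} when requesting the token
     * @throws IllegalArgumentException if either argument is {@code null}
     */
    public Checker(String[] clientIDs, String audience) {
        if (clientIDs == null || audience == null) {
            throw new IllegalArgumentException("clientIDs and audience must not be null");
        }
        // clone() so later changes to the caller's array cannot widen the accepted set
        // (Arrays.asList is a live view over the array it is given).
        mClientIDs = Arrays.asList(clientIDs.clone());
        mAudience = audience;
        NetHttpTransport transport = new NetHttpTransport();
        mJFactory = new GsonFactory();
        mVerifier = new GoogleIdTokenVerifier(transport, mJFactory);
        log = Logger.getLogger(Checker.class.getName());
        // Trace output belongs at FINE, not SEVERE, so it does not flood the error log.
        log.fine("Checker created");
    }

    /**
     * Parses and verifies {@code tokenString}.
     *
     * @param tokenString the raw ID token as received from the client
     * @return the token's payload when every check passed, otherwise {@code null};
     *     {@link #problem()} then describes the failure
     */
    public GoogleIdToken.Payload check(String tokenString) {
        // Reset per call: when verify() returns false no branch below assigns mProblem,
        // so without this a message left over from an earlier token would be reported.
        mProblem = DEFAULT_PROBLEM;
        if (tokenString == null || tokenString.isEmpty()) {
            mProblem = "No token supplied";
            return null;
        }
        try {
            GoogleIdToken token = GoogleIdToken.parse(mJFactory, tokenString);
            if (!mVerifier.verify(token)) {
                log.fine("verify() rejected the token");
                return null;
            }
            GoogleIdToken.Payload payload = token.getPayload();
            // mAudience is the receiver of equals(): a token without an audience claim
            // is reported as a mismatch instead of throwing a NullPointerException.
            if (!mAudience.equals(payload.getAudience())) {
                mProblem = "Audience mismatch";
                log.warning(mProblem);
                return null;
            }
            if (!mClientIDs.contains(payload.getIssuee())) {
                mProblem = "Client ID mismatch";
                log.warning(mProblem);
                return null;
            }
            // The e-mail address is deliberately not logged: it is personal data and
            // does not belong in the application log.
            log.fine("Token accepted");
            return payload;
        } catch (GeneralSecurityException e) {
            mProblem = "Security issue: " + e.getLocalizedMessage();
            log.warning(mProblem);
        } catch (IOException e) {
            mProblem = "Network problem: " + e.getLocalizedMessage();
            log.warning(mProblem);
        }
        return null;
    }

    /**
     * @return the reason the most recent {@link #check} returned {@code null};
     *     only meaningful directly after such a call
     */
    public String problem() {
        return mProblem;
    }

}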

And now I do something like this to authenticate the token provided by the Android client.

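// Client ID for installed applications: the Android app's own ID, which Checker compares
// against the token's authorized party (getIssuee()).
String[] clientIds = new String[] {"xxxxxxxxxxxxx-plqjav9ih8e80btegic84bg2r9q7c02.apps.googleusercontent.com"};
// NOTE(review): Checker compares this audience with the token's audience claim. The client
// requested the token with "audience:server:client_id:<web client id>", so an appspot host
// name here looks like it would yield "Audience mismatch" even once verify() succeeds — confirm
// against the client code.
Checker checker = new Checker(clientIds, "my_project_at_appspot.appspot.com");
// The return value must be inspected: null means the token was rejected and the request
// must not be treated as authenticated.
GoogleIdToken.Payload payload = checker.check("eyJhbGciOiJSUzI1NiIsImtpZCI6ImFiMWIyZTllNGU2NGE0MmIzM2U3YjMxMDQwNzUyMzIxYmVlMmJkYmEifQ.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.oN5ncz6MEAZBW8NXDhc4O-Y82C2mma675lbw9ZZA-1bs8zM9FKQG1K97PfNfxJFImiPMY8UYIjhqDIkHpErjaV0KDJpLv8NkmsdADOFjt5eQkFGWf92fufL7QEIkWqLL1fKxG7f8-OR59O5AOAVchdgtqDt4DhEH7oHfAZqf3wU");
if (payload == null) {
    // problem() carries the reason (audience / client-ID mismatch, security or network error).
    throw new SecurityException("ID token rejected: " + checker.problem());
}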

And now the problem is that the Checker class never passes this check:

if (mVerifier.verify(token)) 

Is there some way to check an Android token online? Any ideas, or where could the problem be?



2 Answers

You can always check the token interactively by using curl to look at

curl https://www.googleapis.com/oauth2/v1/tokeninfo?id_token=<your-id-token-here>

What's the exception/problem from mVerifier.verify?



It's an older question, and I guess you already found an answer. But just in case: Click this link and scroll down. Basically it tells you to download and include this library and write this piece of code:

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import java.util.List;

import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.gson.GsonFactory;

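/**
 * Verifies a Google ID token from an Android client and checks that it was issued for
 * this back end (audience) by an accepted client ID (authorized party).
 *
 * <p>Signature, issuer and expiry handling is whatever {@code GoogleIdTokenVerifier.verify}
 * implements in the google-api-client version in use; only the audience and client-ID
 * comparisons are done in this class.
 *
 * <p>Not thread-safe: {@link #check} mutates {@code mProblem} without synchronization.
 */
public class Checker {

    /** Reported by {@link #problem()} when the library verifier itself rejects the token. */
    private static final String DEFAULT_PROBLEM = "Verification failed. (Time-out?)";

    private final List<String> mClientIDs;
    private final String mAudience;
    private final GoogleIdTokenVerifier mVerifier;
    private final JsonFactory mJFactory;
    private String mProblem = DEFAULT_PROBLEM;

    /**
     * @param clientIDs client IDs accepted as the token's authorized party ({@code getIssuee()})
     * @param audience the audience the token must carry, i.e. the value the client passed after
     *     {@code audience:server:client_id:} when requesting the token
     * @throws IllegalArgumentException if either argument is {@code null}
     */
    public Checker(String[] clientIDs, String audience) {
        if (clientIDs == null || audience == null) {
            throw new IllegalArgumentException("clientIDs and audience must not be null");
        }
        // Copy the array: Arrays.asList is a live view, so the accepted set could otherwise
        // be changed behind the checker's back.
        mClientIDs = Arrays.asList(clientIDs.clone());
        mAudience = audience;
        NetHttpTransport transport = new NetHttpTransport();
        mJFactory = new GsonFactory();
        mVerifier = new GoogleIdTokenVerifier(transport, mJFactory);
    }

    /**
     * Parses and verifies {@code tokenString}.
     *
     * @param tokenString raw ID token as received from the client
     * @return the payload if every check passed, otherwise {@code null}; see {@link #problem()}
     */
    public GoogleIdToken.Payload check(String tokenString) {
        // Reset first: when verify() returns false no branch below assigns mProblem, so
        // without this a stale message from an earlier call would be reported.
        mProblem = DEFAULT_PROBLEM;
        if (tokenString == null || tokenString.isEmpty()) {
            mProblem = "No token supplied";
            return null;
        }
        try {
            GoogleIdToken token = GoogleIdToken.parse(mJFactory, tokenString);
            if (!mVerifier.verify(token)) {
                return null;
            }
            GoogleIdToken.Payload payload = token.getPayload();
            // mAudience as the receiver keeps a missing audience claim a mismatch, not an NPE.
            if (!mAudience.equals(payload.getAudience())) {
                mProblem = "Audience mismatch";
                return null;
            }
            if (!mClientIDs.contains(payload.getIssuee())) {
                mProblem = "Client ID mismatch";
                return null;
            }
            return payload;
        } catch (GeneralSecurityException e) {
            mProblem = "Security issue: " + e.getLocalizedMessage();
        } catch (IOException e) {
            mProblem = "Network problem: " + e.getLocalizedMessage();
        }
        return null;
    }

    /** @return the reason the most recent {@link #check} returned {@code null}. */
    public String problem() {
        return mProblem;
    }
}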