Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to verify Android id token on App Engine backend

Tags:

android

authentication

google-app-engine

google-oauth

my goal is to build simple app engine back end for my android app. Purpose of this back end is just to verify android clients calls ,and provide password which will be used for further https comunication with my servers. So i started ccording to this http://android-developers.blogspot.in/2013/01/verifying-back-end-calls-from-android.html article. Client side looks like:

GoogleAuthUtil.getToken(MainActivityy.this, "[email protected]", "audience:server:client_id:my_Client_ID_for_web_applications.apps.googleusercontent.com");

this method returns token which looks like this:

eyJhbGciOiJSUzI1NiIsImtpZCI6ImFiMWIyZTllNGU2NGE0MmIzM2U3YjMxMDQwNzUyMzIxYmVlMmJkYmEifQ.eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwiZW1haWwiOiJtYXRvLnBldHJ1bGFrQGdtYWlsLmNvbSIsInZlcmlmaWVkX2VtYWlsIjoidHJ1ZSIsImVtYWlsX3ZlcmlmaWVkIjoidHJ1ZSIsImNpZCI6IjU0ODk4MTY3NzkzMC0xcGxxamF2OWloOGU4MGJ0ZWdpYzg0YmcycjlxN2MwMi5hcHBzLmdvb2dsZXVzZXJjb250ZW50LmNvbSIsImF6cCI6IjU0ODk4MTY3NzkzMC0xcGxxamF2OWloOGU4MGJ0ZWdpYzg0YmcycjlxN2MwMi5hcHBzLmdvb2dsZXVzZXJjb250ZW50LmNvbSIsImF1ZCI6IjU0ODk4MTY3NzkzMC5hcHBzLmdvb2dsZXVzZXJjb250ZW50LmNvbSIsImlkIjoiMTE4MTQ0NjEyNDkzMTM1NzYxOTUwIiwic3ViIjoiMTE4MTQ0NjEyNDkzMTM1NzYxOTUwIiwiaWF0IjoxMzY4NzExODk0LCJleHAiOjEzNjg3MTU3OTR9.oN5ncz6MEAZBW8NXDhc4O-Y82C2mma675lbw9ZZA-1bs8zM9FKQG1K97PfNfxJFImiPMY8UYIjhqDIkHpErjaV0KDJpLv8NkmsdADOFjt5eQkFGWf92fufL7QEIkWqLL1fKxG7f8-OR59O5AOAVchdgtqDt4DhEH7oHfAZqf3wU

and now i want to authentificate this token on backend. So i created new Web Application Project using Google plugin for eclpise. It generates some sample project. To this project i add Checker class from article which i mentioned above. looks like this:

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Arrays;
import java.util.List;
import java.util.logging.Logger;

import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.gson.GsonFactory;

public class Checker {

private final List mClientIDs;
private final String mAudience;
private final GoogleIdTokenVerifier mVerifier;
private final JsonFactory mJFactory;
private String mProblem = "Verification failed. (Time-out?)";

private  Logger log ;

public Checker(String[] clientIDs, String audience) {
    mClientIDs = Arrays.asList(clientIDs);
    mAudience = audience;
    NetHttpTransport transport = new NetHttpTransport();
    mJFactory = new GsonFactory();
    mVerifier = new GoogleIdTokenVerifier(transport, mJFactory);
   log = Logger.getLogger(Checker.class.getName()); 
   log.severe("CHECKER CRETAED");
}

public GoogleIdToken.Payload check(String tokenString) {
    GoogleIdToken.Payload payload = null;
    log.severe("CHECK START");
    try {
        log.severe("CHECK 1");
        GoogleIdToken token = GoogleIdToken.parse(mJFactory, tokenString);
        log.severe("CHECK 2");
        if (mVerifier.verify(token)) {
            log.severe("CHECK 3");
            GoogleIdToken.Payload tempPayload = token.getPayload();
            log.severe("CHECK4");
            if (!tempPayload.getAudience().equals(mAudience)){
                mProblem = "Audience mismatch";
                log.severe("Audience mismatch");
            }
            else if (!mClientIDs.contains(tempPayload.getIssuee())){
                mProblem = "Client ID mismatch";
                log.severe("Client ID mismatch");
            }
            else{
                payload = tempPayload;
                log.severe(payload.getEmail().toString());
                log.severe("CHECK 5");
            }
        }
    } catch (GeneralSecurityException e) {
        log.severe("Security issue: " + e.getLocalizedMessage());
        mProblem = "Security issue: " + e.getLocalizedMessage();
    } catch (IOException e) {
        log.severe("Network problem: " + e.getLocalizedMessage());
        mProblem = "Network problem: " + e.getLocalizedMessage();
    }
    log.severe("CHECK END");
    return payload;
}

public String problem() {
    return mProblem;
}

}

and now i do something like this to authentify token provided by android client.

String [] clinetidS  = new String [] {"xxxxxxxxxxxxx-plqjav9ih8e80btegic84bg2r9q7c02.apps.googleusercontent.com"};  //Client ID for installed applications
Checker checker = new Checker(clinetidS, "my_project_at_appspot.appspot.com");  
   checker.check("eyJhbGciOiJSUzI1NiIsImtpZCI6ImFiMWIyZTllNGU2NGE0MmIzM2U3YjMxMDQwNzUyMzIxYmVlMmJkYmEifQ.eyJpc3MiOiJhY2NvdW50cy5nb29nbGUuY29tIiwiZW1haWwiOiJtYXRvLnBldHJ1bGFrQGdtYWlsLmNvbSIsInZlcmlmaWVkX2VtYWlsIjoidHJ1ZSIsImVtYWlsX3ZlcmlmaWVkIjoidHJ1ZSIsImNpZCI6IjU0ODk4MTY3NzkzMC0xcGxxamF2OWloOGU4MGJ0ZWdpYzg0YmcycjlxN2MwMi5hcHBzLmdvb2dsZXVzZXJjb250ZW50LmNvbSIsImF6cCI6IjU0ODk4MTY3NzkzMC0xcGxxamF2OWloOGU4MGJ0ZWdpYzg0YmcycjlxN2MwMi5hcHBzLmdvb2dsZXVzZXJjb250ZW50LmNvbSIsImF1ZCI6IjU0ODk4MTY3NzkzMC5hcHBzLmdvb2dsZXVzZXJjb250ZW50LmNvbSIsImlkIjoiMTE4MTQ0NjEyNDkzMTM1NzYxOTUwIiwic3ViIjoiMTE4MTQ0NjEyNDkzMTM1NzYxOTUwIiwiaWF0IjoxMzY4NzExODk0LCJleHAiOjEzNjg3MTU3OTR9.oN5ncz6MEAZBW8NXDhc4O-Y82C2mma675lbw9ZZA-1bs8zM9FKQG1K97PfNfxJFImiPMY8UYIjhqDIkHpErjaV0KDJpLv8NkmsdADOFjt5eQkFGWf92fufL7QEIkWqLL1fKxG7f8-OR59O5AOAVchdgtqDt4DhEH7oHfAZqf3wU");

and now problem is that Checker class never pass this check:

if (mVerifier.verify(token))

is there some way how to check android token online?? any ideas?? or where can be problem??

like image 647
Matin Petrulak Avatar asked May 16 '13 14:05

Matin Petrulak

2 Answers

You can always check the token interactively by using curl to look at

curl https://www.googleapis.com/oauth2/v1/tokeninfo?id_token=<your-id-token-here>

What's the exception/problem from mVerifier.verify?

like image 180
Tim Bray Avatar answered Sep 21 '22 10:09

Tim Bray

It's an older question, and I guess you already found an answer. But just in case: Click this link and scroll down. Basically it tells you to download and include this library and write this piece of code:

import java.io.IOException;
import java.security.GeneralSecurityException;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.gson.GsonFactory;

public class Checker {

private final List mClientIDs;
private final String mAudience;
private final GoogleIdTokenVerifier mVerifier;
private final JsonFactory mJFactory;
private String mProblem = "Verification failed. (Time-out?)";

public Checker(String[] clientIDs, String audience) {
    mClientIDs = Arrays.asList(clientIDs);
    mAudience = audience;
    NetHttpTransport transport = new NetHttpTransport();
    mJFactory = new GsonFactory();
    mVerifier = new GoogleIdTokenVerifier(transport, mJFactory);
}

public GoogleIdToken.Payload check(String tokenString) {
    GoogleIdToken.Payload payload = null;
    try {
        GoogleIdToken token = GoogleIdToken.parse(mJFactory, tokenString);
        if (mVerifier.verify(token)) {
            GoogleIdToken.Payload tempPayload = token.getPayload();
            if (!tempPayload.getAudience().equals(mAudience))
                mProblem = "Audience mismatch";
            else if (!mClientIDs.contains(tempPayload.getIssuee()))
                mProblem = "Client ID mismatch";
            else
                payload = tempPayload;
        }
    } catch (GeneralSecurityException e) {
        mProblem = "Security issue: " + e.getLocalizedMessage();
    } catch (IOException e) {
        mProblem = "Network problem: " + e.getLocalizedMessage();
    }
    return payload;
}

public String problem() {
    return mProblem;
}
}
like image 39
Kuno Avatar answered Sep 23 '22 10:09

Kuno
Sign in to Comment

Related questions

Get the index of an array item based on the value
Recycle Android Maps V2 SupportMapFragment when rotating
GestureDetector in libgdx
windowBackground does not change with theme
Phonegap 2.4 Android Proguard config
Does WebView saveState() preserve Javascript variables/environment?
How to get the size of bitmap after displaying it in ImageView
Benefits of GSON over normal JSON parse
Comparing two LatLng objects in google map v2 android
How to quickly get width and height of TextView using Paint.getTextBounds()?
Android Create Custom Exif attributes for an image file
Keyboard opens as full screen in landscape mode [duplicate]
How to add a Header and Preference Object to PreferenceActivity not using an XML file but Java?
Android; fragments overlap when switching tabs
How to get a list of my app's tasks and the stack of their Activities?
How to get list of all BroadcastReceiver(s) registered for a specific intent?
Android: Resizing Bitmaps without losing quality
Send MMS programmatically
(android) decimalformat, uses comma in place of fullstop while formatting with "#.##"
How to create nanohttpd server in android?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!