Google Sign-In backend server authentication

Salivan · May 24, 2016 · Viewed 8.8k times

I'm writing an Android app for voice chatting and decided to use Google Sign-In for simple user authentication with my backend server. However, I don't understand how the app should authenticate with my backend. When a user signs in using his Google account and I receive the ID token, I can send the ID token to the server, and the server verifies it. And what then? How do I authenticate the following requests, for example when the user sends/receives a voice message and the app needs to upload/download the message to/from the server? The server needs to know which user is making the request, but the ID token is inappropriate because it expires soon and its integrity verification is a complex and relatively long process.

Answer

Utsav Dusad · Jan 19, 2017

Google Sign-in API: the following steps are involved:

  • User signs in to Google using the iOS/Android application.
  • Google returns the tokenid (and some extra information; see the link for details) to the client (iOS/Android app).
  • Client sends the tokenid to the backend server.
  • Server uses the Google client API (or calls the Google endpoint by making a GET request, but beware that it has a network delay associated with it) to verify the integrity of the token. In this step certain criteria must be satisfied. See here.
  • Google API returns some information to the server. What kind of information? Something like this:

{u'picture': u'https://lh3.googleusercontent.com/-RD4yn7rqIc8/AAAAAAAAAAI/AAAAAAAALQI/9Ab_kR3_CII/s96-c/photo.jpg', u'sub': u'10270538098780639-55', u'family_name': u'Dusad', u'iss': u'https://accounts.google.com', u'email_verified': True, u'name': u'Utsav Dusad', u'at_hash': u'BMjN0mWeOMqVVBhjW_W9A', u'given_name': u'Utsav', u'exp': 1484582338, u'azp': u'85959433390-npk1ss7juimjqt5hrlhm7v2fj2u7593f.apps.googleusercontent.com', u'iat': 1484578738, u'locale': u'en-GB', u'email': u'[email protected]', u'aud': u'85959433390-npk1ss7juimjqt5hrlhm7v2fj2u7593f.apps.googleusercontent.com'}

sub: Subject, the user ID. Don't use the email ID as the primary key, as it may change; use the user ID.

An identifier for the user, unique among all Google accounts and never reused. A Google account can have multiple emails at different points in time, but the sub value is never changed. Use sub within your application as the unique-identifier key for the user.

For detailed information see here:

  • Server returns a successful login to the client.
  • Client makes subsequent (HTTP POST, GET) requests with the tokenID.
  • Server serves the data by verifying the ID token and checking the 'sub' claim (sub is the unique identity of a user).
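As an added example (not code from the question or the answer), here are the claim checks a backend applies to a decoded ID token payload like the one above, once Google's client library has verified the signature, plus a user table keyed by sub rather than email. The client ID, sub and email values are constructed placeholders.

```python
import time

# Added example, not from the question or answer: claim checks for a Google
# ID token payload (after signature verification by Google's client library)
# and a user table keyed by 'sub' rather than by email address.

VALID_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}

def id_token_problems(claims, client_id, now=None):
    """Return the reasons the claims must be rejected; an empty list means OK."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") not in VALID_ISSUERS:
        problems.append("iss is not a Google issuer")
    if claims.get("aud") != client_id:  # token was minted for another app
        problems.append("aud does not match our client ID")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        problems.append("token has expired")
    if not claims.get("sub"):
        problems.append("sub claim missing")
    return problems

def find_or_create_user(users, claims):
    """Key users by 'sub' (stable, never reused); refresh the stored email so an
    address change on the Google account maps to the same user, not a new one."""
    record = users.setdefault(claims["sub"], {"email": None, "name": claims.get("name")})
    if claims.get("email_verified"):
        record["email"] = claims.get("email")
    return record

def authenticate(users, claims, client_id, now=None):
    """Per-request check: the user record, or None if the token is rejected."""
    if id_token_problems(claims, client_id, now):
        return None
    return find_or_create_user(users, claims)

# Constructed sample values: placeholder client ID, fake sub and email.
CLIENT_ID = "000000000000-example.apps.googleusercontent.com"
SAMPLE_CLAIMS = {
    "iss": "https://accounts.google.com", "aud": CLIENT_ID, "azp": CLIENT_ID,
    "sub": "100000000000000000001", "email": "alice@example.com",
    "email_verified": True, "name": "Alice Example",
    "iat": 1484578738, "exp": 1484582338,
}

if __name__ == "__main__":
    users = {}
    print(authenticate(users, SAMPLE_CLAIMS, CLIENT_ID, now=1484580000))
    print(id_token_problems(dict(SAMPLE_CLAIMS, aud="other-app"), CLIENT_ID, now=1484580000))
```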