Google Sign-In backend server authentication

android authentication token backend google-signin
Salivan picture Salivan · May 24, 2016 · Viewed 8.8k times · Source

I'm writing an Android app for voice chatting and decided to use Google Sign-In for a simple user authentication with my backend server. However, I don't understand how the app should authenticate with my backend. When a user signs-in using his Google account and I receive the ID token, I can send the ID token to the server, then the server verifies it. And what's then? How to authenticate following requests, for example when the user sends/receives a voice message and the app needs to upload/download the message to/from the server? Server needs to know which user is making the request, but the ID token is inappropriate because it expires soon and its integrity verification is a complex and relatively long process.

Answer

Utsav Dusad picture Utsav Dusad · Jan 19, 2017

Google Sign-in API: Following steps are involved:

  • User signs in Google using the iOS/Android application.
  • Google returns tokenid (and some extra information. See the link for extra information) to the client (iOS/Android App).
  • Client sends the tokenid to the backend server.
  • server uses Google client API (or call google end point by making GET request but beware it has a network delay associated with it) to verify the integrity of the token. In this step certain criteria should be satisfied. See Here.
  • GoogleAPI returns some information to the server. What kind of information? Something like this:

{u'picture': u'https://lh3.googleusercontent.com/-RD4yn7rqIc8/AAAAAAAAAAI/AAAAAAAALQI/9Ab_kR3_CII/s96-c/photo.jpg', u'sub': u'10270538098780639-55', u'family_name': u'Dusad', u'iss': u'https://accounts.google.com', u'email_verified': True, u'name': u'Utsav Dusad', u'at_hash': u'BMjN0mWeOMqVVBhjW_W9A', u'given_name': u'Utsav', u'exp': 1484582338, u'azp': u'85959433390-npk1ss7juimjqt5hrlhm7v2fj2u7593f.apps.googleusercontent.com', u'iat': 1484578738, u'locale': u'en-GB', u'email': u'[email protected]', u'aud': u'85959433390-npk1ss7juimjqt5hrlhm7v2fj2u7593f.apps.googleusercontent.com'}

sub: Subject. userID. Don't use email id as primarykey as it may change. use userID.

An identifier for the user, unique among all Google accounts and never reused. A Google account can have multiple emails at different points in time, but the sub value is never changed. Use sub within your application as the unique-identifier key for the user.

For detailed information see here:

  • Server returns success login to the client.
  • client make subsequent (HTTP POST, GET) requests with tokenID.
  • Server serves the data by verifying the idtoken and checking 'sub' info (sub is the unique identity of a user).

Related questions

Android: Is it a good idea to store Authentication Token in Shared Preferences?

I have an application that communicates with a server. When the user logins to the application an Authentication Token is crated on the server and stored in the SharedPreferences of the application and whenever the application requests data from a …

Read More
Android: Storing username and password?

If I want to store the username and password to be used inside an Android application, what is the best way to do it? Is it through the preferences screen (but what if the user misses this?), or pop up …

Read More
Using Google account to log in to an Android Application

I’m developing an application on Android and I want to allow users to log in with their Google account. How can I achieve this?

Read More