Oauth2 flow without redirect_uri

Nepoxx picture Nepoxx · Dec 17, 2014 · Viewed 16k times · Source

I am creating an Android/iOS app which communicates with a Node.js server and would like to identify them securely on my server using Google (and/or Facebook) and OAuth2. I've looked at the following documentation: https://developers.google.com/+/web/signin/server-side-flow

I do not need authorization, I only need authentication (I only want to make sure that the person calling my Node.js service is the person they say they are). To achieve this, if I understand properly, I have to let the user log in using Google on the client side, this will give them an authorization_code which they can then give to my server. My server can then exchange that code for an access_token, and therefore retrieve information about the user. I am then guaranteed that the user is the person they say they are.

The Google documentations (link above) says: "In the Authorized redirect URI field, delete the default value. It is not used for this case.", however, for my server to exchange the authorization_code for an access_token, it needs to provide a redirect_uri, am I missing something?

The redirect_uri is useless for Unity games, for instance (since logging in with Google simply opens a new "window", which is closed when logged in, no redirection involved).

TL;DR How do you use OAuth2 to authenticate users between my client and my server without redirection?

Answer

pinoyyid picture pinoyyid · Dec 18, 2014

TL;DR How do you use OAuth2 to authenticate users between my client and my server without redirection?

You can't. OAuth requires that the user is directed to an authorization (and possibly login) screen, and then redirected back to your app.