current community

your communities

more stack exchange communities

Stack Exchange
tour help
stack overflow careers
Take the 2-minute tour ×
Stack Overflow is a question and answer site for professional and enthusiast programmers. It's 100% free, no registration required.
up vote 1 down vote favorite
1

I'm building a backend for my Android app using GAE, and I'd like to authenticate users with their Google accounts, sent from the Android app.

Before OAuth2, you were able to use a Cookie retrieved from the _ah/login endpoint to authenticate users into your web app, but that method is deprecated and I'd like to be able to use the updated OAuth2 method.

In my Android app I've been able to generate a JSON Web Token using the following line:

String jwt =  GoogleAuthUtil.getToken(FamiliarActivity.this, Plus.AccountApi.getAccountName(mGoogleApiClient), "audience:server:client_id:1234567.apps.googleusercontent.com");

or an OAuth token:

String oauth2 =  GoogleAuthUtil.getToken(FamiliarActivity.this, Plus.AccountApi.getAccountName(mGoogleApiClient), "oauth2:server:client_id:1234567.apps.googleusercontent.com:api_scope:https://www.googleapis.com/auth/plus.login");

Either, manually, I can pass to my API and validate against Google. But I haven't been able to figure out a way to use a token like this to trigger authentication in GAE like the Cookie used to. The documentation seems to indicate passing it as a header: Authorization: Bearer <TOKEN> but that doesn't seem to work.

What is the correct way to retrieve and pass a token to my GAE endpoint so that it authenticates the user?

share|improve this question
    
I know answers shouldn't be links, but anyway, here is what I personally looked at to get a better understanding of App engine + Oauth 2.0 youtube.com/watch?v=HoUdWBzUZ-M –  Patrice Aug 29 '14 at 17:46
    
Doesn't GAE have an API that lets your log users in manually (IIRC, it used to)? If so, implement custom authentication using filters, etc. and just call the API after you verify the token. –  Nikolay Elenkov Sep 1 '14 at 5:13
    
Another idea is to compare the bearer tokens sent by browser login with the the tokens you get from GoogleAuthUtil. This is a different method, that should work, but it requires a full account access token. It basically simulates Web login, and then saves all cookies, so you can send them with subsequent requests: github.com/AndlyticsProject/andlytics/blob/dev/src/com/github/… –  Nikolay Elenkov Sep 1 '14 at 5:17

1 Answer 1

up vote 0 down vote

The correct and documented way to accomplish this is to:

1) Create an OAuth protected endpoint with the 

https://www.googleapis.com/auth/plus.login

or 

https://www.googleapis.com/auth/userinfo.email

scope and authorized Client ID for the Android client app.

2) Generate client library and integrate with your app.

share|improve this answer

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.