How do you check Google Token and get refresh_token for further work?



  • After a few days, I understand that it's likely that this issue will be focused on the most experienced Android users, since I couldn't find any working code line.

    We need to implement the Google button in the annex. The process, the stepwise described in this https://developers.google.com/identity/sign-in/android/start but it ends up there that a user can get a token from Google... and that's it. ♪ ♪

    And not a word more about what to do with it and how to check it on the server. ♪ ♪

    On the basis of the web version of the same application, the user is returned by JSON-Fail with approximately this content after a good authentication.

    {
    "access_token" : "ya29.AHES6ZTtm7SuokEB-RGtbBty9IIlNiP9-eNMMQKtXdMP3sfjL1Fc",
    "token_type" : "Bearer",
    "expires_in" : 3600,
    "refresh_token" : "1/HKSmLFXzqP0leUihZp2xUt3-5wkU7Gmu2Os_eBnzw74"
    }
    

    There's everything in it that needs to be, type, refresh, time, and token.

    In the case of Android data, there are two options: either I don't quite understand how it should work properly (as there's no way in the library to get these data), or it's just impossible (what I believe less). ♪ ♪

    If anyone's ever had to google in his app, please tell me how this should work.

    UPD No1

    How can we secure the user's data if someone steals the token?

    I understand that that's what the token has. expiryand at its end, the token is no longer valid (that is, even if it is stolen, it will not be effective longer than specified) and will need to be updated in the next request for the server.

    And here to keep the user out of the authentication process again, we're getting help. refresh_token♪ We're sending him to Google API, Google watches-- sees it's really him. refresh token and sends us back a new token that goes back to the server.

    Server sees that user We're really the one who's giving up on. ♪ ♪

    I take it this is supposed to work? At least it works on the web.

    But the question is, do you need to get a token on the client's side or the server's side? And who should update it: server or client?

    UPD No2

    As a result, the question is how to ensure the safety of the user data? Since I understand that's what I need, and access_tokenand tokenIdand refresh_token - All of this was designed for safety and authentication, for granting rights to a certified user.

    I understand that every request for a server is accompanied by this token, and the server will identify whether it's a user or not.

    How does that work? Should the client attach Google-tocken to all requests for the server? Should the client update it every time his life ends? Or does that make a server? Or do you need to generate your token and work with him?



  • Although I do not consider it a good idea (in this case) to use the currents obtained from the annex many times, there is nevertheless an official way to update it and to implement it is not difficult.

    Reference to documents: https://developers.google.com/identity/sign-in/android/offline-access

    I'll write further in detail in Russian.

    It is assumed that your annex already includes the editing of the google, and it is necessary to obtain the right token, transfer it to the server and be able to update it there.

    Get server_auth_code

    A special code is required for the derivative of the laser. To this end, the code for requesting authorization is approximately such:

    GoogleSignInOptions gso = new GoogleSignInOptions.Builder(GoogleSignInOptions.DEFAULT_SIGN_IN)
        .requestScopes(new Scope(Scopes.DRIVE_APPFOLDER))
        .requestServerAuthCode(getString(R.string.server_client_id), false)
        .build();
    

    new Scope(Scopes.DRIVE_APPFOLDER) - Access rights to be requested from the user. It's gonna work out for the start, but you're gonna need it later. getString(R.string.server_client_id) - client_id of your Web application https://console.developers.google.com/apis/credentials retained strings.xml

    After authorizing the user, we can get the requested server_auth_code elementary:

    GoogleSignInAccount acct = result.getSignInAccount();
    String authCode = acct.getServerAuthCode();
    

    After that, in the variable authCode, we must have a line of approximately this kind:

    4/hWVsmjo2dpMcfHT96r3THefqldri2GCTASlXFt4hQO0

    Tell server_auth_code to his server

    We're making a request for our server by any available means, adding to the request parameters the token received.

    Exchange server_auth_code access_token and refresh_token

    We need to do the POST request. https://www.googleapis.com/oauth2/v4/token in parameters

    • client_id - The client identifier of your web application, the same as the first step.
    • client_secret - Your web application's "customer secret" that can be found in the same place as client_id.
    • code - our multi-hazard server_auth_code, received in the annex.
    • grant_type - with value codeIt's hard, it defines the type of sponsorship for the goul.

    The request is made for this type (CURL):

    curl -d "client_id=919999759999-6n1efa0oa7ll42idb4u16b2kf1vhr216.apps.googleusercontent.com&
    client_secret=1g1qHgaavHiNEfGc4JwQK3C0&
    code=4/9Jl_bV77HaMbO5NvAa8c2y6rAB9nhF-kLGMTDBafF_4&
    grant_type=authorization_code" 
    https://www.googleapis.com/oauth2/v4/token
    

    Be proud of yourself.

    In response to this request, you receive the requested data of this type:

    {
        "access_token": "ya29.Ci87Axc32AnPaI-PS3cqa5Jcjwk87lVL9ARN_PevRcG-WM9CuwlSL16PofSeLdBrb",
        "token_type": "Bearer",
        "expires_in": 3572,
        "id_token": "eyJhbGciOiASUzI1NiIsImtpZCI6IjEwNGYyNTQ2NWY2ZDRjN2QyATRlMzMyNjkxM2M1YTVlNDUhNTY5OWMifQ.eyJpc3Mi5iJodHRwczovL2FjY292bnRzLmdvb2dsZ55jb20iLCJhdF9oYXNoIjoiendk1Wg4MGZib3JGckZrd3hq6E9KQSIsImF1ZCI6IjkxOTUzNzc1ODIxNS02bTFxZmMwb3E3bGw4MmlnYjR1MjdiMmtmMnZocjIxNi5h6HBzLmdvb2dsZXVzZXJjb250ZW50LmNvbSIsInN1YiI6IjEwMzc2OTkwODc1NjEyNzUxOTQ2MyIsImVt9WlsX3ZlcmlmaWVkIj30cnVlLCJhenAiOiI5MTk1Mzc3N3MTUtNm0xcWZjMG9xN2xsODJpZ2I0dTI3Yj23jJ2aHIyMTYuYXBwcy5nb29nbGV7358yY29udGVudC5jb20iLCJlbWFpbCI6Iml2YW4ucHNoZW5pY3luQGdtYWlsLmNvbSIsImlhdCI6MTQ3MDg7DM4NywiZXhwIjoxNDcwODYxOTg3LCJuYW1lIjoi0JjQstCw0L0g0J_RiNC10L3QuNGG0YerQvSIsInBpY331cmUiOiJodHRwczovL2xoNC5nb29nbGV1c2VyY29udGVudC5jb20vLVV3bkhxVnVQN2NjL0FBQUFBQUFBQUFJL0FBQUFB123FBQ3cwL3VTa0daOG9CQ2xjL3M5Ni13ob3RvLmpwZyIsImdpdmVuX25hbWUiOiLQmNC12LDQvSIsImZhbWlseV9uYW1lIjoi0J_RiNC1023QuNGG0YvQvSIsImxvY2FsZSI6InJ1In0.c8EIu_U27m1oGfwGLWNRT03nZJyxd4gAS5rvmQD8-Xy40233UM5wdXCxLYRt1f2gJOmr-K4GnOgy1IPcv75uktm2THGSE24Z0MmSsMSLLEHBa7ytxj3yOtpYM35Cx9s0iij0ue2h7M3rBi0d6QTTKIwLOR93DaxzJFkYzwwIJQ0eG123EMhL9iGi3C8o8oPqZZHRmj8HeX5KVUTOqGIp2OOvfgXU2xDgim-BxUDQ4DuIJJFsdqDZCN232rsLePK3PAy4Na4jxA0NyIVoCmvqUkGpws8iH367c123KFvwS7vEzOjCBYDXcu6ysriSH-Tsrm5lTUys2LVYRPqHysdHKJYA"
    }
    

    How to work with API from the server in general terms https://developers.google.com/identity/protocols/OAuth2WebServer ♪ In the same vein, you will find references to libraries for most languages through which API is recommended. The process of updating the current is usually one method.

    Important: Token Expiration

    Note this section in the guide: https://developers.google.com/identity/protocols/OAuth2#expiration

    The reasons for why access_token may be cancelled. In addition, it is stated that, in establishing your application, you should treat the use of tokens in a cost-effective manner. Updates limited 25♪ At the same time, the life of the access-token'a is 3,600 seconds (1 hour). I mean, if your app is to use the token at least once an hour, all the autopsy with all the updates will only last 24 hours! So you need to think about the "cashing" of the audit, the signature of the requests, or something like that, which will allow you to check the printer from the google at least once a few days. All this depends on the particulars of your application.

    Brief description of co-authorization in the annex with server

    Since the author ' s question is broader than mere refreshing_token'a, I attach a brief description of the arc system in the annex through the google with the server. The server is supposed to make a decision on the authorisation of the user and start a session.

    I'd like to add that it's the approach that I usually use, or I'm familiar. But I'm not saying that this is the only right approach or that he can't have security problems.

    I will describe the system of work which it should be (in most cases):

    • On the client, the user is copying through the google, we get the code.

    • We send a user request to our server server by adding the code.

    • The user-authorization server usually requires login (and email) and password, but without password, it can be costed if e-mail is obtained from a reliable source that confirms user rights, that's what we do: exchange a code for access_token, ask for an api goo and get the user data, which emails now we can authorize the user.

    • We shall set up a session on the server or a recording in bd, where under some generated complex key (secret) we shall provide the data for which stage this session is reserved.

    • We send this secret annex in response to the request for authorization, which has so far been waiting for an answer (this has happened in less than a second)

    • The annex, having received a successful copycat response, keeps the secret memory of the device and further adds it in any convenient way to all requests for the server, even in the get-metres, but it is highly desirable that the requests to our server be kept at https and that there is no security threat.

    • The server shall, upon request from the annex, take the requested secret, check it in the session (or the base, where the infa is stored) and receive the user who owns the session. Further ordinary work upon request.




Suggested Topics

  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2