Home » Android » google api – validating Android's authToken on third party server

google api – validating Android's authToken on third party server

Posted by: admin June 15, 2020 Leave a comment

Questions:

I’m writing an Android application, which uses AccountManager to get the token. From an android app I’m able to interact with Google Picasa – it works fine.

What I would like to achieve is the following: send some text + authToken to my third party server, then check if the token is correct before saving the text. Now the question is: is it possible to determine if the authToken of a particular token is correct solely on the token itself (and maybe email address).

I’ve already programmed the server part, which accepts the token (send from android application), then issues a request to an URL address:

https://accounts.google.com/o/oauth2/tokeninfo?access_token=%token_here%

What I get back is the following JSON:

{
  "error" : "invalid_token"
}

But the link here http://oauthssodemo.appspot.com/step/4 states that if a token is correct I should receive a different JSON response. Can you tell me what I’m doing wrong: I believe that the way to check token’s validity really isn’t that simple, but I should rather implement the whole openid or something. Even if that is the case, how can I check whether the token send by android app is correct, so I can save the ‘text’ part of the message.

Thank you.

How to&Answers:

Stop using AccountManager and start using Google Play service’s GoogleAuthUtil class, then it gets easy. See http://android-developers.blogspot.ca/2013/01/verifying-back-end-calls-from-android.html

Answer:

The solution is as follows. You can verify the token via this url:

https://accounts.google.com/o/oauth2/tokeninfo?access_token=%token_here%

But in my case I was trying to validate “Authorization code” and not “Access token” as you can see here: https://code.google.com/oauthplayground/

If you’re using Android and OAuth don’t use

lh2 

but rather use the following as service name:

http://picasaweb.google.com/data/

So you should call getAuthToken as follows

getAuthToken(account, "http://picasaweb.google.com/data/" , true, null, null);

Then you can validate the token received from this call on the URI posted above.

Answer:

read this
https://developers.google.com/accounts/docs/OAuth2WebServer

After the web server receives the authorization code, it may exchange
the authorization code for an access token and a refresh token. This
request is an HTTPs post, and includes the following parameters:

Answer:

I came across passport-google-token passport strategy which perfectly performs the task.

https://www.npmjs.com/package/passport-google-token

More details are present in the above link.

Answer:

Based on information in this answer: What is the proper way to validate google granted OAuth tokens in a node.js server? ,

you might try using id_token instead of access_token in the url to call Google’s tokeninfo endpoint.