I've been beating my head against the wall for about two days now, time to ask for help.
I've been trying to get my head around the following:
A mobile app user signs in on the app using one of the following:
I'll focus on Google first, the login works (user consents to permission). The app then retrieves a token: GoogleAuthUtil.getToken(mActivity, mEmail, mScope);
Where the scope will be of the form audience:server:client_id:XXXXXX
And XXXXXXX
is the client_id of my webservice.
(The mobile app is also registered on Google Console and it's in the same project as the webserver)
Next the app sends the retrieved token to my webserver where the server can get the payload using $client->verifyIdToken( $id_token );
. My server is using the Google API Client.
But I now wish to use this to let the server retrieve userdata from google, without requesting the user for further permissions (because they already gave the app the permissions). So how do I get from the payload to requesting userdata from google?
I'm still entertaining the idea that I might be completely misunderstanding this whole Oauth2.0 / SSO proces, so any pointers are deeply appreciated!