Question

So this might be a newbie question.

I'm developing a REST(ful) JSON application programming interface with PHP. This API will be accessed primarily by Android devices via an app. Since only people with G+ accounts will use this app, I want to use the Google API for user authentication. So far, so simple.

But I'm using the Google API for the first time, and I have read the interesting and necessary parts of the Google API developer docs. That is how I found the google-api-php-client, which I'm using for now.

Here is how I thought this auth-process works:

  1. The user logs into their G+ account on the mobile device (or similar; I read something about a Play Store ID token or something here)
  2. The app now has a token (as stated here (response)): "access_token":"1/fFAGRNJru1FTz70BzhT3Zg", "expires_in":3920, "token_type":"Bearer"
  3. The Android app sends a request to my PHP API like GET /meeting/:id and sends the access_token (1/fFAGRNJru1FTz70BzhT3Zg only), too.
  4. My app can take the access_token and ask googleAPI/people/me for the ID of the user.
  5. The user is identified in the request to my API and the magic can go on

But there is a problem with the mentioned Google library for PHP: the function setAccessToken($accessToken) requires the whole JSON response, as the docs say: {"access_token":"TOKEN", "refresh_token":"TOKEN", "token_type":"Bearer", "expires_in":3600, "id_token":"TOKEN", "created":1320790426} (see here) of an auth request to the Google API.

It can't be the solution to send the whole JSON response with id_token, refresh_token and access_token to my API on every request, as this will cause a huge amount of traffic, and I'm sure there is a simple solution, but I don't see it.

I hope I have explained my thoughts and problems properly, and I hope my English is not that bad.


Solution

I just solved this.

The id_token is enough to identify the user. When the Android app sends a request with the id_token in it, the server can ask Google for its identity.

In google-api-php-client this works with:

    require_once 'google-api-php-client/src/Google_Client.php'; // path to the library; adjust to your install
    $id_token = $_GET['id_token'];
    $client = new Google_Client();
    // Your app's OAuth client ID (placeholder): verifyIdToken() checks the token's audience against it
    $client->setClientId('YOUR_CLIENT_ID.apps.googleusercontent.com');
    // verifyIdToken() checks the signature and expiry against Google's public certificates
    $attr = $client->verifyIdToken($id_token)->getAttributes();
    echo $attr['payload']['sub']; // Google's stable, unique ID for this user

I found this in the Google API docs (there is also a "Recommended flow" description) and with the help of one of the links mentioned in the question.
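To make explicit what the verifyIdToken() call above does for the server (and why the id_token, rather than the access_token from the flow sketched in the question, is the right thing to send on every request), here is an added example that is not part of the original post and not the google-api-php-client's code. It writes out the checks a resource server must perform on a Google ID token: RS256 signature against a known key ID, issuer, audience equal to your own client ID, and the expiry window, then returns the claims so the caller can use sub as the user identity. So that it runs offline, it does not fetch Google's published certificates; instead it generates a throwaway RSA key, mints a constructed token with it, and verifies that, then shows that a tampered payload, a token issued for another client ID, and an expired token are all rejected. The client ID, key ID, claim values and user ID in it are assumptions. It also takes the token from the Authorization header instead of a query string, so it does not land in access logs.

```php
<?php
// Added example (not from the original post or google-api-php-client): manual
// verification of a Google-style RS256 ID token. Uses a throwaway RSA key and a
// constructed token so it runs offline. All identifiers below are assumptions.

const EXPECTED_AUD = '1234567890-example.apps.googleusercontent.com'; // assumed client ID
const ALLOWED_ISS  = ['accounts.google.com', 'https://accounts.google.com'];

function b64url_encode(string $s): string {
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

function b64url_decode(string $s): string|false {
    $s .= str_repeat('=', (4 - strlen($s) % 4) % 4);        // restore padding
    return base64_decode(strtr($s, '-_', '+/'), true);      // strict: reject stray chars
}

// Mint an RS256 JWT; stands in for the token Google issues to the Android app.
function mint_id_token(array $claims, OpenSSLAsymmetricKey $priv, string $kid): string {
    $header  = b64url_encode(json_encode(['alg' => 'RS256', 'typ' => 'JWT', 'kid' => $kid]));
    $payload = b64url_encode(json_encode($claims));
    openssl_sign("$header.$payload", $sig, $priv, OPENSSL_ALGO_SHA256);
    return "$header.$payload." . b64url_encode($sig);
}

// Verify the token the way a resource server must: signature first, then claims.
// $certs maps kid => PEM public key (in production: Google's published certs,
// cached per kid). Returns the claims or throws; the caller identifies the
// user by $claims['sub'].
function verify_id_token(string $jwt, array $certs, string $expectedAud, int $now): array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) throw new RuntimeException('malformed token');
    [$h, $p, $s] = $parts;
    $header = json_decode(b64url_decode($h) ?: '', true);
    $claims = json_decode(b64url_decode($p) ?: '', true);
    $sig    = b64url_decode($s);
    if (!is_array($header) || !is_array($claims) || $sig === false) throw new RuntimeException('bad encoding');

    // Pin the algorithm: the token must not get to choose (rejects "none" and HMAC swaps).
    if (($header['alg'] ?? '') !== 'RS256') throw new RuntimeException('unexpected alg');
    $kid = (string)($header['kid'] ?? '');
    if (!isset($certs[$kid])) throw new RuntimeException('unknown kid');
    if (openssl_verify("$h.$p", $sig, $certs[$kid], OPENSSL_ALGO_SHA256) !== 1) {
        throw new RuntimeException('bad signature');
    }
    // Claim checks: issuer, audience (our own client ID), time window, subject present.
    if (!in_array($claims['iss'] ?? '', ALLOWED_ISS, true)) throw new RuntimeException('wrong issuer');
    if (($claims['aud'] ?? '') !== $expectedAud) throw new RuntimeException('wrong audience');
    if (!isset($claims['exp']) || $now >= (int)$claims['exp']) throw new RuntimeException('token expired');
    if (isset($claims['iat']) && (int)$claims['iat'] > $now + 60) throw new RuntimeException('issued in the future');
    if (empty($claims['sub'])) throw new RuntimeException('no subject');
    return $claims;
}

// Read the token from "Authorization: Bearer <jwt>" rather than a query string.
function bearer_token_from_header(?string $authorization): ?string {
    if ($authorization !== null && preg_match('/^Bearer\s+([A-Za-z0-9._~+\/-]+=*)$/', $authorization, $m)) {
        return $m[1];
    }
    return null;
}

// --- demo with a constructed key and token ---
$key   = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
$certs = ['demo-kid' => openssl_pkey_get_details($key)['key']];   // kid => public key PEM
$now   = time();
$token = mint_id_token([
    'iss' => 'https://accounts.google.com', 'aud' => EXPECTED_AUD,
    'sub' => '110169484474386276334', 'email' => 'user@example.com',   // constructed claims
    'iat' => $now, 'exp' => $now + 3600,
], $key, 'demo-kid');

$claims = verify_id_token(bearer_token_from_header("Bearer $token"), $certs, EXPECTED_AUD, $now);
echo "authenticated user sub=" . $claims['sub'] . PHP_EOL;

// A modified payload with the old signature, another client's audience, and an
// expired token must all be rejected.
$parts    = explode('.', $token);
$tampered = $parts[0] . '.' . b64url_encode(json_encode(['sub' => '999'] + $claims)) . '.' . $parts[2];
foreach ([
    'tampered'  => fn() => verify_id_token($tampered, $certs, EXPECTED_AUD, $now),
    'wrong aud' => fn() => verify_id_token($token, $certs, 'other-client-id', $now),
    'expired'   => fn() => verify_id_token($token, $certs, EXPECTED_AUD, $now + 7200),
] as $name => $attempt) {
    try { $attempt(); echo "$name: ACCEPTED (bug)" . PHP_EOL; }
    catch (RuntimeException $e) { echo "$name: rejected ({$e->getMessage()})" . PHP_EOL; }
}
```

The library's verifyIdToken() performs the same signature, issuer, audience and expiry checks for you and handles fetching and caching Google's rotating public certificates, so in a real deployment use it rather than the hand-rolled verifier; the value of spelling the checks out is knowing which ones must not be skipped. Two practical points follow from the claims: identify the user by sub, which Google documents as the stable per-user ID, not by email, which can change; and since the ID token expires (exp is about an hour out), the app has to obtain a fresh one from Google when the old one is rejected, which is still far less traffic than shipping the whole OAuth response on every call.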

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow