Should I verify the OAuth2 token in the Android client or will App Engine itself authenticate user based on the credential passed to the backend API?

StackOverflow https://stackoverflow.com/questions/23373271

Question

I am creating an Android app with an App Engine backend and am trying to use OAuth2 to authenticate users through their Google Account on the Android device, but am not able to figure out if I need to carry out all of the following steps or whether just step 1 would suffice.

Step 1: In this tutorial by Google, they have created a GoogleAccountCredential using the Google account found on the device and passed it to the backend API hosted on App Engine.

Step 2: In this other tutorial, they have passed this credential only if getting an OAuth2 access token in the Android app returns no error.

Step 3: In yet another tutorial, it has been advised that the backend should check the token sent by the Android client to verify that Google generated this token and that the device that asked for the token matches the audience value in the backend.

So my question is: do we really need steps 2 and 3 in an Android app whose backend is hosted on App Engine or does App Engine take care of 2 and 3 if we pass a credential created for the Google Account found on the phone to the backend API?

Another thing is how often and where in my code should I authenticate the app user:

1. Is it required before each endpoint call?
2. Or is it enough to just run the authentication code just when the app launches?
3. Or better yet, if it is enough to authenticate based on just step 1, would it be okay if I get the user's Google email address from the AccountManager, store it with SharedPreferences and create a GoogleAccountCredential based on the stored email whenever I make an endpoint call until the user explicitly asks to sign out or switch account?

Please help me decide which approach would make most sense. Like always, thanks so much for helping out! :)


Solution 3

For sure authenticate on the back end. If you pass them in in the standard way GAE should automatically use that as your credentials. The UserService should give you the user details with no effort on your part on the server side.

OTHER TIPS

Tim's article (step 3) above is correct. When a server receives a token it must verify that it was intended for them. This is something that Google Cloud Endpoints will do for you, by configuring the client IDs / audience fields as per the example here: https://developers.google.com/appengine/docs/java/endpoints/auth

I ended up passing the GoogleAccountCredential created with the account name found on the phone to the endpoint builder. Then, in the endpoint API method, I added a User parameter which was automatically populated by App Engine after authenticating the user based on the credential passed to the endpoint builder. As a final check, I compared whether User.email was giving the same email address that I used to create the GoogleAccountCredential.
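The server side of the approach in the two answers above (declared client IDs / audiences plus an injected User parameter), written out as an added example; this is not the asker's code or Google's sample, and the class name, method name and the two client ID strings are placeholders for values from your own Developers Console project.

```java
package com.example.backend; // hypothetical package name

import com.google.api.server.spi.config.Api;
import com.google.api.server.spi.config.ApiMethod;
import com.google.api.server.spi.response.UnauthorizedException;
import com.google.appengine.api.users.User;

// Endpoints verifies the bearer token that GoogleAccountCredential attaches on the
// client and only populates the injected User when the token was issued by Google
// for one of the client IDs below and carries the declared audience. A missing,
// expired, forged or wrong-audience token leaves the User parameter null.
@Api(
    name = "profileApi",
    version = "v1",
    // Placeholders: the web client ID and the Android client ID registered for
    // this backend in the Google Developers Console.
    clientIds = {"WEB_CLIENT_ID.apps.googleusercontent.com",
                 "ANDROID_CLIENT_ID.apps.googleusercontent.com"},
    audiences = {"WEB_CLIENT_ID.apps.googleusercontent.com"}
)
public class ProfileEndpoint {

  // Response bean returned to the Android client.
  public static class Profile {
    public String email;
    public Profile(String email) { this.email = email; }
  }

  // The User parameter is not exposed on the wire; Endpoints injects it per call.
  // Because authentication happens on every request, there is no session to keep
  // on the server: each method that needs a user has to check for null itself.
  @ApiMethod(name = "me", httpMethod = ApiMethod.HttpMethod.GET, path = "me")
  public Profile me(User user) throws UnauthorizedException {
    if (user == null) {
      // Rejecting here is the server-side check the third answer describes;
      // the client then knows its stored account/credential is no longer valid.
      throw new UnauthorizedException("Sign in required");
    }
    // The client can compare this email with the account it used to build the
    // GoogleAccountCredential, which is the final check the asker mentions.
    return new Profile(user.getEmail());
  }
}
```

Any method that omits the User parameter, or takes it but never checks for null, is reachable without a valid token, so the null check is the part not to skip.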

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow