I wanted to leave my own experience here so that others can see that it's not just a matter of using the existing Id returned from an authorised request to the user profile endpoint, as this is not the ID required by the Chrome Payments API...
Short Answer
It's not possible to use only OAuth2.0 for a hosted app. The only options for a hosted app are:
- Use the deprecated OpenID (see detailed answer)
- Use In-app Payments using Google Wallet for Digital Goods
Long Answer
We still have to use OpenID, however Google has provided a migration path for OpenID users to OAuth2.0 called OpenID Connect. The aim of this migration is to map the old fedId field to the new Google+ User Ids.
This allows us to retrieve an OpenID identifier using an existing OAuth 2.0 process.
Caveat: The Google .NET Client APIs do not support this migration path. So authentication must be done manually or using a 3rd party OAuth library.
Howto:
As per usual OAuth flow, direct the user to the Authenticate endpoint (https://accounts.google.com/o/oauth2/auth) with the following variables:
- openid.realm=http://localhost ** Required, where http://localhost matches your redirect_uri variable
- scope=openid profile https://www.googleapis.com/auth/chromewebstore.readonly ** Both openid and profile scopes are required in order to retrieve the OpenID identifier. The chromewebstore scope is required to query the payments API.
Then exchange the code for an access token from the Token endpoint (https://accounts.google.com/o/oauth2/token)
- At this point you will receive the standard access_token, refresh_token, etc. variables but also an additional id_token variable.
- This id_token is a JWT-encoded string containing the OpenID information.
- Decoding this JWT-encoded string (you can use this C# JWT Library) will give you a JSON string in the following format:
{
  "aud": "<googleuserid>.apps.googleusercontent.com",
  "at_hash": "<hashcode>",
  "iss": "accounts.google.com",
  "openid_id": "<!! The fedId we require !!>",
  "exp": <id>,
  "azp": "<googleuserid>.apps.googleusercontent.com",
  "iat": <id>,
  "sub": "<googleuserid>"
}
- At this stage we've finally found what we're looking for, the openid_id. This can be used to communicate with the Chrome Payments API.
While still using the same OAuth credentials, make a signed request to the following URL:
https://www.googleapis.com/chromewebstore/v1/licenses/{appId}/{openId}
- {appId} is the ID of your app within the Chrome Web Store
- {openId} is the openid_id from the JWT response
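The decode-and-use step of the answer above, as an added Python example (not the answer's own code, which is C#): it unpacks the id_token payload, checks iss, aud and exp before trusting openid_id, and builds the licenses URL. The sample token, client id and app id are constructed; it assumes the JWT signature has already been verified by your JWT library against Google's public keys, and that Google OpenID 2.0 identifiers are URLs that need percent-encoding in the path.

```python
import base64
import json
import time
from typing import Optional
from urllib.parse import quote

GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def extract_openid_id(id_token: str, client_id: str, now: Optional[int] = None) -> str:
    """Return the openid_id claim after checking iss, aud and exp.

    Precondition: the token's RS256 signature was already verified against
    Google's published keys by a JWT library; base64-decoding the payload
    proves nothing about who issued it.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a three-part JWT")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("unexpected issuer: %r" % claims.get("iss"))
    if claims.get("aud") != client_id:  # token minted for a different client id
        raise ValueError("id_token audience does not match this client")
    if int(claims.get("exp", 0)) <= (int(time.time()) if now is None else now):
        raise ValueError("id_token has expired")
    openid_id = claims.get("openid_id")
    if not openid_id:  # only present when openid.realm and openid+profile scopes were sent
        raise ValueError("no openid_id claim in id_token")
    return openid_id

def license_url(app_id: str, openid_id: str) -> str:
    # Assumption: Google OpenID 2.0 identifiers are URLs, so the value is
    # percent-encoded before it is placed in the {openId} path segment.
    return "https://www.googleapis.com/chromewebstore/v1/licenses/%s/%s" % (app_id, quote(openid_id, safe=""))

# Constructed sample (not a real Google token): the claim layout from the answer.
SAMPLE_CLIENT_ID = "123456789.apps.googleusercontent.com"
SAMPLE_CLAIMS = {"aud": SAMPLE_CLIENT_ID, "iss": "accounts.google.com", "sub": "1100",
                 "openid_id": "https://www.google.com/accounts/o8/id?id=EXAMPLEFEDID",
                 "exp": 1400003600, "iat": 1400000000, "azp": SAMPLE_CLIENT_ID, "at_hash": "x"}

def build_sample_id_token(claims: dict) -> str:
    # Header + claims + a dummy signature segment, so the parsing path can be exercised offline.
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    header = enc(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return ".".join([header, enc(json.dumps(claims).encode()), "dummysig"])
```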