rhishikeshj / Xamarin.GoogleAuth

Cross platform plugin for doing Google Authentication for Xamarin iOS and Android apps
BSD 2-Clause "Simplified" License

Add server auth code flow #1

Open trevoriancox opened 7 years ago

trevoriancox commented 7 years ago

The access code returned by GetAuthToken can only be used in the client; it cannot be passed to a server. This means you can't use this library for Google Sign In if you need to be signed in on your server.

This is a feature of GoogleSignIn. I'm adding GetServerAuthCode() to the interface. I have it working for iOS.

For Android, there is an additional issue that GoogleAuthUtil, used in this library, seems to be deprecated and may not return the server auth code:

If you use GoogleAuthUtil to get a server auth code, you should migrate to the new Sign-In API auth code flow.

https://developers.google.com/identity/sign-in/android/migration-guide

rhishikeshj commented 7 years ago

Thanks for pointing this out, Trevor. I'll definitely take a look and make sure I improve the API.

sanjogs commented 7 years ago

@trevoriancox To get the ServerAuthCode on iOS, where do we configure SignInOptions for GoogleSignIn?

rhishikeshj commented 7 years ago

Hi @trevoriancox, Thank you for raising this issue. I have updated the Android code for the plugin and it now follows the new Authentication mechanism which Google recommends.

Regarding the ServerAuthCode and IdToken APIs:

According to the Google documents on Sign-in integration here: https://developers.google.com/identity/sign-in/ios/backend-auth and https://developers.google.com/identity/sign-in/android/backend-auth, the recommendation is to use the IdToken for authentication on the backend server. Can you please let me know why IdToken will not work for your backend server authentication?

rhishikeshj commented 7 years ago

Fixed here: https://github.com/rhishikeshj/Xamarin.GoogleAuth/commit/9b89b8bb103dc55b058dfff96012f987baf96bbd

trevoriancox commented 7 years ago

@rhishikeshj You are right, thank you for pointing that out! I do only need id_token for my application. This also avoids asking the user for the unneeded "offline" permission.
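Added example, not part of the thread or of the plugin's code: a sketch of the checks a backend runs on the id_token it receives from the app (RS256 signature against a known key, then `iss`, `aud` and `exp`), in Python because the thread does not name a backend language. The names `verify_id_token` and `sign_demo_token`, the demo key and the sample client ID are assumptions made for illustration; a real backend takes the keys from Google's published public keys and would normally use a maintained JWT library.

```python
import base64, hashlib, json, time

GOOGLE_ISSUERS = ("accounts.google.com", "https://accounts.google.com")
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # DER DigestInfo, PKCS#1 v1.5

def b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def pkcs1_encode(msg, k):
    digest = hashlib.sha256(msg).digest()
    pad = b"\xff" * (k - 3 - len(SHA256_PREFIX) - len(digest))
    return int.from_bytes(b"\x00\x01" + pad + b"\x00" + SHA256_PREFIX + digest, "big")

def verify_id_token(token, keys, client_id, now=None):
    """Return the user's 'sub' or raise ValueError. keys maps kid -> (n, e)."""
    try:
        h64, p64, s64 = token.split(".")
        header, claims, sig = json.loads(b64d(h64)), json.loads(b64d(p64)), b64d(s64)
        alg, kid = header["alg"], header["kid"]
        iss, aud, exp, sub = (claims[c] for c in ("iss", "aud", "exp", "sub"))
    except (ValueError, KeyError, TypeError):
        raise ValueError("malformed token") from None
    key = keys.get(kid) if isinstance(kid, str) else None
    if alg != "RS256" or key is None:  # pin the algorithm; reject "none" and unknown keys
        raise ValueError("unexpected alg or kid")
    n, e = key
    k = (n.bit_length() + 7) // 8
    msg = f"{h64}.{p64}".encode()
    if len(sig) != k or pow(int.from_bytes(sig, "big"), e, n) != pkcs1_encode(msg, k):
        raise ValueError("bad signature")
    if iss not in GOOGLE_ISSUERS:
        raise ValueError("wrong issuer")
    if aud != client_id:  # token was minted for a different app
        raise ValueError("wrong audience")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        raise ValueError("expired")
    return sub

# Constructed demo key built from two Mersenne primes: NOT secure, offline sample only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def sign_demo_token(claims, kid="demo-kid"):
    parts = [b64e(json.dumps(o).encode()) for o in ({"alg": "RS256", "kid": kid}, claims)]
    msg, k = ".".join(parts), (N.bit_length() + 7) // 8
    return msg + "." + b64e(pow(pkcs1_encode(msg.encode(), k), D, N).to_bytes(k, "big"))
```

The `aud` check is what ties the token to this app's client ID: a token that Google validly signed for some other app passes every other check.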

reesesm2000 commented 5 years ago

Reopening this thread. What I need is to get a serverAuthCode from the OAuth2 flow. This means that not only will a token be returned but also a code that can be sent from the client to the backend server. This allows the server to convert that code into a token/refresh token for itself to use when contacting the Google servers without the user using the app. See this link for more details. https://developers.google.com/identity/sign-in/ios/offline-access Would be great for this to be part of the Xamarin.Auth library.