带有 Google+ API 的 Android 应用程序：客户端 ID 还是 Android ID？

Question

I'm trying to develop an application that makes use of some basic Google+ Apis. The app request a token from Google that then upload on my server and my server check for its validation with Google. What I don't understand (I'm a bit confused) is what's the difference between Client ID for Web application and Client ID for Android application in Google Developers Console. I've tried both of them on the Android app and both work (successfully obtained a token). Obviously, when using the Web Client ID, my SCOPE that I pass using GoogleAuthUtil.getToken() is different from the one using Android Client ID. So, what's the difference between them? I think that I should go for the Android Client ID, but I'd like to know the really differences.

On client side I use:

final String token = GoogleAuthUtil.getToken(mContext, userEmail, G_PLUS_SCOPE);

Where G_PLUS_SCOPE = oauth2:https://www.googleapis.com/auth/plus.me

On server side, I check with Google with this code:

GoogleIdToken token = GoogleIdToken.parse(mJFactory, getRequest().getAuthToken());

        if (mVerifier.verify(token)) {
            GoogleIdToken.Payload tempPayload = token.getPayload();
            if (!tempPayload.getAudience().equals(mAudience)) {
                problem = "Audience mismatch";
                errorMessage = new ErrorMessage(ErrorCodes.AUDIENCE_MISMATCH,problem,null);
                mResponse = new ErrorResponse( errorMessage);
            }
            else if (!mClientIDs.contains(tempPayload.getAuthorizedParty())) {
                problem = "Client ID mismatch";
                errorMessage = new ErrorMessage(ErrorCodes.CLIENT_ID_MISMATCH,problem,null);
                mResponse = new ErrorResponse(errorMessage);
            }

I also don't understand what's the exact value of mAudience. Do I need to put the Client ID as mAudience? And, is the mClientIDs the array containing all the key (Including the Android client ID key)?

Thanks for your help

EDIT: Following http://android-developers.blogspot.it/2013/01/verifying-back-end-calls-from-android.html I've read that the Audience is the Client ID for Web Application and the mIds are all the ID for installed application (1 for me because I've only Android). But I'm not sure if this is the right way of thinking it for every case.

Answer 1

I don't have answer to your question but I found this blog which can help you out:

http://www.androidhive.info/2014/02/android-login-with-google-plus-account-1/

I hope this helps you.

Answer 2

Technically the audience is the client ID which the ID token is intended to authenticate the user to, where the authorized party is the client ID which the ID token was issued to:

http://openid.net/specs/openid-connect-core-1_0.html#IDToken

You should verify both when both are provided. When requesting an ID Token from your Android app, you should use the Client ID of your server to make the request. Your server should then verify that it is the audience for the token when it receives it from your Android client.