
Android login via Google Sign-In with a Spring Boot backend

As the title says, I'm trying to use the Google Sign-In API with a Spring Boot backend server, as described here.

Just to describe the context, the Spring backend is basically a resource+authentication server, that is currently providing OAuth2 authentication to a second Spring Boot application containing the frontend website, via Google SSO or simple form login (similar to what's described here).

My original idea was to mimic the @EnableOAuth2Sso annotation by simply providing an access token to the Android app and attaching it to every request as "Bearer ". Using the user credentials for this was pretty straightforward: I simply make a request to the server at "/oauth/token", using the credentials inserted by the user as authentication, and I correctly receive the access token.

Now, I have absolutely no idea how to build a similar procedure with the Google API in Android. The tutorial page I linked before describes how to get an ID token and how the server should validate it, but after that I don't know what to do.

So far I've managed to add a filter to the security chain that simply checks the token like this:

    import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
    import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
    import java.io.IOException;
    import java.security.GeneralSecurityException;
    import java.util.Arrays;
    import org.springframework.lang.NonNull;
    import org.springframework.security.authentication.BadCredentialsException;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;

    // Fields of the enclosing filter (not shown): transport (HttpTransport), factory (JsonFactory),
    // authServices (own service exposing the client id and user lookup), androidClient (Android OAuth client id).
    private Authentication attemptOpenIDAuthentication(@NonNull String tokenString) {
        String clientId = authServices.getClientId();
        // Accept ID tokens minted for either the web client or the Android client.
        GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(transport, factory)
                .setAudience(Arrays.asList(clientId, androidClient))
                .build();

        try {
            // verify() checks signature, issuer, audience and expiry; null means the token was rejected.
            GoogleIdToken token = verifier.verify(tokenString);
            if (token != null) {
                return authServices.loadAuthentication(token.getPayload());
            } else {
                throw new InvalidTokenException("ID token is null");
            }
        } catch (GeneralSecurityException | IOException e) {
            // Keep the cause so the failure is diagnosable in the logs.
            throw new BadCredentialsException("Could not validate ID token", e);
        }
    }

This does indeed manage to create an Authentication object, but how can I generate an access token after the authentication filtering?

To recap, so far I've got:

  1. The Android app successfully retrieves the Google ID token and sends it to the server

  2. The server successfully intercepts the request and validates the token

I'm basically missing the third point, where I return a proper access token to the Android client. Here is a simple scheme to better understand the situation:

[Image: a rough scheme of the problem. The web frontend works fine; Android is missing Google login.]

Is there any other way to validate the token and get an access token from the server, or should I completely change the authentication procedure on Android?

As far as I can tell: Yes, you need an access token from the server. If I understand this correctly, a webapp is already authenticated via OAuth on your backend, so the procedure is similar here: load the user with the Google ID and generate a token. In my application I used a JWT which is valid for 30 days. If the token expires, the Google authentication in the app is usually still valid, so the token can be renewed using the Google ID. With OAuth you can also send a refresh token directly. It is important that the app always checks the Google authentication first and only in a second step that of the backend.

For the authentication process on the backend you may need to manually implement a dedicated securityConfiguration for this. Have a look at the jhipster project; they implemented a custom jwt-authentication which may give you an idea how it works.
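A worked sketch of the missing third step, joining the question's verified `GoogleIdToken.Payload` to the answer's 30-day backend JWT. This is added example code, not from either poster or from jhipster; it assumes jjwt 0.9.x (`io.jsonwebtoken`), an HMAC secret supplied from configuration as base64, and that the filter calls `issueAccessToken` right after `verifier.verify()` succeeds and `validateAccessToken` on every later "Bearer" request.

```java
import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import java.util.Base64;
import java.util.Date;
import java.util.concurrent.TimeUnit;

public class BackendTokenService {
    // Validity taken from the answer; shorter is better once a refresh path exists.
    private static final long VALIDITY_MS = TimeUnit.DAYS.toMillis(30);
    private static final String ISSUER = "spring-backend"; // assumed issuer name
    private final byte[] secret; // HMAC key from configuration, at least 64 random bytes

    public BackendTokenService(String base64Secret) {
        this.secret = Base64.getDecoder().decode(base64Secret);
    }

    /** Issue the backend access token once the Google ID token has passed verify(). */
    public String issueAccessToken(GoogleIdToken.Payload payload) {
        // Google's stable user id is "sub"; the email can change and is only
        // trustworthy when Google marks it as verified.
        if (!Boolean.TRUE.equals(payload.getEmailVerified())) {
            throw new IllegalArgumentException("Google account email is not verified");
        }
        long now = System.currentTimeMillis();
        return Jwts.builder()
                .setSubject(payload.getSubject())
                .claim("email", payload.getEmail())
                .setIssuer(ISSUER)
                .setIssuedAt(new Date(now))
                .setExpiration(new Date(now + VALIDITY_MS))
                .signWith(SignatureAlgorithm.HS512, secret)
                .compact();
    }

    /** Validate a "Bearer" token on later requests; returns the Google subject id. */
    public String validateAccessToken(String jwt) {
        // parseClaimsJws rejects a bad signature, an unsigned token, a wrong
        // issuer and an expired token by throwing a JwtException.
        Claims claims = Jwts.parser()
                .setSigningKey(secret)
                .requireIssuer(ISSUER)
                .parseClaimsJws(jwt)
                .getBody();
        return claims.getSubject();
    }
}
```

Renewal as the answer describes it is the same call: when the backend JWT expires, the app obtains a fresh Google ID token, the filter verifies it again, and `issueAccessToken` mints a new one.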
