Finally, I'm a Udacity Android Nanodegree graduate :). I recently worked on the Udacity final Capstone Android project and dealt with the problem of authenticating with a backend server (a custom RESTful backend server).
Sign-in with Google is now the most common and seamless way to create user accounts for apps across platforms (web with JavaScript, Android with Java, even desktop apps) without dealing with usernames, passwords and the other logic needed to protect against unauthorised access. But securing a stateless (REST) API backend, that is, authenticating and identifying the user on each request, is a really difficult task. So this article is for developers who want to integrate Google OAuth login in an Android app and connect the app to an existing backend server that stores user data.
Authenticate with a Backend server - Sign-in with Google For Android
Prerequisites:
- 1) A PHP or Node.js web server
- 2) Knowledge of making and handling HTTP calls
Concept:
This post guides you through authenticating users with a backend server after Google Play services has successfully generated an access token in your Android app.
- 1) After a successful sign-in intent, your Android Java code receives a token; this token is a JWT
- 2) Post the JWT access token to the backend server
- 3) Process the access token by making an HTTP GET request to Google's token verification service
- 4) If the HTTP response is successful and returns user data in JSON format, verify the expiry time and the iss, azp and aud claims against the OAuth Android client ID you previously generated in the Google API Developer Console
- 5) Save the user info to the database or other persistent storage
- 6) Then run your own access-token generation mechanism (for example JWT) and send the token to your client for upcoming requests
- 7) If the token service's HTTP response fails, discard the client's request and send an error message to the client
This code snippet is a generic function written in PHP and used as a middleware function in the Slim framework, which is useful for developing REST apps in minutes.
Security Measures:
Here are a few measures to look into while developing a secure backend; make sure you follow them to prevent unauthorised access.
- 1) Run your backend server over HTTPS (SSL) to prevent man-in-the-middle attacks
- 2) Protect your REST API endpoints with authentication middleware
- 3) Create a strong access token, preferably a JWT (JSON Web Token), with a reasonable expiry time
- 4) Verify the token on every request and have an automatic refresh mechanism (if needed)
- 5) Ensure that data embedded in the JSON Web Token is encrypted (AES); by default the payload is only encoded and still readable, so don't attach any sensitive data to the JWT
- 6) By default a JWT has no expiry time, which is considered bad practice (specify a time limit)
- 7) Add general request authentication such as a client ID (Android unique ID), IP address or browser user agent to reject fake or dummy requests
So, follow the best practices above to prevent attacks and breaches at your API endpoints.
Hope you have enjoyed the post; post your own thoughts and additional points as comments. For the complete code, projects, hugs/bugs, just drop me a mail or chat on Facebook/Google+. Sharing is caring.