Implement Google login in Android Client/Server app

Submitted by 非 Y 不嫁゛ on 2019-12-24 15:20:32

Question


The app I am working on consists of two parts:

  1. Native android app
  2. Web service

I want to implement a login procedure between the app and the webservice that is based on the user's Google account. Reading Google's developers site I understand how to make the user authorize an API project on his mobile device; what I fail to understand is how to pass it on to the server and how the communication should be dealt with between the native android app and my webservice.

How does the fact that the mobile app used the oauth2 against Google auth servers and got its access token secure the communication it has with my server side?

Clarification

Let's say the native app does the auth process against Google and receives a token. Then the app can access the user profile and fetch his email address - the email address is his for sure. Now the user sends the email address in the POST data to my service. The email is his, but the server cannot verify it. So let's say someone finds out the url path and POST data syntax the app sends to my server; he can then inject any email address into that call. How can the server verify the email address as a valid one?


Answer 1:


For verifying the app user, check out this post: Verifying Back-End Calls from Android Apps

  1. In the app you can simply receive a Google token-id via the Google Play Services, which is really easy.
  2. Then you send this token to your backend, where you validate it against a Google API. There are libraries for handling this for you (e.g. for PHP). The payload in this answer also contains the user's email and id if you want to deal with this.


Source: https://stackoverflow.com/questions/17858828/implement-google-login-in-android-client-server-app
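The backend check described in the answer, as an added example that is not part of the original post: the server takes the ID token the app sends, verifies Google's signature and the `iss`, `aud` and `exp` claims, and only then reads the email from the verified payload instead of from POST data. The function names, the `keys` dictionary and the client id are assumptions made for this sketch, and the RS256 check is written out with the standard library so it runs offline; a production server would normally leave this to a maintained library such as the ones the answer mentions.

```python
import base64, hashlib, hmac, json, time

GOOGLE_ISSUERS = ("accounts.google.com", "https://accounts.google.com")
# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def pkcs1_sha256_encode(message, k):
    # EMSA-PKCS1-v1_5 encoding of SHA-256(message) for a k-byte RSA modulus.
    digest_info = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(digest_info) - 3) + b"\x00" + digest_info

def rs256_valid(message, signature, n, e):
    k = (n.bit_length() + 7) // 8
    if len(signature) != k or int.from_bytes(signature, "big") >= n:
        return False
    recovered = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(recovered, pkcs1_sha256_encode(message, k))

def verify_id_token(token, keys, client_id, now=None):
    # keys: {kid: (n, e)}; assumed to hold Google's published signing keys (not fetched here).
    now = time.time() if now is None else now
    try:
        head64, body64, sig64 = token.split(".")
        header = json.loads(b64url_decode(head64))
        claims = json.loads(b64url_decode(body64))
        signature = b64url_decode(sig64)
    except (ValueError, AttributeError) as exc:
        raise ValueError("malformed token") from exc
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        raise ValueError("malformed token")
    if header.get("alg") != "RS256":  # reject "none" and HMAC algorithms
        raise ValueError("unexpected algorithm")
    kid = header.get("kid")
    key = keys.get(kid) if isinstance(kid, str) else None
    if key is None or not rs256_valid(f"{head64}.{body64}".encode(), signature, *key):
        raise ValueError("bad signature")
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("wrong issuer")
    if claims.get("aud") != client_id:  # token was issued to a different app
        raise ValueError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise ValueError("expired")
    if claims.get("email_verified") is not True:
        raise ValueError("email not verified")
    return claims  # trust claims["sub"] / claims["email"], never an email sent in POST data
```

A request that swaps the email inside the token fails the signature check, and a token issued to some other app fails the audience check.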
