Hello Android-developers,
I think that I'll talk about a recurrent subject but I can't find anything
suiting my needs.
First I'll describe what I'd like to do, then what I've found on internet,
and in the end want I'm looking for (in a perfect world).
1. What I'd like to do ?
For my games (on android devices) I've a simple credential : login +
password. Currently I'm using special login and password for my company, but
I'd like to offer the possibility to log in using *user's Google account.
*
To proceed I'm looking for a potentiel login and password coming from
User's Google account. Then I would like to be able to check server side if
the user had a valid couple {login, password}
2. *First* solution found on the internet : Ask to the user his Google
login, and his Google password, send them to my server, then simulate a
connection of the user to google service to get a google token. If Google's
server send me a token, then the user is authenticated.
This does not suits me. I don't want to manage the user's Google
password, and I'm not sure that I've the right to do that. Anyway I'll not
do that.
*Second *solution request access to the user's google account on the
phone, the user will see a windows showing "the application would like to
access your Google information [...]" with allow and deny. If the user pick
"allow", the application will have a token. This token can be used to
interact with Google's services (like Google calendar etc). I send this
token to my server (as password) and the user's email as login. Then I check
if the token is valid by using it to access a Google service (Calendar for
example). If it work then the token is valid.
This does not suits me because there is no link between the login
(user's email) and the token (used as password). ie, e hacker could ask for
a token with his identity, then send my the token with another email. The
token will be valid and I'll grand him the access with the identity of the
email ... This is wrong.
3. I'd like to have a 3 point authentication:
- First the user is logged in his phone.
- Second the application request the access to the google account
(Using the AccountManager class).
- Then the user accept
- The application get the access to a Google token.
- The application send to a 3rd party server this token and the email.
- The 3rd party server ask to Google server if this token is a valid
token for this google account (email).
This is called a 3 point registration because their is 3 different parts :
phone application - Google server - 3rd party server
All green steps can already be done really easily, But I can't find a way
to validate a couple {Google email, token}
I'm sure that Google already offer something like that. Currently I've
investigate :
- Google api java : http://code.google.com/p/google-api-java-client/
- Google OAuth 2.0 :
http://www.google.com/events/io/2011/sessions/best-practices-for-accessing-google-apis-on-android.html
But I've nothing clause from that.
Any help, idea, is welcome (^_^).
If you need more clarification regarding what I'm trying to do, please feel
free to ask.
Thank you very much.
*Damien Mabin*
--
You received this message because you are subscribed to the Google
Groups "Android Developers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/android-developers?hl=en
