*The Story:* I am making an Android app that allows a user to purchase a 
subscription, and does not require the user to have an account or login. I 
want to check whether or not a user has purchased a subscription, and the 
Google Play Android Developer API seems to provide this 
service <https://developers.google.com/android-publisher/v1/>.

*The Problem (TL;DR):* Should I use OAuth as a "web application", 
"installed application", "service application", or none of the above?

*The Problem:* To get started with this, I am told:

Access to the Google Play Android Developer API is authenticated using the 
OAuth 2.0 Web Server flow. Before you can use the API, you will need to set 
up an APIs Console project, create a client ID and generate a refresh 
token. -source<https://developers.google.com/android-publisher/authorization>

Fair enough. There are then setup instructions that go on to say:

On the second page, select web application and set the redirect URI and 
Javascript origins.

My application does access the Internet, but it is an installed Android 
app, *not* a web application, so I don't have a "redirect URI" or 
"Javascript origins" to link it to. Additionally, this would require a user 
to log in, which I do not want and is not necessary in my case (I just want 
to check whether or not the user has purchased a subscription).

So if instead of a "web application" I try to create an "installed 
application (Android)", this still requires a user login, to be able to 
manage the user's resources.

I do not want this. There is a third alternative called a "service account" 
that does not require a user login:

A Service Account is used when you have a service that wants to handle its 
"own" resources (e.g., an App Engine app that manages Compute Engine 
resources), as opposed to the resources of an external user (e.g., the 
standard OAuth flow). Using a Service Account the app will be the owner of 
the resources... If you use a Service Account, you will only get data about 
the service's purchases. 
-source<http://stackoverflow.com/questions/12359824/what-is-the-difference-between-a-service-account-and-an-installed-application>

I'm not sure if that is what I want in my case...

Finally, there is also this option:

The simplest flow is one where no end-user authorization is needed. You 
still need to identify your client application using the API key. 
-source<https://code.google.com/p/google-api-java-client/wiki/OAuth2>

This seems perfect! However, I was told initially that to use the Google 
Play Android Developer API I need to authenticate with OAuth 2.0, and this 
does not use a client ID which I was initially told that I specifically 
need.
