how do you authenticate a user between two services, if they are both using a common third-party oauth service?

Posted by urandom on Stack Overflow See other posts from Stack Overflow or by urandom
Published on 2012-06-21T17:05:04Z Indexed on 2012/06/23 9:16 UTC
Read the original article Hit count: 192

Filed under:
|
|

I'm currently experimenting with oauth logins on a website, using google oauth2. While I set that up without too many problems, I saw that there isn't some kind of permanent token, which only google and the authorized service know about a user.

Also, from what I gathered, if I were to create a companion app on android, the preferred way is to go with AccountManager, which seems to handle giving oauth2 access tokens for google accounts. But if I authenticate myself from the anroid app using a google account, how do I now link that user to the same one in the web app?

One way I think this can be done if the user also logs into the web app as well, so that the server receives a fresh access token, and the android and web one are compared. But that seems like a huge hassle, and I haven't seen many other apps do that. Another is to use a refresh token on the server, but that would require extra permissions which might put off any potential visitors.

So what is the general workflow for achieving this? Or am I thinking the wrong way?

© Stack Overflow or respective owner

Related posts about android

Related posts about google