How do you authenticate a user between two services, if they are both using a common third-party OAuth service?
Posted by urandom on Stack Overflow
Published on 2012-06-21T17:05:04Z; indexed on 2012/06/23 9:16 UTC
I'm currently experimenting with OAuth logins on a website, using Google OAuth2. While I set that up without too many problems, I saw that there isn't some kind of permanent token, which only Google and the authorized service know about a user.
Also, from what I gathered, if I were to create a companion app on Android, the preferred way is to go with AccountManager, which seems to handle giving OAuth2 access tokens for Google accounts. But if I authenticate myself from the Android app using a Google account, how do I now link that user to the same one in the web app?
One way I think this can be done is if the user also logs into the web app as well, so that the server receives a fresh access token, and the Android and web ones are compared. But that seems like a huge hassle, and I haven't seen many other apps do that. Another is to use a refresh token on the server, but that would require extra permissions which might put off any potential visitors.
So what is the general workflow for achieving this? Or am I thinking the wrong way?
© Stack Overflow or respective owner