
I'd like to develop an android app where the user can authenticate with his Google account. Then I'd like to use the Google account details also in my C# backend (not for accessing Google APIs, at least for now, but rather to spare an additional user management system). The transport layer will be gRPC. There seem to be numerous ways to do this and I chose the following for the moment:

  • In Android use the GoogleSignIn client to allow the user to log on. From the SignIn client I get the account details as an ID token (which is actually a JWT)
  • Send the JWT along with a gRPC call as metadata (in the RequestHeader)
  • Extract the JWT on the C# backend and validate it using GoogleJsonWebSignature.ValidateAsync from the Google.Apis.Auth nuget package. This returns all the relevant info I need in the backend.

For the beginning this was all quite easy and works well. The only downside is that the JWT will eventually expire and needs to be refreshed :-(. How the f.. do I do this?

Is this a good approach? Any other ways to do it better? How do I refresh the JWT? BR, Daniel

Daniel

1 Answer


When the JWT expires, you should be able to just re-initiate your own client auth flow and get a fresh JWT from the client via calling GoogleSignIn.getIdToken() again.

Relatedly, you can explicitly authorize the server to obtain a refresh token (see Android: How to get Refresh Token by Google Sign-In API?) but that only would let your server make Google API calls on the user's behalf. Since your main use case is using GoogleSignIn as a user management system for your own client/server app, you should let the client app obtain a fresh token and re-send that to the server for validation.

Eric G
  • This pointed me to the right direction and I implemented https://developers.google.com/identity/sign-in/android/offline-access#enable_server-side_api_access_for_your_app which seems to be about the right way to do it. – Daniel Jul 19 '18 at 07:18
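The following is an added example, not code from the question or the answer: a gRPC server interceptor for the C# backend that implements the question's step 3 (extract the ID token from the request metadata and validate it with GoogleJsonWebSignature.ValidateAsync) and the answer's refresh strategy, by mapping an expired or otherwise invalid token to StatusCode.Unauthenticated so the Android client knows to run GoogleSignIn again and re-send a fresh token. It assumes the Grpc.Core and Google.Apis.Auth packages (a version that has GoogleJsonWebSignature.ValidationSettings), a metadata key named "authorization" carrying "Bearer <jwt>", and a placeholder server client ID; none of these names come from the original post.

```csharp
// Added example (not from the question or answer). Validates the Google ID token sent
// as gRPC metadata and turns expiry/invalidity into Unauthenticated so the client refreshes.
using System;
using System.Threading.Tasks;
using Google.Apis.Auth;
using Grpc.Core;
using Grpc.Core.Interceptors;

public sealed class GoogleIdTokenInterceptor : Interceptor
{
    // Assumed metadata key; gRPC lower-cases header names, so the client must send it as "authorization".
    private const string AuthHeader = "authorization";
    private const string BearerPrefix = "Bearer ";

    // Audience check: the token's "aud" claim must equal your own OAuth client ID (placeholder value
    // passed in by the caller). Without this, an ID token minted for some other app would be accepted.
    private readonly GoogleJsonWebSignature.ValidationSettings _settings;

    public GoogleIdTokenInterceptor(string serverClientId)
    {
        _settings = new GoogleJsonWebSignature.ValidationSettings
        {
            Audience = new[] { serverClientId },
        };
    }

    public override async Task<TResponse> UnaryServerHandler<TRequest, TResponse>(
        TRequest request,
        ServerCallContext context,
        UnaryServerMethod<TRequest, TResponse> continuation)
    {
        GoogleJsonWebSignature.Payload payload = await AuthenticateAsync(context.RequestHeaders);

        // Hand the verified identity to the service method; it should read these rather than
        // trusting any user id carried in the request body.
        context.UserState["google.subject"] = payload.Subject;
        context.UserState["google.email"] = payload.Email;

        return await continuation(request, context);
    }

    // Returns the validated token payload, or throws RpcException(Unauthenticated).
    public async Task<GoogleJsonWebSignature.Payload> AuthenticateAsync(Metadata headers)
    {
        string jwt = null;
        foreach (Metadata.Entry entry in headers)
        {
            if (entry.Key == AuthHeader && !entry.IsBinary &&
                entry.Value.StartsWith(BearerPrefix, StringComparison.Ordinal))
            {
                jwt = entry.Value.Substring(BearerPrefix.Length).Trim();
                break;
            }
        }

        if (string.IsNullOrEmpty(jwt))
        {
            throw new RpcException(new Status(StatusCode.Unauthenticated, "missing ID token"));
        }

        try
        {
            // Verifies the signature against Google's published keys, the issuer, the audience
            // configured above and the expiry time; an expired token throws InvalidJwtException.
            return await GoogleJsonWebSignature.ValidateAsync(jwt, _settings);
        }
        catch (InvalidJwtException ex)
        {
            // Unauthenticated (not PermissionDenied) tells the client that obtaining a fresh
            // ID token via GoogleSignIn and retrying the call is the right reaction.
            throw new RpcException(new Status(StatusCode.Unauthenticated,
                "invalid or expired ID token: " + ex.Message));
        }
    }
}
```

Register it when building the server, e.g. `server.Services.Add(MyService.BindService(impl).Intercept(new GoogleIdTokenInterceptor("YOUR_SERVER_CLIENT_ID")))`, where MyService is your generated service and the client ID is the one you configured for the server. On the Android side, a call that fails with Unauthenticated is the trigger to obtain a new ID token from GoogleSignIn and resend it; the server never needs a Google refresh token for this, in line with the answer above.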