I'm trying to set up Google OAuth with my iOS app and Rails web app. I have 2 separate clients (with of course different client IDs, but with the same prefix) set up in the API Console. One for the iOS app, and the other for the web app (which also has a
I am the lead maintainer of AppAuth, and work on the Google Identity Platform; hopefully I can help.
I want to use the AppAuth SDK on iOS to get the user's auth code, then send that to my web app, which will then perform the exchange for the access token.
First of all, does this sound like a reasonable thing to do, or is it not possible to split the transaction across clients like that?
Exchanging the code on your server sounds reasonable, however I think the configuration you are using is possibly incorrect. If you are requesting a code for exchange on your server, use the server's client id in the request to the authorization server. From your description it sounds like your authorization server request is sending your iOS client ID, and you are then doing the exchange with your server client ID, and I believe this is why you are seeing an "unauthorized_client" error.
This is not terribly well documented, apologies for that. It is alluded to in this section of the documentation on "offline access", though it talks about it purely in terms of Android usage via GoogleApiClient.
is it necessary to pass this code verifier to the server? Seems a little strange.
The intention behind PKCE is to ensure that the entity making the authorization request is the same as the entity making the code exchange request. The code_verifier should not leave the device under normal circumstances.
However, it is not necessary to use PKCE if you are exchanging your code using a client secret controlled by your backend; you can disable PKCE in AppAuth for this scenario.
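As an added illustration of the two points made in the answers above (use the server's client ID on both legs of the code flow, and how PKCE ties the authorization request to the exchange), here is a Ruby sketch of the request parameters each side builds. This is example code written for this thread, not AppAuth's or Google's code; the client IDs, redirect URI and secret are constructed placeholders, and the endpoint URLs are Google's public OAuth 2.0 endpoints. Nothing here performs a network call; it only shows what each party sends and a check that the client ID is consistent across both legs.

```ruby
require 'securerandom'
require 'digest'
require 'base64'
require 'uri'

# Constructed placeholders, not real Google client IDs.
IOS_CLIENT_ID    = '000000000000-ios.apps.googleusercontent.com'
SERVER_CLIENT_ID = '000000000000-web.apps.googleusercontent.com'

# Google's public OAuth 2.0 endpoints.
AUTH_ENDPOINT  = 'https://accounts.google.com/o/oauth2/v2/auth'
TOKEN_ENDPOINT = 'https://oauth2.googleapis.com/token'

# PKCE (RFC 7636): a high-entropy verifier and its S256 challenge.
# 32 random bytes, base64url without padding, gives a 43-character verifier.
def pkce_verifier
  Base64.urlsafe_encode64(SecureRandom.random_bytes(32), padding: false)
end

def pkce_challenge(verifier)
  Base64.urlsafe_encode64(Digest::SHA256.digest(verifier), padding: false)
end

# What the authorization server checks at exchange time: the verifier presented
# with the code must hash to the challenge sent with the authorization request.
def pkce_verifier_matches?(verifier, challenge)
  pkce_challenge(verifier) == challenge
end

# Authorization request built on the device (what AppAuth sends to the browser).
# The client_id is the SERVER's, because the server is the party that will
# exchange the code. Passing code_challenge is optional when the server does
# the exchange with its client secret, as the answer above notes.
def authorization_request_params(client_id:, redirect_uri:, scope:, state:, code_challenge: nil)
  params = {
    'response_type' => 'code',
    'client_id'     => client_id,
    'redirect_uri'  => redirect_uri,
    'scope'         => scope,
    'state'         => state
  }
  if code_challenge
    params['code_challenge']        = code_challenge
    params['code_challenge_method'] = 'S256'
  end
  params
end

def authorization_url(params)
  "#{AUTH_ENDPOINT}?#{URI.encode_www_form(params)}"
end

# Token exchange body built on the Rails backend after the device hands it
# the code. The client secret never leaves the server. code_verifier is only
# included if the device used PKCE, in which case the device would have to
# send it along with the code (the situation the question found strange).
def token_exchange_params(code:, client_id:, client_secret:, redirect_uri:, code_verifier: nil)
  params = {
    'grant_type'    => 'authorization_code',
    'code'          => code,
    'client_id'     => client_id,
    'client_secret' => client_secret,
    'redirect_uri'  => redirect_uri
  }
  params['code_verifier'] = code_verifier if code_verifier
  params
end

# Sanity check before shipping: the client_id on the authorization leg must be
# the one used on the exchange leg. Mixing the iOS and web client IDs is the
# mismatch the answer above identifies as the cause of "unauthorized_client".
def client_ids_match?(auth_params, token_params)
  auth_params['client_id'] == token_params['client_id']
end

if __FILE__ == $PROGRAM_NAME
  verifier  = pkce_verifier
  auth      = authorization_request_params(client_id: SERVER_CLIENT_ID,
                                           redirect_uri: 'https://example.com/oauth/callback',
                                           scope: 'openid email',
                                           state: SecureRandom.hex(16),
                                           code_challenge: pkce_challenge(verifier))
  puts authorization_url(auth)
  token = token_exchange_params(code: 'PLACEHOLDER_CODE', client_id: SERVER_CLIENT_ID,
                                client_secret: 'PLACEHOLDER_SECRET',
                                redirect_uri: 'https://example.com/oauth/callback',
                                code_verifier: verifier)
  puts "client IDs consistent: #{client_ids_match?(auth, token)}"
end
```

The design choice worth noting is that with the server-side exchange, the secret that binds the exchange to a legitimate party is the server's client secret, so PKCE becomes optional; if you do keep PKCE enabled in AppAuth, the device has to forward `code_verifier` to the backend alongside the code, otherwise the exchange will fail the check modelled by `pkce_verifier_matches?`.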