Tomer Weller Tomer Weller - 1 month ago 4x
Android Question

Webservice credentials - OpenID/Android AccountManager?

I'm building a webservice and would like to use the user's google account credentials.

The service runs on GAE and will have a web client and an Android native client.

This is my first attempt of something like this and I've been reading about OpenID and the Android AccountManager library.

I'm still not sure what are my options in terms of storing the users in my Datastore. What Identifier should I use ? Is it possible to use OpenID on a native Android application ?

Any help and/or pointers would be appreciated. Thanks.


We had a similar requirements on the last project: GAE backend with GWT frontend and Android/iPhone clients. Also, we did not want to store user credentials.

So we choose to use OpenID, which is unfortunately a Web standard and does not play well with mobile devices, but is doable.

On the GAE side we simply enabled federated login which gave us OpenID.

On mobile devices, when user needs to login we present to them a list op OpenID authenticators (Google, Yahoo, etc..). Then we open a native browser (not embedded browser) and direct user to chosen OpenID authentication site. The upside is that user's browser usually already has username/pass remembered, so this step just requires user to press one button.

This is all pretty straightforward. Now here is the tricky part: After user confirms login, OpenID redirects back to our GAE return url (you need to provide this url when request is made). On this url we create a custom URL, for example:


where XXXYYYZZZZ is auth token. We get this token from the return page where it's stored as an ACSID cookie: we used some JSP to read this cookie and wrap it into above custom URL.

Then we register our Android and iPhone apps to handle the yourappname:// URLs, so that when user cliskc this link, our app is invoked and the link is passed to it. We extract user name and token from this link and we use it in REST requests to the GAE backend.

If you have any more questions I'd gladly update this post.


The user session cookie on production AppEngine is named ACSID, while on development AppEngine server it's named dev_appserver_login.