I am making an Android app which should be able to get data from a web service (which is not part of GAE). Users are able to log in to the web service through their browser by using OpenID (only Google accounts are allowed).
AccountManager can give me an authtoken. I could save this authtoken on my server, together with the user's Google account name (email), and then use this account name to connect his OpenID login with the app registration.
But this does not solve anything because I have no way to verify this token against the user's OpenID information... Or do I? I thought I could use the user's authtoken to "somehow" link his Android account to the web account.
This looks more and more like the wrong way to handle this, but I do not want to save users' Google username/password in SharedPreferences and use that data for login.
Any creative ideas? Thanks
I solved this exact issue for my app Push Actions - http://www.pushactions.com. For my solution, I did end up using GAE, but only to authenticate the token. The actual Push Actions app is hosted on Heroku. Here's my flow:
As far as I know, this is the ONLY way to verify if a token generated by AccountManager is valid. True, it does require the use of GAE, but only for one small piece of your overall app. My GAE service ended up being like 1 class and a few lines of code, so it isn't much. You can think of the GAE piece as a service provided by Google for authenticating tokens.
Here is the code for my GAE service:
logged_in.jsp:
logged_out.jsp: