{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 Evening l夕情丶 的问题《Android app + webserver API using Federated login》','https://www.manongdao.com/q-708994.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I have an Android app that needs to upload data to an API (API will then save data in MySQL DB). I would like to use a Federated login (Google) or OpenID authentication procedure so that user does not need to register email + password for my app, but rather can use Google (or other account) that is saved in AccountManager.
Up until early this year, the solution was using GAE, as per Nick Johnson's famous recipe. But since Google started charging for the use of GAE, this is not a viable solution anymore. PLEASE DO NOT RECOMMEND USE OF GAE.
Has anyone ever managed to solve the problem of authenticating with Federated Login OR OpenID and then getting authorization on a third-party (your) webserver API?
NOTE: OAuth would be a straightforward solution for authorization except that it would rely on interacting (in a trusted manner) with a previously authenticated consumer, which is not the case when you authenticate the app user (on the mobile) using FedLogin or OpenID. OAuth works if my app (mobile + webserver) authenticates user (and I store login + password — which is EXACTLY what I am trying to avoid), but not if Google (or FB) do this for you.
That's what OpenID Connect does. Demo app here.
As for GAE, it still has a free tier (28 frontend instance hours, enough to run 24/7) an it should be enough for you if you don't get much traffic. Anyway you do this, you have to run a server somewhere (even if it is your own machine), so there is not way to make this completely free. So yes, GAE is a viable option. You can start off for free and scale up as needed. There are other reasons to avoid GAE, but 'I have to (at some point) pay (something), therefore scrap it', is definitely the wrong mindset.