I am interested in starting a cross-platform web application (web + mobile), which should have its own loyal user base (like any good application).
The backend runs on Yii2 (PHP) and provides several REST endpoints that require user authentication (OAuth2 access token). A user can obtain an access token by calling the selected API login endpoint, which is the easy part and is not related to this issue.
My web version of the application also allows users to log in through an external SSO (e.g. Google+), which automatically creates the user in the internal user database as well (and links it to the external Google ID, so subsequent SSO requests by the same user are automatically mapped to the same "internal" user).
This is great for the API + REST API pair; however, when we bring Android into the picture, everything starts to get complicated.
The Android application can let the user sign in with their Google+ profile through the standard Android SDK, and we can obtain their Google ID that way. However, the problem is how to safely exchange the Google ID obtained in the Android application for an access token issued by the REST API without asking the user for their username and password in our internal database (the password is automatically generated during the first SSO login, so the end user never knows their password; they only use SSO to log in on both the web and the mobile platform). The keyword here is "safe", because if we simply trust that the Android application authenticated the user correctly and somehow "renamed" the connection between the Android application and the REST endpoints (for example, through a "service access token" that only the Android application knows), a potential hacker could reverse engineer or sniff the connection between them and access the REST endpoints directly, identifying themselves with the same trusted access token. In effect, obtaining an access token for any random user.