by bobbyrullo
3690 days ago
I had the same questions, and it's very hard to find the answer - took me a very long time to piece this together, but this is how Google does it:

1) You create a "normal" client in Google Developer console (i.e. a web client)

2) You create a native/Android client in the same project. This client is shared across all phones.

3) You add a scope of audience:server:client_id:$NORMAL_CLIENT_ID to auth requests from the mobile.

4) You get back a token minted for the web client, from the native client!

This is how it works: https://developers.google.com/identity/protocols/CrossClient...

The reason it is safe is because you can only do the cross-client stuff from a mobile client, which disallows any redirect URLs except for localhost and a couple of other special URIs (see https://developers.google.com/identity/protocols/OAuth2Insta...). It's OK that the secret is not really secret because it's not possible to use it to make a phishing site, since the redirect URL is localhost.

I guess that doesn't answer your "how does it identify the app developer", but it does tell you how these things are deployed at least, and the important fact that there's just one client (not one for every device).
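The two ends of the flow described in the comment above, as an added example that is not the commenter's code nor Google's own libraries: the mobile side building the authorization request under the shared native client with the `audience:server:client_id:` scope, and the server side checking that the ID token it receives was actually minted for the web client rather than for the native one. The client IDs, the redirect URI, the issuer strings, the `make_constructed_id_token` helper and the sample tokens are all constructed placeholders for this example; signature verification against Google's published keys is assumed to happen before the claims check and is not implemented here.

```python
import base64
import json
from urllib.parse import urlencode

# All identifiers below are placeholders chosen for this example (assumptions), not real Google values.
GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
GOOGLE_ISSUERS = ("https://accounts.google.com", "accounts.google.com")  # assumed issuer strings
WEB_CLIENT_ID = "123456789012-webserver.apps.googleusercontent.com"    # the "normal" (server) client
NATIVE_CLIENT_ID = "123456789012-android.apps.googleusercontent.com"   # the shared native client
NOW = 1_700_000_000  # fixed "current time" so the example is deterministic


def cross_client_scope(server_client_id: str) -> str:
    """The special scope from the comment: ask for a token whose audience is the server's client."""
    return f"audience:server:client_id:{server_client_id}"


def build_auth_request(native_client_id: str, server_client_id: str,
                       redirect_uri: str = "http://localhost:8080/callback",
                       state: str = "opaque-anti-csrf-value") -> str:
    """Mobile side: the authorization request is sent under the native client,
    but carries the cross-client scope naming the web client as the audience.
    The redirect_uri must be one the native client type allows (localhost here),
    which is what stops the non-secret native client being used for a hosted phishing page.
    """
    params = {
        "response_type": "code",
        "client_id": native_client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(["openid", "email", cross_client_scope(server_client_id)]),
        "state": state,
    }
    return f"{GOOGLE_AUTH_ENDPOINT}?{urlencode(params)}"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_constructed_id_token(claims: dict) -> str:
    """Builds a JWT-shaped string for the demo. The signature is a dummy: constructed test data only."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.dummysignature"


def unverified_claims(id_token: str) -> dict:
    """Parses the payload only. A real server verifies the RS256 signature against Google's
    published keys BEFORE trusting anything returned here; that step is out of scope for this example."""
    _header, payload, _signature = id_token.split(".")
    return json.loads(_b64url_decode(payload))


def check_id_token_claims(claims: dict, expected_aud: str, now: int = NOW) -> tuple:
    """Server side: accept only a token from Google, minted for *our* web client, and still valid."""
    if claims.get("iss") not in GOOGLE_ISSUERS:
        return False, "unexpected issuer"
    # This is the check the cross-client flow exists for: the token was requested by the
    # native client, but its aud must be the server's client ID, not the native one.
    if claims.get("aud") != expected_aud:
        return False, "token minted for a different client"
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False, "token expired or missing exp"
    if not claims.get("sub"):
        return False, "missing subject"
    return True, "ok"


# Constructed sample tokens (not captured from Google). azp records which client asked for it.
GOOD_TOKEN = make_constructed_id_token({
    "iss": "https://accounts.google.com", "aud": WEB_CLIENT_ID, "azp": NATIVE_CLIENT_ID,
    "sub": "100000000000000000001", "email": "user@example.com", "exp": NOW + 3600})
WRONG_AUD_TOKEN = make_constructed_id_token({
    "iss": "https://accounts.google.com", "aud": NATIVE_CLIENT_ID, "azp": NATIVE_CLIENT_ID,
    "sub": "100000000000000000001", "exp": NOW + 3600})
EXPIRED_TOKEN = make_constructed_id_token({
    "iss": "https://accounts.google.com", "aud": WEB_CLIENT_ID, "azp": NATIVE_CLIENT_ID,
    "sub": "100000000000000000001", "exp": NOW - 1})

if __name__ == "__main__":
    print(build_auth_request(NATIVE_CLIENT_ID, WEB_CLIENT_ID))
    for name, tok in (("good", GOOD_TOKEN), ("wrong aud", WRONG_AUD_TOKEN), ("expired", EXPIRED_TOKEN)):
        print(name, check_id_token_claims(unverified_claims(tok), WEB_CLIENT_ID))
```

The point of the `aud` check is the one the comment makes: the native client ID is effectively public, so the server must never accept a token just because it came from Google; it accepts only tokens whose audience is its own web client ID, which is what the cross-client scope causes Google to mint.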