This is my understanding of the auth flow for a web application:
This is recommended for mobile applications, as per RFC 8252.
When I go to Google developers console > Create Credentials > OAuth Client id > Android [Application type], it asks me for: name, SHA1 fingerprint, and package name.
I'm assuming that the redirect URI is not required, and that my app will get control, or rather the auth code, when a user authorizes my application, since I'm setting the package name when I create the credential. (As given in this answer.) Please correct me if my understanding is wrong.
At this point, I need to send the auth_code to the server for validation, which requires a client id and secret. But I'm not provided with any client secret at the time of creating the credentials.
So how exactly should this whole thing work?
UPDATE
I tried to generate a configuration from their tutorial. It generated 2 credentials: one for a web application, another for Android. It has also generated a credentials.json which contains an entry for web-client. Now, if I understand correctly, this code will go in the Android app to get the auth code:
GoogleSignInOptions gso = new GoogleSignInOptions.Builder(GoogleSignInOptions.DEFAULT_SIGN_IN)
        .requestEmail()
        // the client id passed here is the one issued for the *web* credential, not the Android one
        .requestServerAuthCode("client id issued for web application")
        .build();
However, if my above finding is correct, then it raises more questions to validate my finding:
- When will I pass the client id generated for Android?
- What will be the redirect URL in this case? (I don't think we need to set it.)
- Will I have to use all the client IDs on the server side to validate the auth_code?
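The server-side half of the flow the post describes (the Android app obtains a server auth code with requestServerAuthCode, the backend exchanges it for tokens using the web client id and its secret) is shown below as an added example; it is not code from the question, from Google's tutorial, or from the generated credentials.json. It assumes Google's real token endpoint https://oauth2.googleapis.com/token and the standard authorization_code grant; the empty redirect_uri, the fake transport (make_fake_transport) and the sample token response are constructed so the example runs offline. The audience check on the returned id_token is the one thing a backend must do with the result: accept only codes minted for its own web client id. Signature verification of the id_token against Google's published keys is deliberately not shown here and is required in production.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen

# Google's OAuth 2.0 token endpoint (real endpoint; everything else below is illustrative).
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"


def build_token_exchange_request(server_auth_code, web_client_id, web_client_secret, redirect_uri=""):
    """Build the authorization_code grant the backend POSTs to Google.

    `server_auth_code` is what the Android app got from requestServerAuthCode(...);
    the client id and secret are those of the *web* credential whose id was passed
    to requestServerAuthCode. redirect_uri="" is an assumption for this example.
    """
    form = {
        "grant_type": "authorization_code",
        "code": server_auth_code,
        "client_id": web_client_id,
        "client_secret": web_client_secret,
        "redirect_uri": redirect_uri,
    }
    return Request(
        TOKEN_ENDPOINT,
        data=urlencode(form).encode(),
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(id_token):
    """Return the payload of a JWT id_token. Does NOT verify the signature."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed id_token")
    return json.loads(_b64url_decode(parts[1]))


def exchange_server_auth_code(server_auth_code, web_client_id, web_client_secret, transport=urlopen):
    """Exchange the code at Google and check the result belongs to *this* backend.

    `transport` is injectable so the function can run offline; in production the
    default urlopen is used. Returns the token response dict.
    """
    req = build_token_exchange_request(server_auth_code, web_client_id, web_client_secret)
    with transport(req) as resp:
        tokens = json.loads(resp.read())
    if "error" in tokens:
        raise RuntimeError("token exchange failed: %s" % tokens["error"])
    claims = id_token_claims(tokens["id_token"])
    # A code minted for some other client id must not be accepted by this backend.
    if claims.get("aud") != web_client_id:
        raise ValueError("id_token audience %r is not our client id" % claims.get("aud"))
    if claims.get("iss") not in ("https://accounts.google.com", "accounts.google.com"):
        raise ValueError("unexpected issuer %r" % claims.get("iss"))
    return tokens


# --- constructed offline stand-in for Google's token endpoint (not real data) ---
def _fake_id_token(claims):
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + "."  # unsigned; test fixture only


class _FakeResponse:
    def __init__(self, body):
        self._body = body

    def read(self):
        return self._body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


def make_fake_transport(aud):
    """Return a transport that answers like Google would, minting an id_token for `aud`."""
    def transport(req):
        form = parse_qs(req.data.decode())
        if form.get("grant_type") != ["authorization_code"] or "client_secret" not in form:
            return _FakeResponse(json.dumps({"error": "invalid_request"}).encode())
        body = {
            "access_token": "ya29.constructed",
            "expires_in": 3599,
            "token_type": "Bearer",
            "id_token": _fake_id_token({"iss": "https://accounts.google.com", "aud": aud,
                                        "sub": "1234567890", "email": "user@example.com"}),
        }
        return _FakeResponse(json.dumps(body).encode())
    return transport


def audience_check_rejects(code_minted_for, our_client_id):
    """True if a code/id_token minted for another client id is refused by our backend."""
    try:
        exchange_server_auth_code("4/constructed-code", our_client_id, "constructed-secret",
                                  transport=make_fake_transport(code_minted_for))
    except ValueError:
        return True
    return False
```

With the real transport, the only inputs the backend needs are the code sent by the app and the web credential's id and secret; the Android credential's id and SHA1 fingerprint are consumed by Google when it mints the code, not by the token exchange.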