I am creating an Android app and want to use SSO to make it easy for users to sign in to the application using their Google or Facebook account. The app stores its data on a server so the user can access it from different devices. On the server, I am planning to use the user’s email to identify the user.
On the client I know the email belongs to the user, but how can the server be sure that it’s the real user and not an attacker that sends another user’s mail address to the server?
Do I have to obtain and send the access token to the server together with the email and have the server verify the email using this token or is there something else I can do?
Since I’m only interested in the email for logging in, it would be convenient to just fetch the mail address once and remember it on the client until the user signs out of my app. However, if I need to keep the access token as well, I need to regularly check whether it has expired and renew it if needed.
After more investigation and thinking I have decided to send the access token to my server (over https) and have the server use that to get the email address of the user from Facebook/Google.
It seems to be a pretty standard way to handle this scenario, and if I do this I don’t have to come up with my own solution that is bound to overlook some scenario and leave gaping security holes.
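The server-side half of the flow described above, as an added example that is not code from the question or its author. Besides asking the provider which email the token belongs to, it does the one extra check a practitioner would want here: that the token was issued to *this* app (Google's `aud`, Facebook's `app_id`), since a genuine token a victim obtained while signing into some other app is otherwise a valid login for them on your server. The endpoint URLs, response field names, app identifiers and the token table used to stand in for the providers are all assumptions made for the example; check them against the current Google and Facebook documentation.

```python
"""Server-side verification of a social-login access token.

Added example, not code from the question or its author.  Assumed: the
endpoint URLs, the response field names, the app identifiers, and the
constructed token table that simulates the providers offline.
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional

Fetcher = Callable[[str, Dict[str, str]], dict]  # (url, query params) -> decoded JSON

# Assumed provider endpoints; verify against current provider docs before use.
GOOGLE_TOKENINFO = "https://oauth2.googleapis.com/tokeninfo"
FACEBOOK_DEBUG_TOKEN = "https://graph.facebook.com/debug_token"
FACEBOOK_ME = "https://graph.facebook.com/me"

# Identifiers of *our* app as registered with each provider (hypothetical values).
OUR_GOOGLE_CLIENT_ID = "123456.apps.googleusercontent.com"
OUR_FACEBOOK_APP_ID = "987654321"
OUR_FACEBOOK_APP_TOKEN = "987654321|app-token"   # app access token used to inspect user tokens


class AuthError(Exception):
    """The token is invalid, expired, unverified, or not issued to our app."""


def http_fetcher(url: str, params: Dict[str, str]) -> dict:
    """Real fetcher: GET url?params over HTTPS and decode the JSON body."""
    full = url + "?" + urllib.parse.urlencode(params)
    try:
        with urllib.request.urlopen(full, timeout=5) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:   # providers report bad tokens as 4xx with a JSON body
        return json.load(err)


def google_email(access_token: str, fetch: Fetcher) -> str:
    info = fetch(GOOGLE_TOKENINFO, {"access_token": access_token})
    if "error" in info or "email" not in info:
        raise AuthError("Google rejected the token")
    # Token-substitution check: a valid Google token minted for another app
    # (e.g. a malicious app the victim also signed into) must not log in here.
    if info.get("aud") != OUR_GOOGLE_CLIENT_ID:
        raise AuthError("token was not issued to this app")
    if str(info.get("email_verified")).lower() != "true":
        raise AuthError("email address not verified by Google")
    return info["email"]


def facebook_email(access_token: str, fetch: Fetcher) -> str:
    dbg = fetch(FACEBOOK_DEBUG_TOKEN,
                {"input_token": access_token, "access_token": OUR_FACEBOOK_APP_TOKEN}).get("data", {})
    if not dbg.get("is_valid") or dbg.get("app_id") != OUR_FACEBOOK_APP_ID:
        raise AuthError("token invalid, expired, or issued to another app")
    me = fetch(FACEBOOK_ME, {"fields": "id,email", "access_token": access_token})
    if "email" not in me:   # the user may have declined the email permission
        raise AuthError("no email address on the Facebook token")
    return me["email"]


def authenticate(provider: str, access_token: str, fetch: Fetcher = http_fetcher) -> Optional[str]:
    """Return the verified email to key the account on, or None if login must be refused."""
    try:
        if provider == "google":
            return google_email(access_token, fetch)
        if provider == "facebook":
            return facebook_email(access_token, fetch)
        raise AuthError("unknown provider")
    except AuthError:
        return None


# --- constructed offline stand-in for the providers (made-up tokens, not real ones) ---
_FAKE_GOOGLE = {
    "g-ok":       {"aud": OUR_GOOGLE_CLIENT_ID, "email": "alice@example.com", "email_verified": "true"},
    "g-otherapp": {"aud": "666.apps.googleusercontent.com", "email": "alice@example.com", "email_verified": "true"},
    "g-unverif":  {"aud": OUR_GOOGLE_CLIENT_ID, "email": "mallory@example.com", "email_verified": "false"},
}
_FAKE_FACEBOOK = {
    "f-ok":       {"app_id": OUR_FACEBOOK_APP_ID, "is_valid": True, "email": "bob@example.com"},
    "f-otherapp": {"app_id": "1", "is_valid": True, "email": "bob@example.com"},
    "f-expired":  {"app_id": OUR_FACEBOOK_APP_ID, "is_valid": False, "email": "bob@example.com"},
}


def fake_fetcher(url: str, params: Dict[str, str]) -> dict:
    """Answers like the providers would, from the constructed tables above."""
    if url == GOOGLE_TOKENINFO:
        return _FAKE_GOOGLE.get(params["access_token"], {"error": "invalid_token"})
    if url == FACEBOOK_DEBUG_TOKEN:
        rec = _FAKE_FACEBOOK.get(params["input_token"])
        return {"data": {"app_id": rec["app_id"], "is_valid": rec["is_valid"]}} if rec else {"data": {"is_valid": False}}
    if url == FACEBOOK_ME:
        rec = _FAKE_FACEBOOK.get(params["access_token"])
        return {"id": "1", "email": rec["email"]} if rec else {"error": {"message": "Invalid OAuth access token"}}
    raise ValueError("unexpected URL " + url)


if __name__ == "__main__":
    for prov, tok in [("google", "g-ok"), ("google", "g-otherapp"), ("facebook", "f-ok"), ("facebook", "f-expired")]:
        print(prov, tok, "->", authenticate(prov, tok, fake_fetcher))
```

In production, `authenticate(provider, token)` uses `http_fetcher` and the client sends nothing but the provider name and the token over HTTPS; the email is never trusted from the client. The token only has to stay valid long enough for this one round trip, after which the server can issue its own session, which answers the concern about having to refresh the provider token on the client.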