Authenticate with a Backend Server

If you are using the now.gg Login with an app that communicates with a backend server, you may need to identify the currently signed-in user on the server.

To securely identify the signed-in user using a backend server:

Send the user’s ID token to your server using HTTPS after the user is logged in successfully.
On the server, verify the integrity of the ID token using Verify Token API and use the user information contained in the token to create a new account or establish a session.

Warning

A modified client app can send arbitrary user IDs to your server to impersonate users. Hence, you must not accept plain user IDs on your backend server, such as the ones you get using userData.getUserId() method.
Instead, you use the verifiable ID tokens to securely get the user IDs of logged-in users on the server side.

Send the ID token to your server

Send the ID token to the tokensignin API on your backend server with an HTTPS POST request:

   HttpClient httpClient = new DefaultHttpClient();
    HttpPost httpPost = new HttpPost("https://yourbackend.example.com/tokensignin");
  
    try {
       List<NameValuePair> nameValuePairs = new ArrayList<NameValuePair>(1);
       nameValuePairs.add(new BasicNameValuePair("idToken", idToken));
       httpPost.setEntity(new UrlEncodedFormEntity(nameValuePairs));

       HttpResponse response = httpClient.execute(httpPost);
       int statusCode = response.getStatusLine().getStatusCode();
       final String responseBody = EntityUtils.toString(response.getEntity());
       Log.i(TAG, "Signed in as: " + responseBody);
     } catch (ClientProtocolException e) {
       Log.e(TAG, "Error sending ID token to backend.", e);
     } catch (IOException e) {
       Log.e(TAG, "Error sending ID token to backend.", e);
     }

Verify the integrity of the ID token

After you receive the ID token by HTTPS POST on your backend server, you must verify the integrity of the token using Verify Token API

     
    import requests
     try:
        url = "https://now.gg/accounts/oauth2/v1/verify-token"
        payload={
         "token_type": "id_token",
         "token": < id_token > ,
         "client_id": < your_oauth_client_id >
        }
        headers = {
          'Content-Type': 'application/json'
        }
        response = requests.request("POST", url, headers=headers, data=json.dumps(payload))
         print(response.text)
         #token verified
     except:
         #token not verified
         pass

     
    var axios = require('axios');
     var config = {
         method: 'post',
         url: 'https://now.gg/accounts/oauth2/v1/verify-token',
         headers: {
             'Content-Type': 'application/json'
         },
         data: {
             "token_type": "id_token",
             "token": < id_token > ,
             "client_id": < your_oauth_client_id >
         }
     };

     axios(config)
         .then(function (response) {
             console.log(JSON.stringify(response.data));
         })
         .catch(function (error) {
             console.log(error);
         });

Create an account or session

After you have verified the token, check if the user is already in your user database.

If the user is present in your database, establish an authenticated session for the user.
If the user isn’t yet in your user database, create a new user record from the information you received in the ID token payload, and establish a session for the user.

Note: When you detect a newly created user in your app and save this user in your database, you can get any additional profile information you require from the user.

Using Profile Information