I'm trying to get a sample web application working using OAuth 2 for security that accepts iOS clients and am having a bit of trouble.
Browser Client
Using the node.js/passport example code from I added my google client ID + secret (https://code.google.com/apis/console). Works great - all I had to do was make the redirect URI point at my server's authorization callback.
iOS Client
Using the same server side code as above, and the gtm-oauth2 library for iOS, I've had some trouble. I created a client ID for installed applications per Google's instructions, modified the server to use those, and added them to the iOS app. The app is able to get to the Google sign-in page, but on redirect gives an error (which makes sense, because I didn't change the redirect URI).
Google gives me two options for the redirect URI:
The server requires some sort of redirect, but subbing in the iOS redirect URIs is not working, and it doesn't seem like they should, given that the server needs to have a certain URI called for validation:
var passport = require('passport');
// The passport example uses the passport-google-oauth module's OAuth2 strategy.
var GoogleStrategy = require('passport-google-oauth').OAuth2Strategy;

// The strategy is registered with the *web application* client credentials;
// callbackURL must match the redirect URI registered with Google exactly.
passport.use(new GoogleStrategy({
    clientID: GOOGLE_CLIENT_ID,
    clientSecret: GOOGLE_CLIENT_SECRET,
    callbackURL: "http://127.0.0.1:3000/auth/google/callback"
  },
  function(accessToken, refreshToken, profile, done) {
    // asynchronous verification, for effect...
    process.nextTick(function () {
      // To keep the example simple, the user's Google profile is returned to
      // represent the logged-in user. In a typical application, you would want
      // to associate the Google account with a user record in your database,
      // and return that user instead.
      return done(null, profile);
    });
  }
));
...
// Google redirects here with the authorization code; passport exchanges it
// for tokens server-side and runs the verify callback above.
app.get('/auth/google/callback',
  passport.authenticate('google', { failureRedirect: '/login' }),
  function(req, res) {
    res.redirect('/');
  });
app.get('/logout', function(req, res){
  req.logout();
  res.redirect('/');
});
I get two different errors:
Do I need to add the iOS redirect URI to the iOS client, or put in some sort of redirect param in the node.js server to tell it about the client? Or am I missing something basic?
What you are trying to achieve here, i.e. using the same credentials for the Installed Application and the Web Server Applications flow, won't work. Google knows for which type of application they issued the credentials and enforces this. (This is wrong, see comments.)
The typical way for your scenario would be to implement the Web Server Applications flow on your server and initiate the login by opening the authorization endpoint URL on the iOS device, but setting the redirect_uri to your server. That way you get the access token and refresh token on your server and can call the Google APIs from there.
How you communicate between your iOS client and your web server is then completely independent from everything else.