I develop a web application with nodeJs. Most of the functions auth protected. I use Oauth2 (Google, Twitter) to authorize users to use the application.
I must create an Android application, what communicate with my backend over http after the user authenticated with Google account in the Android app.
What is the best practice for that?
I think OAuth2 would be good for this job. But how?
You might want to consider using PassportJS (in case you are using ExpressJS as your web application framework).
you can't really use oauth in this case. as this How can I verify a Google authentication API access token? explains, you should not share authentications.
Instead, you should have your mobile app use a separate authentication for backend requests. You could have them login once, generate some secret token you can store in the phone so they don't need to login each time. That token is protected by the google login anyway.