Authenticate users through Google with Xamarin.Auth

Authenticate users through Google with Xamarin.Auth

I’ve recently worked on a Xamarin app that needed to authenticate its users against Facebook, Google, and Twitter, and needed to retrieve their email addresses.
Xamarin.Auth did the heavy lifting for us, handling all the OAuth authentication flow.
But configuring it for Facebook, Google, and Twitter can be complicated as their configurations are (not so) slightly different.

After quite a bit of struggle, I decided to share every single steps that led me to successfully implement authentication and getting the user’s email address.

In this post, I will focus on integrating Google authentication in your app.

If you’re eager to see some code, here is a sample app: https://github.com/TimLariviere/Sample-XamarinAuth-Google

Google authentication with Xamarin.Auth

Previously Google allowed the use of in-app webviews to handle the authentication flow, like what Facebook and Twitter do.
But at the start of the year, Google changed its policy for native apps.

It now requires the use of native browsers through libraries (CustomTabs on Android and SFSafariViewController on iOS)
Xamarin.Auth uses by default an in-app webview, but it also supports CustomTabs/SFSafariViewController by enabling the IsUsingNativeUI flag.
While it is fully supported, it can be quite complex to compile and run successfully.

Configuring the Google Developer Console

Before coding, we first need to properly declare a new project in the Google Developer Console to get the identifiers required by Xamarin.Auth.

For that, go to https://console.developers.google.com

There, you will be able to create a new project.

Once it’s done, go to “Credentials” and configure the “OAuth consent screen”.
You will need to set at least the “Product name shown to users”, otherwise Google won’t let you create keys for Android and iOS.

Now we need two OAuth client ID, one for each platform.
The information needed differs from Android and iOS.

Let’s look at Android first.

  • Name: It can be anything you want
  • Signing-certificate fingerprint: the SHA-1 fingerprint of your keystore certificate that will sign your APK
  • Package name: the package name of your app

You can find the signing-certificate fingerprint using the command shown.

You will need as many OAuth Client ID as you have Keystore files to sign your app (Debug, Production, etc.).

For iOS, it’s a little simpler.

  • Name: It can be anything you want
  • Bundle ID: the package name of your app
  • App Store ID: the id of your app on the App Store
  • Team ID: the id of your team on developer.apple.com

The last two fields are optional and allow you to retrict the usage of the OAuth Client ID to only your app.

Upon creation, Google will give you the client IDs that we need.

And that’s all for the Google Developer Console part.
Let’s see how to actually implement Xamarin.Auth in a PCL library, shared by Android and iOS.

Implementing Google authentication in the PCL project

1. Installing the NuGet packages

First, we’ll need to add the Xamarin.Auth NuGet package to our PCL project.
For this sample, I’ve downloaded the latest version on NuGet which is 1.5.0.3.

Then, as we plan on getting the user’s email address, we’ll need to call some REST APIs that will reply in JSON.
Just add a reference to the latest Newtonsoft.Json package (10.0.3 at the time of writing).

2. Using Xamarin.Auth

As Google authentication is OAuth2, we will use the OAuth2Authenticator class provided by Xamarin.Auth.
This class comes with several constructors but only one interests us.

new OAuth2Authenticator(string clientId, 
                        string clientSecret, 
                        string scope, 
                        Uri authorizeUrl, 
                        Uri redirectUrl, 
                        Uri accessTokenUrl, 
                        GetUsernameAsyncFunc getUsernameAsyncFunc = null,
                        bool isUsingNativeUI = false);
  • ClientId: the id that we’ve generated on Google Developer Console (Android/iOS)
  • ClientSecret: not needed by Google
  • Scope: magic string telling which permission to grant on authentication
  • AuthorizeUrl/AccessTokenUrl: Google’s URLs required when authenticating
  • RedirectUrl: custom url (doesn’t need to exist)
  • GetUsernameAsyncFunc: we won’t be using it
  • IsUsingNativeUI: the famous flag to enable in order to comply to Google’s new policy

Xamarin.Auth will query the AuthorizeUrl with our ClientId and Scope.
Then, when the user will be authenticated in his web browser, Google will call our RedirectUrl with a bunch of parameters.
Xamarin.Auth will catch this RedirectUrl (with our help, we’ll see that later) and parse it.
Then it will call the AccessTokenUrl to get the actual token that will allow us to call APIs as the authenticated user.

AuthorizeUrl and AccessTokenUrl can be retrieved in the Google documentation.
The Scope can be also retrieved in the Google documentation. Though we will use the “email” scope for our sample.

I’ve extracted the ClientId and RedirectUrl from the PCL project, as it will differ from Android and iOS.

Here’s the result for my sample app:

Auth = new OAuth2Authenticator(
               Configuration.ClientId,
               string.Empty, 
               "email", 
               new Uri("https://accounts.google.com/o/oauth2/v2/auth"), 
               new Uri(Configuration.RedirectUrl),
               new Uri("https://www.googleapis.com/oauth2/v4/token"),
               isUsingNativeUI: true);

The OAuth2Authenticator class comes with two events: Completed and Error
They’re quite simple to understand. The first one will call our handler when the authentication has completed (with the user authenticated or not) and the latter will allow us to react to an error (bad network, etc.)

Auth.Completed += OnAuthenticationCompleted;
Auth.Error += OnAuthenticationFailed;

When the authentication ends, OnAuthenticationCompleted is called and we can check if the user is authenticated and retrieve the precious OAuth token that we need to call other APIs.

private void OnAuthenticationCompleted(object sender, 
   AuthenticatorCompletedEventArgs e)
{
    if (e.IsAuthenticated)
    {
        // The user is authenticated
        // Extract the OAuth token
        var token = new GoogleOAuthToken
        {
            TokenType = 
                e.Account.Properties["token_type"],
            AccessToken = 
                e.Account.Properties["access_token"]
        };

        // Do something
    }
    else
    {
        // The user is not authenticated
    }
}

N.B.: GoogleOAuthToken is part of the sample.

While Xamarin.Auth usually doesn’t need anything else to work, Google authentication is a bit more tricky because it uses NativeUI.
Xamarin.Auth will not be able to react to the redirection to RedirectUrl made by Google.
For that, we will need to intercept the redirection ourselves (inside the Android and iOS projects) and provide the URL to Xamarin.Auth in order for it to ends the authentication flow.
That requires us to keep the OAuth2Authenticator instance somewhere.
I usually stores it as a static field, and clean it when I’m done.

public static OAuth2Authenticator Auth;

That’s all for our Google implementation.

For a more detailed implementation, you can find the whole GoogleAuthenticator file used in the sample.

3. Retrieving the user’s email address

We have done the hardest part. Things are quite simple once we have the OAuth token.

There’s a Google REST API that allows us to retrieve the user’s email address:
https://www.googleapis.com/userinfo/email?alt=json

public async Task<string> GetEmailAsync(string tokenType, string accessToken)
{
   var httpClient = new HttpClient();

   // Provide the OAuth token as an Authorization header
   httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(tokenType, accessToken);

   // Query the API
   var json = await httpClient.GetStringAsync("https://www.googleapis.com/userinfo/email?alt=json");
   var email = JsonConvert.DeserializeObject<GoogleEmail>(json);
   return email.Data.Email;
}

N.B.: GoogleEmail is also part of the sample.

And we’re done for the PCL part!

Implementing Google authentication in the Android project

1. Setting the package name

First, make sure to set your package name properly. It needs to be the same as the one we declared for Android on the Google Developer Console.
Here, I will set it to “com.woodenmoose.xamarin.googleauth”
AndroidManifest.xml

<?xml version="1.0" encoding="utf-8"?>
<manifest (...) package="com.woodenmoose.xamarin.googleauth">
	(...)
</manifest>

2. Installing the correct NuGet packages

The Xamarin.Auth package is required by the Android project as well, as we need it to actually run an activity using CustomTabs.
Fortunately the CustomTabs Support library is a required dependency and will be installed automatically.

A bit of warning
If you continue and run the app now, you will end up with the following runtime exception:

System.MissingMethodException: Method 'Android.Support.CustomTabs.CustomTabsIntent.LaunchUrl' not found.

That’s because Xamarin.Auth with IsUsingNativeUI will rely on CustomTabsIntent.LaunchUrl, which is only present in v25 and beyond.

You’ll need to make sure that you have installed at least the version v25.1.0.
For that, just update the Xamarin.Android.Support.CustomTabs package.
The sample uses the latest version which is v25.4.0.2.
(CustomTabs v23 comes with Support.v4 library which is not required anymore with v25, you can remove it if you want)

3. Intercepting the redirection

As I’ve said earlier, we need to intercept in place of Xamarin.Auth the redirection made by Google.

But first, we need to create that RedirectUrl.
It can be anything you as long as it is a valid URL or respect the following scheme (protocol:/somedata).
But as we don’t have control over the web browser, we need to make sure that Android warns us of the redirection.

For that, we will use deep linking.
If our URL starts with our package name and the web browser tries to navigate to it, Android will launch our app, passing the URL as a parameter.
The second part of the URL is just an identifier to differentiate other deep links that we may be using.

Here, our URL will be: “com.woodenmoose.xamarin.googleauth:/oauth2redirect”

Deep linking in Android requires an Activity with an IntentFilter.

[Activity(Label = "GoogleAuthInterceptor")]
[
    IntentFilter
    (
        actions: new[] { Intent.ActionView },
        Categories = new[]
        {
                Intent.CategoryDefault,
                Intent.CategoryBrowsable
        },
        DataSchemes = new[]
        {
            // First part of the redirect url (Package name)
            "com.woodenmoose.xamarin.googleauth"
        },
        DataPaths = new[]
        {
            // Second part of the redirect url (Path)
            "/oauth2redirect"
        }
    )
]
public class GoogleAuthInterceptor : Activity
{
    (...)
}

When the redirection happens, Android will create a new instance of the GoogleAuthInterceptor activity.
In the OnCreate method, we can get the URL and pass it to our OAuth2Authenticator.
Make sure to finish the activity as we don’t need it anymore.

protected override void OnCreate(Bundle savedInstanceState)
{
    base.OnCreate(savedInstanceState);

    Android.Net.Uri uri_android = Intent.Data;

    // Convert Android Url to C#/netxf/BCL System.Uri
    Uri uri_netfx = new Uri(uri_android.ToString());
    
    // Send the URI to the Authenticator for continuation
    MainActivity.Auth?.OnPageLoading(uri_netfx);

    Finish();
}

4. Running our project

The last step is to run the actual authenticator.
This will launch the native web browser and initiates the authentication.

// "this" is the current activity
var intent = authenticator.GetUI(this);
StartActivity(intent);

All that is left is to glue together all the pieces to make the Google authentication works on Android and retrieve the user’s email address
Configuration.cs

public static class Configuration
{
    public const string ClientId = "723962257721-ql0tki3si3s22l1lsovimivkmnrfm6rr.apps.googleusercontent.com";
    public const string Scope = "email";
    public const string RedirectUrl = "com.woodenmoose.xamarin.googleauth:/oauth2redirect";
}

MainActivity.cs

[Activity(Label = "Xamarin_GoogleAuth",
          MainLauncher = true,
          Icon = "@drawable/icon")]
public class MainActivity : Activity, 
    IGoogleAuthenticationDelegate
{
    // Need to be static because we need to access it
    // in GoogleAuthInterceptor for continuation
    public static GoogleAuthenticator Auth;

    protected override void OnCreate(Bundle bundle)
    {
        base.OnCreate(bundle);

        SetContentView(Resource.Layout.Main);

        Auth = new GoogleAuthenticator(Configuration.ClientId, 
                       Configuration.Scope, 
                       Configuration.RedirectUrl, 
                       this); // Completed/Error events

        var googleLoginButton = 
           FindViewById<Button>(
             Resource.Id.googleLoginButton);
        googleLoginButton.Click += OnGoogleLoginButtonClicked;
    }

    private void OnGoogleLoginButtonClicked(object sender, 
                     EventArgs e)
    {
        // Display the activity handling the authentication
        var authenticator = Auth.GetAuthenticator();
        var intent = authenticator.GetUI(this);
        StartActivity(intent);
    }

    public async void OnAuthenticationCompleted(
                          GoogleOAuthToken token)
    {
        // Retrieve the user's email address
        var googleService = new GoogleService();
        var email = await googleService.GetEmailAsync(
                              token.TokenType, 
                              token.AccessToken);

        // Display it on the UI
        var googleButton = 
           FindViewById<Button>(
             Resource.Id.googleLoginButton);
        googleButton.Text = $"Connected with {email}";
    }

    public void OnAuthenticationFailed(string message, 
                    Exception exception)
    {
        new AlertDialog.Builder(this)
                       .SetTitle(message)
                       .SetMessage(exception?.ToString())
                       .Show();
    }
}

N.B.: GoogleAuthenticator is a PCL wrapper for OAuth2Authenticator that you can find in the sample.

Implementing Google authentication in the iOS project

1. Setting the package name

First, make sure to set your package name properly. It needs to be the same as the one we declared for iOS on the Google Developer Console.
Here, I will set it to “com.woodenmoose.xamarin.googleauth”
Info.plist

<key>CFBundleIdentifier</key>
<string>com.woodenmoose.xamarin.googleauth</string>

2. Installing NuGet packages

Unlike Android, it can be done in a single step.
Just install the Xamarin.Auth package in the iOS project.

3. Intercepting the redirection

Just like Android, we will set up deep linking.

For that, we need to declare a URL type in the Info.plist file.
We only have to declare our package name as a potential URL scheme that will launch our app.

<key>CFBundleURLTypes</key>
<array>
    <dict>
        <key>CFBundleURLName</key>
        <string>Google Auth</string>
        <key>CFBundleURLSchemes</key>
        <array>
            <string>com.woodenmoose.xamarin.googleauth</string>
        </array>
        <key>CFBundleURLTypes</key>
        <string>Viewer</string>
    </dict>
</array>

Or with the editor of Visual Studio:

Then every time Safari tries to navigate to a URL like “com.woodenmoose.xamarin.googleauth:/”, it will run our app and call the OpenUrl method of the AppDelegate class.
Like we’ve done on Android, get the URL and pass it to our authenticator.

public override bool OpenUrl(
           UIApplication application, 
           NSUrl url, 
           string sourceApplication, 
           NSObject annotation)
{
    // Convert iOS NSUrl to C#/netxf/BCL System.Uri
    var uri_netfx = new Uri(url.AbsoluteString);
    
    AuthViewController.Auth?.OnPageLoading(uri_netfx);

    return true;
}

4. Running our project

The last step is to run the actual authenticator.
This will launch the native web browser and initiates the authentication.

var viewController = authenticator.GetUI();
PresentViewController(viewController, true, null);

Also when you’re handling both Completed and Error events from the authenticator, you will need to manually call DismissViewController because the SFSafariViewController doesn’t dismiss itself.

And we glue everything together, this time for iOS!
Configuration.cs

public static class Configuration
{
    public const string ClientId = "723962257721-lcjvps5ag42butfd44tojo01cuj85d8t.apps.googleusercontent.com";
    public const string Scope = "email";
    public const string RedirectUrl = "com.woodenmoose.xamarin.googleauth:/oauth2redirect";
}

AuthViewController.cs

public partial class AuthViewController : UIViewController,
          IGoogleAuthenticationDelegate
{
    public static GoogleAuthenticator Auth;

    public AuthViewController (IntPtr handle) : base (handle)
    {
    }

    public override void ViewDidLoad()
    {
        base.ViewDidLoad();

        Auth = new GoogleAuthenticator(
                       Configuration.ClientId,
                       Configuration.Scope,
                       Configuration.RedirectUrl,
                       this); // Completed/Error events

        GoogleLoginButton.TouchUpInside += 
            OnGoogleLoginButtonClicked;
    }

    private void OnGoogleLoginButtonClicked(object sender, 
                     EventArgs e)
    {
        var authenticator = Auth.GetAuthenticator();
        var viewController = authenticator.GetUI();
        PresentViewController(viewController, true, null);
    }

    public async void OnAuthenticationCompleted(
                         GoogleOAuthToken token)
    {
        // SFSafariViewController doesn't dismiss itself
        DismissViewController(true, null);

        var googleService = new GoogleService();
        var email = await googleService.GetEmailAsync(
               token.TokenType, 
               token.AccessToken);

        GoogleLoginButton.SetTitle($"Connected with {email}", 
            UIControlState.Normal);
    }

    public void OnAuthenticationFailed(string message, 
                    Exception exception)
    {
        // SFSafariViewController doesn't dismiss itself
        DismissViewController(true, null);

        var alertController = new UIAlertController
        {
            Title = message,
            Message = exception?.ToString()
        };
        PresentViewController(alertController, true, null);
    }
}

And that concludes this really lengthy post.
Hope it helps.

10 thoughts on “Authenticate users through Google with Xamarin.Auth

  1. One problem I find with this is that the Authorisation UI does not terminate after the user presses allow. I return to the app but I get a message about closing Custom Tabs by going back to the app. In the Completed handler for the OAuth2Authenticator am I suppose to close the UI somehow?

    1. Unfortunately you can’t.
      While on iOS, it’s up to you to close the UI, on Android there’s no “Close” method. Sometimes it will autoclose, sometimes it won’t. I haven’t figured out why.

      After googling the issue, it appears some people got it to work by tweaking the intent launching part.

  2. Hi, thank you very much for your article, it help me a lot.
    But I still have a problem, with Android it’s working fine while in iOS I received a “redirect_uri_mismatch” after login.
    After googling the issue it seems that it is a mismatch between redirect url in my code and the one specified in the google developper console… But I don’t have specified this kind of redirect url in google side (following your article). What can be wrong?

    1. Hi,
      There’s indeed no need to declare the redirect url in the console, but you need to declare your Bundle ID.
      Can you check if the Bundle ID you’ve set in the console and the one of your app match ?
      I think Google might compare those two to make sure you’re correctly calling it.

  3. hi.,
    thanks for ur article.
    I want to know that, whether develop google sign in using xamarin.forms or xamarin.android and xamarin.ios. did u use xamarin.auth as a shared library??. pls guide to move further.

    1. Hi
      Xamarin.Auth is available both on Xamarin.Forms and Xamarin Android/iOS. You can use it in a Shared Library or PCL (not yet in a .NET Standard lib as far as I know).
      Personally I used Xamarin.Android/Xamarin.iOS with a PCL, like I explained in the article.

  4. Hi, tanks for this article.

    I’v followed all the steps for android but when the user is authentificated into google, he’s never redirected to the app. If i set the redirectURI to com.ExempleApp:/oauth2redirect, the user is send to google.com in the browser and on completed is never called.

    1. Hi Tristan,
      I think your package name and your redirect URI don’t exactly match.
      Could you check your AndroidManifest.xml file and make sure the package name is the one that you expect? (same name, all lowercase)

      I remember having trouble with a package name containing a dash symbol. Visual Studio displayed the dash correctly in the Properties window but it was converted to an underscore symbol in the manifest file.
      It resulted in a non-working redirect URI (I used a dash, but the app expected an underscore).

  5. Timothé
    Thank you for this great tutorial
    One more thing .. I would like to integrate this with my REST service which store users in MySQL DB and uses PHP, could you help with that and how will be the flow of the code

Leave a Reply

Your email address will not be published. Required fields are marked *