5
votes

I am interested in starting a cross platform web application (web + mobile) that is supposed to have its own loyal user base (as any good application).

The backend is powered by the Yii2 framework (PHP) and exposes several REST endpoints that require authentication by the user (OAuth2 access token). The user is able to obtain an access token by calling a dedicated "login" API endpoint, which is the easy part and not related to this question.

My application's web version also allows users to log in through an external SSO (e.g. Google+), which causes the user to be created automatically in the internal user database as well (and linked to the external Google ID, so subsequent SSO requests by the same user log in the same "internal" user automatically).

This works fine for the web + REST API pair; however, when we bring Android into the picture, things start to get complicated.

The Android application is able to offer the user the option to log in through his Google+ profile via the standard Android SDK, and we are able to retrieve his Google identity this way. However, the problem is: how to safely exchange that Google identity the Android app has for an access token issued by the REST API, without asking the user for his username and password in our internal database (the password is autogenerated during the first SSO login, so the end user never knows his password; he only uses SSO to log in on both the web and mobile platforms). The keyword here is "safely", because if we just trust that the Android app correctly authenticated the user and somehow "whitelist" the communication between the Android app and the REST endpoints (e.g. through a "service access token" that only the Android app knows), a potential hacker can reverse engineer or sniff the communication between the two and call the REST endpoints directly, identifying himself using the same trusted access token. In effect, he gets an access token for any random user.

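One server-side way to do the exchange the question asks about, as an added example that is not code from the question or the answer: the Android app requests a Google ID token for the backend's client ID (GoogleSignInOptions.requestIdToken) and POSTs it; the Yii2 backend verifies that token with the google/apiclient library and only then issues its own bearer token, so no shared "service access token" is needed. The User and AccessToken models, their column names and the controller route are assumptions.

```php
// Added example, not code from the question or answer: a Yii2 REST action that
// exchanges a Google ID token sent by the Android app for an API access token.
// Assumes the google/apiclient package; User and AccessToken are hypothetical models.
namespace app\controllers;

use Yii;
use yii\rest\Controller;
use yii\web\UnauthorizedHttpException;
use app\models\User;         // hypothetical: google_id, email, password_hash columns
use app\models\AccessToken;  // hypothetical: user_id, token_hash, expires_at columns

class GoogleAuthController extends Controller
{
    // The backend's own OAuth client ID; the Android app must request an ID token
    // for this audience (GoogleSignInOptions.requestIdToken) and POST it here.
    const SERVER_CLIENT_ID = 'YOUR-SERVER-CLIENT-ID.apps.googleusercontent.com';

    public function actionGoogle()
    {
        $idToken = Yii::$app->request->post('id_token');
        if (!$idToken) {
            throw new UnauthorizedHttpException('id_token missing');
        }
        // verifyIdToken() checks the RS256 signature against Google's public keys, the
        // issuer, the expiry and that aud equals our client ID: the app only relays
        // Google's assertion and cannot produce one for a different user.
        $client = new \Google_Client(['client_id' => self::SERVER_CLIENT_ID]);
        $payload = $client->verifyIdToken($idToken);
        if (!$payload) {
            throw new UnauthorizedHttpException('invalid Google ID token');
        }
        // Same mapping as the web SSO flow: look up by the stable Google user ID (sub),
        // or create the internal user with an unguessable password on first login.
        $user = User::findOne(['google_id' => $payload['sub']]);
        if ($user === null) {
            $user = new User([
                'google_id'     => $payload['sub'],
                'email'         => $payload['email'],
                'password_hash' => Yii::$app->security->generatePasswordHash(Yii::$app->security->generateRandomString(32)),
            ]);
            $user->save(false);
        }
        // Issue our own bearer token for HttpBearerAuth; store only its hash server-side.
        $token = Yii::$app->security->generateRandomString(64);
        $record = new AccessToken(['user_id' => $user->id, 'token_hash' => hash('sha256', $token),
            'expires_at' => time() + 3600]);
        $record->save(false);
        return ['access_token' => $token, 'token_type' => 'Bearer', 'expires_in' => 3600];
    }
}
```

The HttpBearerAuth filter on the other REST controllers then looks the presented token up by its SHA-256 hash and rejects expired rows, so the token the Android app holds is tied to exactly the Google account Google vouched for.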

1 Answer

2
votes

Maybe use AccountManager? https://developer.android.com/reference/android/accounts/AccountManager.html https://developer.android.com/training/id-auth/custom_auth.html

You can create your own account type and then use the native Android account manager with native security?

In my app I use it like this: in the Yii2 REST service, use HttpBearerAuth, and in the Android app create a custom account with login and password, then use this account to create the HTTP request. All credentials are managed by Android.