
I want to use Google Play Services so that I can access Google Saved Games API which allows me to seamlessly obtain authorisation tokens using Games.getGamesServerAuthCode(...) for secure server authentication on my server back end. However this function is only available through Google Play Services r29 which requires at least Android 6.0. On the other hand my actual game only requires at least Android 2.3.1.

I'm a little concerned that according to this website Android 6.0 is only available on around 7.5% of Android devices, which kind of reduces my impact as of right now in the market.

My question is - what are the alternative approaches (APIs) to server authentication, especially given that Android recommend using Games.getGamesServerAuthCode(...) for security reasons?


What I've found so far

This website gives a more encouraging estimate. I suppose as time goes on the earlier Android versions will diminish and 6.0 will become more popular...

Adding more to the confusion, I just found out that the Games.getGamesServerAuthCode(...) approach is now deprecated, even though it was relatively recently recommended as best practice by Google.

Maybe Google Sign-In for Android could be of help. There's also this Google page on the Google Identity Platform, which states:

Software can obtain OAuth 2.0 Access tokens in a variety of ways, depending on the platform where the code is running. For details, see Using OAuth 2.0 to Access Google APIs and Google Play Services Authorization.

This could possibly solve the deprecation problem, but still requires Android 6.0+...


Tentative solution

Following the advice in noogui's answer below, I currently seem to be making progress. Using google-play-services_lib (r28) allows me to use Android 2.3.1. This approach also seems to solve the deprecation warnings.

Ok, noogui's answer above put me in the right direction. However, this made me think I had to sign in twice - once for Google Play Saved Games - and once again for GoogleSignInApi's due to the following:

Auth.GoogleSignInApi.getSignInResultFromIntent(...);

A bit more digging led me to maclir's self-answered question in this post, from which I could clearly see how to obtain an authentication token using GoogleAuthUtil.getToken(...) by only logging into Google Play Services, without having to invoke a second login via Auth.GoogleSignInApi.getSignInResultFromIntent(...). This way seems to work fine...

... But this official Android blog post declares that method to be deprecated due to security issues, but does offer a solution using GoogleSignInOptions.Builder.requestIdToken(...), which will presumably not require me to use Auth.GoogleSignInApi.getSignInResultFromIntent(...), as was believed by me from noogui's answer.

I am going to test this next. Hopefully I will be able to get the token from GoogleSignInOptions.Builder.requestIdToken(...) by just signing into Google Saved Games API, and not have to log in to GoogleSignInAPI via Auth.GoogleSignInApi.getSignInResultFromIntent(...) as well...


1 Answer


If you use Google Sign-In with an app or site that communicates with a backend server, you might need to identify the currently signed-in user on the server. To do so securely, after a user successfully signs in, send the user's ID token to your server using HTTPS. Then, on the server, verify the integrity of the ID token and retrieve the user's ID from the sub claim of the ID token. You can use user IDs transmitted in this way to safely identify the currently signed-in user on the backend.

Send the ID token to your server

After a user successfully signs in, get the user's ID token:

// Inside onActivityResult(...), once the sign-in Intent has returned.
GoogleSignInResult result = Auth.GoogleSignInApi.getSignInResultFromIntent(data);
if (result.isSuccess()) {
    GoogleSignInAccount acct = result.getSignInAccount();
    // getIdToken() is only populated when requestIdToken(serverClientId) was set on the GoogleSignInOptions.
    String idToken = acct.getIdToken();
    mIdTokenTextView.setText("ID Token: " + idToken);
    // TODO(user): send token to server and validate server-side
} else {
    mIdTokenTextView.setText("ID Token: null");
}

Full code implementation is found in the Authenticate with a Backend Server guide.

ReyAnthonyRenacia
  • Thanks, but this doesn't help me with obtaining an authorization token which I can then send to my server to be verified. –  Oct 12 '16 at 15:29
  • Thanks, does this approach happen silently? I'm using Google Saved Games API to deal with leaderboard and achievements, so it would be nice not to have to sign in twice, e.g. once for saved games API and once for the GoogleSignInApi API. I'll look into it. –  Oct 12 '16 at 19:27
  • 1
    That and other Sign-In concerns are addressed in this official guide [Implementing Sign-in in Android](https://developers.google.com/games/services/training/signin). – ReyAnthonyRenacia Oct 12 '16 at 19:32
  • I can't find where my problem is addressed in that link you give. How can I get an auth token from Google Save Games API? I want to avoid signing in twice via diff APIs. There is a deprecated server auth token function under r29 google play services, but this requires at least Android 6 and my target is Android 2.3.1. Plus that particular function is deprecated already!! I could use GoogleAuthUtil as in this link ... http://stackoverflow.com/questions/17730365/oauth-token-with-google-play-game-services ... but Google say this method is unsafe. I can't seem to win :-( ... i will keep trying. –  Oct 15 '16 at 23:17
  • See my answer here: http://stackoverflow.com/questions/40069681/should-i-use-googleauthutil-gettoken-or-not –  Oct 17 '16 at 13:34
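The server-side step the answer describes (verify the ID token's integrity, then read the user ID from sub), as an added example that is not part of the answer or of Google's libraries: a Go backend check of an RS256-signed ID token. TestKey, MintToken and the client ID in the test are constructed stand-ins; in production the public key is one of Google's published certificates selected by the token's kid header, and clientID is the backend's own OAuth client ID, the same value passed to requestIdToken on the Android side.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
type Claims struct { Iss string `json:"iss"`; Aud string `json:"aud"`; Sub string `json:"sub"`; Exp int64 `json:"exp"` }
// TestKey is a constructed stand-in for Google's signing key, generated fresh each run; a real backend never holds it.
var TestKey, _ = rsa.GenerateKey(rand.Reader, 2048)
// VerifyIDToken checks the RS256 signature with pub, then issuer, audience and expiry, and returns the user ID ("sub").
func VerifyIDToken(token string, pub *rsa.PublicKey, clientID string, now int64) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	// Always verify as RS256 (the token's own "alg" header is never trusted); bad base64 here just fails verification.
	sig, _ := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return "", errors.New("bad signature")
	}
	payload, _ := base64.RawURLEncoding.DecodeString(parts[1]) // covered by the signature, safe to parse now
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return "", err
	}
	switch {
	case c.Iss != "accounts.google.com" && c.Iss != "https://accounts.google.com":
		return "", errors.New("wrong issuer")
	case c.Aud != clientID:
		return "", errors.New("token was issued for a different client ID")
	case now >= c.Exp:
		return "", errors.New("token expired")
	}
	return c.Sub, nil
}
// MintToken signs constructed claims with priv, standing in for Google so the example runs offline.
func MintToken(priv *rsa.PrivateKey, c Claims) string {
	body, _ := json.Marshal(c)
	signing := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return signing + "." + base64.RawURLEncoding.EncodeToString(sig)
}
```

The audience check is what stops an ID token issued to some other app from being replayed against this backend, which is why the client ID must be the backend's own rather than any value accepted.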