Idea

aurecasstudios suggested

Silent Login for Google Play Games Services on Android

Google's new API introduced "Silent Sign-In". Basically, it allows Google Play Games Services (GPGS) login without any user interaction. The condition for this to work is that you cannot ask for any further user information other than the ServerAuthCode, or else a pop-up will appear asking the user for permission.

This is a feature we would really like to use in your games, we would be able to have the great majority of users logged in to GPGS. In our older games, that require user interaction, we only get around 30-40% players logged in.

I also believe silent logins will be a tendency in new games, as Google recommends it as a good practice:
"The most common use case for authentication is to use the DEFAULT_GAMES_SIGN_IN option. This option enables your game to use the games profile for the user. Since a user's games profile only contains a gamer tag that your game can display like a name, and an avatar for a image, the actual identity of the user is protected. This eliminates the need for the user to consent to sharing any additional personal information reducing the friction between the user and your game.

Note: The only Google sign-in option that can be requested which only uses games profile is requestServerAuthCode(). All others, such as requestIDToken() require the user to consent to additional information being shared. This also has the effect of preventing users from having a zero-tap sign-in experience.

Since there can only be one user account signed in at a time, it's good practice to attempt a silent sign-in when the activity is resuming. This will have the effect of automatically signing in the user if it is valid to do so"

Source: https://developers.googleblog.com/2017/11/migrating-to-new-play-games-services.html

"General audience apps should implement silent sign-in to help players get quickly authenticated and authorized to use the full set of features provided by the Google Play games services. If silent sign-in fails, your app should prompt players to sign in interactively."

"Remove any unneeded scopes from your GoogleSignInOptions construction along with any APIs you no longer use.

For example, you should not request G+ scopes when creating your Google sign-in client. This will avoid requiring new users to unnecessarily (1) create G+ accounts, and (2) review additional consent screens."

Source: https://developers.google.com/games/services/checklist

The problem here is, PlayFab requires this ID Token, which cannot be retrieved while using this new silent sign-in. Google now keeps a separate ID for GPGS and for Google Plus. To protect user privacy, games only receive the GPGS ID in the silent sign-in. Can't PlayFab authenticate the user using only the provided GPGS ID, instead of requiring the user's Google Plus profile? Thus, removing the need to ask for user consent in sharing his Google Plus profile information.

PS: We are using Unity5, but I believe this matter concerns all game engines.


9 Comments

Anh Le commented

+1 to this

Justin commented

Why has there been no reply to this? It seems pretty important.

3 comments

brendan commented ·

Because it's a Feature Request, not a Question. Feature Requests are evaluated during our sprint planning meetings, to make sure we're effectively evaluating priorities based upon user input. But the process is the same, regardless. If something is requested, it's tracked. If many unique developers need it, it will have a higher priority. But until the feature in question has been implemented, there's no real purpose in responding to a Feature Request, as the answer is just going to be "we've heard your input, and we're tracking on this".

0 Likes 0 ·
Justin (replying to brendan) commented ·

Ok. Thanks for the explanation. I didn't mean for my comment to sound subversive.

0 Likes 0 ·
wjurica (replying to brendan) commented ·

Many users need this because it affects all Android developers. This isn't a feature request, it's a feature necessity.

0 Likes 0 ·
drallcom3 commented

Is this in already? It's kind of a big deal on mobile. The current confirmation popup is a retention killer.

Andy commented

We do support serverAuthCode today. Are folks running into issues getting it to work silently? Can you post how you're building your ClientConfiguration?

8 comments

Justin commented ·

The current Google call is actually logging into Google+ also, which is not required to access GPGS now. This calls the Login to Google with scope panel. So, this is not a silent login.

From the OP, "The problem here is, PlayFab requires this ID Token, which cannot be retrieved while using this new silent sign-in. Google now keeps a separate ID for GPGS and for Google Plus. To protect user privacy, games only receive the GPGS ID in the silent sign-in. Can't PlayFab authenticate the user using only the provided GPGS ID, instead of requiring the user's Google Plus profile? Thus, removing the need to ask for user consent in sharing his Google Plus profile information."

This question also goes over the issue. PlayFab Question: authentication-via-google-play-games

1 Like 1 ·
Andy ♦♦ (replying to Justin) commented ·

Okay, I understand. I agree the current behavior is not what we want. I've ensured that we have a backlog item tracking this.

2 Likes 2 ·
Justin commented ·

@Brendan, @Andy, @JayZuo

This may affect the current Login/Link Google with PlayFab since it uses Google+ to access GPGS.

The intermittent failures starting as early as January 28, 2019!! Yikes, that is really concerning for our Beta. As if Google Play Auth doesn't have enough issues. Ugh.

https://developers.google.com/identity/sign-in/web/quick-migration-guide

1 Like 1 ·
brendan (replying to Justin) commented ·

Thanks, we do have the updated Google auth as a priority for this quarter, though the fact that they'll be introducing this as a breaking change early is indeed a concern. We've passed this info on to the engineering team to make sure the priority is clear.

3 Likes 3 ·
Justin (replying to brendan) commented ·

Just got this reminder from Google. Including it for reference.

0 Likes 0 ·
nexttechllc commented

@brendan

I hope this gets resolved soon. Now I can't log in to my game using Google Play Games, and I haven't changed that part of the code.

1 comment

Justin commented ·

If you haven't already, you should be tracking GPGS at play-games-plugin-for-unity

Also, see if any of your login issues match any of the issues here playgameservices issues

The developer is very active here and the current version is v0.9.61 as of Feb. 19, 2019.

0 Likes 0 ·
nexttechphilly commented

@Brendan is there anything that we can view to track and follow the progress?

brendan commented

Since this hasn't bubbled up to the feature team yet, I did some digging on this, and I think we need to clarify this concept somewhat, so that we're all on the same page.

"Silent login" in Google's write-up specifically refers to a silent login on the client device only. It's not usable for server authentication of players.

For authentication of the player on a backend server, you have to use either a Server Auth Token or an ID Token. Google does not provide another way for us to validate the user with Google.

And since this has come up in some of the threads, to be clear, this is not a Google+ sign in. It's simply the user's Google account.

Now, the issue folks have been concerned about is the permission popup that shows up, apparently since an OS change by Google. That permission popup shows up because RequestServerAuthCode() (and please note that our example is in C# - the examples and links above are to the Java code, so I don't want anyone getting confused on that) requires either the profile or the email. Since email will always result in a permissions pop-up, we used profile. Therefore, the assumption (since the code hasn't changed) is that Google updated the OS to pop a permissions box on that, as well.

Ultimately, this is entirely on the client - it has nothing to do with any backend service code. It's just that you have to have a token for us to be able to authenticate the player. Our sample code shows getting the token by requesting it and using the Profile permission. Interestingly, Google's own write-up says:

"Note: The only Google sign-in option that can be requested which only uses games profile is requestServerAuthCode(). All others, such as requestIDToken() require the user to consent to additional information being shared."

The implication being that the call we're making in our client code sample (RequestServerAuthCode) is specifically what they say we should do, in order to have a clean sign-in experience. The fact that it does when the profile is requested, as well as the requirement that the client request the profile in order to have a token that can be used for server-side validation isn't something we can control - that's entirely owned by Google.

What I would recommend is reviewing the GPGS documentation, here: https://github.com/playgameservices/play-games-plugin-for-unity#configuration--initialization-play-game-services

That's specifically what we used to create the sample client code we provide (though we didn't use their example, since it uses RequestEmail, given that it was guaranteed to force a pop-up).

And all that said, I have spoken with the head of the SDK team, to ask that they do some additional testing, to see if the update that started causing this issue may have also introduced a way to bypass it that simply isn't documented.

13 comments

drallcom3 commented ·

Just as a note, the GPG SDK has its fair share of bugs and lacks documentation. It's quite surprising that a big company like Google cannot provide a decent SDK for their most important group of apps.

Good to know that on Playfab's side it's working as intended.

1 Like 1 ·
Justin (replying to drallcom3) commented ·

@drallcom3

I totally agree, even though the contributors seem to be very responsive and active on GitHub. There is no mention of how many devs are actually assigned to maintaining and upgrading the features. I wish they would at least build out the error section so devs can implement their own contingencies. It becomes a game of whack-a-mole when debugging. I wonder why there is no dedicated "team" for Google's own services? It seems like GPG is used by just about everyone developing Android Games in some way, if even just for Authentication.

0 Likes 0 ·
aurecasstudios commented ·

Is there any news on this topic?

It seems to have been made clear that many developers would make good use of silent login.

0 Likes 0 ·
brendan (replying to aurecasstudios) commented ·

The response you just commented on is specifically the complete info on this topic. In short, "silent login" is only for client-to-Google sign-in. It cannot be used for service-to-service sign in. The only options Google provides for service-to-service sign in require the Server Auth Token or the ID Token. All queries to retrieve those, which are made from the client to Google, require requesting either the profile or the email.

0 Likes 0 ·
aurecasstudios commented ·

Thanks for your quick response. I read all answers including this one.

I manage to retrieve a server auth token without the user's profile, which could be used for service-to-service authentication.

The issue here is that PlayFab keeps requiring the user's full profile. When I send only the auth token without the profile permission I get a "GoogleOAuthNoIdTokenIncludedInResponse" error from PlayFab.

0 Likes 0 ·
brendan (replying to aurecasstudios) commented ·

That's the point of what I'm saying above. The only API calls Google makes available for service-to-service authentication require the user profile permission. The client-based API calls are not available to us for this. If you believe you're seeing a way to do a s2s call to authenticate the player without the profile permission, feel free to provide specifics.

0 Likes 0 ·
brendan (replying to brendan) commented ·

Thanks, all - this is a very helpful discussion and clarifies what you're looking for. @larissa is correct - the point of LoginWithGoogleAccount is that it's getting the extra profile information that you can only get from their OAuth ID token (which we can extract from the ServerAuthCode, but only if you're using the profile permission). And yes, the issue is that Google updated to pop the permission dialogue for the profile permission since this was made part of the service. It was trying to align this new request to the existing functionality that kept tripping us up (well, that and some of the client-only API calls Google added that muddied the waters a bit).

And while we clearly cannot change the behavior of LoginWithGoogleAccount (since that would technically be a breaking change), what's being asked for is a LoginWithGoogleID, which takes a no-profile ServerAuthCode - which means that literally the only thing we can get from it is that player ID. I'll add that specific item as a backlog request.

2 Likes 2 ·
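
A sketch of the server-side flow brendan describes for a no-profile ServerAuthCode, as an added example that is not PlayFab's code or part of the original thread: the backend exchanges the code at Google's OAuth token endpoint, reads the player ID from the Play Games REST API, and records whether an ID token came back. The `players/me` path, the function names and the `fake_google` stand-in with its sample values are assumptions constructed for illustration.

```python
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://oauth2.googleapis.com/token"              # Google OAuth 2.0 token endpoint
PLAYER_URL = "https://www.googleapis.com/games/v1/players/me"  # Play Games REST path (assumed)


def http_json(url, form=None, bearer=None):
    """Default transport: POST `form` if given, else GET; returns parsed JSON."""
    data = urllib.parse.urlencode(form).encode() if form else None
    req = urllib.request.Request(url, data=data)
    if bearer:
        req.add_header("Authorization", "Bearer " + bearer)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def login_with_server_auth_code(code, client_id, client_secret, transport=http_json):
    """Exchange a one-time ServerAuthCode and return what the backend can learn."""
    tokens = transport(TOKEN_URL, form={
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": "",
    })
    if "access_token" not in tokens:
        raise PermissionError("auth code rejected: %s" % tokens.get("error"))
    # The player ID is read from Google with the fresh token, never taken from the client.
    player = transport(PLAYER_URL, bearer=tokens["access_token"])
    return {
        "player_id": player["playerId"],
        # Per the thread, present only when the client asked for profile or email.
        "has_id_token": "id_token" in tokens,
    }


def fake_google(url, form=None, bearer=None):
    """Constructed stand-in for Google's endpoints so the sketch runs offline."""
    if url == TOKEN_URL:
        if form["code"] != "one-time-code":
            return {"error": "invalid_grant"}
        return {"access_token": "at-123", "expires_in": 3600}  # no-profile: no id_token
    assert bearer == "at-123"
    return {"playerId": "g0123456789", "displayName": "SampleGamer"}
```

Pass `transport=fake_google` to run it without network access; with the default transport the same function talks to Google and needs a real client ID and secret.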
Bastian Krones commented ·

Hi Brendan,

I am absolutely new to this topic and wonder if there is no way of doing the silent sign-in, since I tested Google Firebase Auth and Google Play Games, which worked like a breeze.
https://firebase.google.com/docs/auth/unity/play-games

Is this authentication somehow different to the PlayFab version? Is the Firebase solution only possible since it is from Google itself and they have access to critical data which isn't available for external companies?

Kind regards

0 Likes 0 ·
antti-tuppurainen2 commented

Hi, we ran into this issue and it would be important for us to have it solved as well. The consent popups are quite intrusive and rightfully scary as the application is effectively requesting access to personally identifiable information.

The workaround using a custom service to verify and hash+salt the user id suffers from lesser security as such a custom token cannot be automatically revoked when the Google account details change, and is thus vulnerable to a type of replay attack.

If the ServerAuthCode exchange were implemented on PlayFab's side as part of the hypothetical "LoginWithGoogleID" endpoint, this replay problem would disappear.

Lukasz Balukin commented

Hey,

Something related to this problem was added recently to the SDK - LoginWithGooglePlayGamesServices

https://github.com/PlayFab/CSharpSDK/blame/679cf4fee8aefacaeebd7c2cb72bb9bc9ea9b8df/PlayFabSDK/source/PlayFabClientInstanceAPI.cs#L2726

But it's not really described in the tutorial, because the page mentions GPG sign-in in the title but the actual content of the article describes Google Account sign-in (LoginWithGoogleAccount).

Does anyone here know if this new addition can be used to skip the permission prompt and execute a silent login?
