max asked

Authenticate via Google - ServerAuthCode Issues

We're having multiple issues/questions when trying to use Google SignIn with the new ServerAuthCode method.

1) Under Addons->Google in the Game Manager one should put their ClientId and ClientSecret. So under the Google Developer Console, is that ClientSecret for iOS the "iOS Key" that is displayed under API-Keys?

2) Is it actually possible to use Google SignIn with ServerAuthCode with both iOS and Android? In the Game Manager one can only put one ClientID and one Client Secret under Addons->Google. According to Google iOS should have a different ClientId than Android.

3) When trying to log in with Google ServerAuthCode under iOS with the C++ SDK we're getting this error. (Title ID D73D, in case you want to have a look)

(const PlayFab::PlayFabError) $0 = {
HttpCode = 400
HttpStatus = "BadRequest"
ErrorCode = 1026
ErrorName = "InvalidGoogleToken"
ErrorMessage = "Google API error code: invalid_client details: Unauthorized"
ErrorDetails = size=0 {}}

But this might simply not work because iOS with ServerAuthCode is not supported at all.

4) This ServerAuthCode is a one-time only use code, right? We haven't found a way yet to request a new serverAuthCode from Google, neither in the iOS nor the Android SDK. Actually the serverAuthCode in the Google iOS SDK is only present after the login-screen was displayed. If the user logs in at a later time, with a new session, Google SignIn is successful but the serverAuthCode is simply nil.

The case when we need multiple serverAuthCodes is:

a) User tries to link his GoogleAccount with his current PlayFabAccount

b) We realize that this GoogleAccount is already linked to an account and get an error, serverAuthCode is used now.

c) Now we want to temporarily login to this PlayFab Account, linked with Google, to show the player this account's data and let the player decide which account he wants to use.

d) If player decides to use this Google-linked account, we log back into the device-linked account and unlink the device

e) We log back into the Google-Linked account and link the device again. This is now the main account.

This process needs a total of 3 serverAuthCodes, if I'm not completely off ;)

With the old AccessTokens this was easily possible, since they could be reused.

The problem is that using AccessTokens on Android requires an additional consent-confirmation by the user in Google Play Games Services, which we're trying to avoid.

5) In case all this won't work, can we still safely use the old way of AccessTokens? Or will it soon be removed?

1807605288 answered

We have recently completed a brand new guide which will answer some of your questions:

https://api.playfab.com/docs/tutorials/landing-players/google-html5

However, I'll go through your questions as well:

1. For our guide, we generated a "Web Application" key, and used the elements labeled "Client ID" and "Client secret" in the "Web Application" key. PlayFab is a web-service, and so we need web keys.

Using Google Login on an i-device through PlayFab is untested.

2. Truthfully, I don't know. Our implementation of the new Google OAuth2 may be incomplete. We've been actively investigating all the Google sign-in mechanisms over the last month, and not everything works as expected.

I know that specific Google created plugins outright don't support anything but Android:

https://community.playfab.com/questions/11995/google-sign-on-support-on-ios.html

I suspect that it's a mix of everything. We support web applications, as we just finished a test pass on that for the guide above. I know we support Android if you retrieve the proper set of credentials from Google (We are actively working on an example/guide for this case, they provide multiple credentials in different ways, none of which are clearly documented, and only 1 works correctly for us). We also support using the older token mechanism (see the forum post above), which is multi-platform, but Google may remove that mechanism at any time. There's lots of other combinations we haven't tested and resolved yet. It's a very big task.

3. I suspect you're using the old-style token. Refer to the latter parts of my #2 answer. If you put that token into the obsolete AccessToken parameter of our request (you'll have to manually re-add it to your sdk), it might work.

4. I don't know. Google has deprecated that system, so it's likely they're slowly tearing it apart. It will get harder and harder to use until it stops working entirely. The documentation for it is very poor and out-of-date for the same reason. For us, we won't remove or change the obsolete AccessToken parameter, but as soon as Google disables it, then it's not going to work anymore. To answer your question: I don't know how long it will work, since that's not under our control.

You can generally re-bind an account to the current login, without the back-and-forth steps you describe.

https://api.playfab.com/documentation/client/method/LinkGoogleAccount

The "ForceLink" parameter will allow you to automatically un-link a google credential from the old account, and re-bind it to the current new account. Otherwise, you have a lot of the right ideas. Please consult our best practices guide for more specifics:

https://api.playfab.com/docs/tutorials/landing-players/best-login
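
One way to triage the error quoted in the question on the client side, as an added example (not part of the thread and not PlayFab SDK code): it parses the ErrorMessage format shown there and maps the embedded OAuth error code to its RFC 6749 section 5.2 meaning, which separates a client ID/secret problem from a rejected one-time code. Diagnosis, Cause and diagnoseGoogleError are hypothetical names, and the message format for codes other than invalid_client is assumed to match the one on this page.

```cpp
// Added example: not PlayFab SDK code. All names here are hypothetical.
#include <cstddef>
#include <string>

enum class Cause { ClientConfig, AuthCodeRejected, OtherOAuth, NotGoogleOAuth };

struct Diagnosis {
    std::string oauthError;   // e.g. "invalid_client"
    std::string details;      // text after "details:"
    Cause cause;
    bool freshCodeMayHelp;    // true only when the code itself was rejected
};

// Parses "Google API error code: <code> details: <text>" (format copied from
// the question; assumed to be the same for other OAuth error codes).
Diagnosis diagnoseGoogleError(const std::string& errorMessage) {
    static const std::string prefix = "Google API error code: ";
    static const std::string sep = " details: ";
    Diagnosis d{"", "", Cause::NotGoogleOAuth, false};
    if (errorMessage.compare(0, prefix.size(), prefix) != 0) return d;

    const std::size_t sepPos = errorMessage.find(sep, prefix.size());
    d.oauthError = errorMessage.substr(
        prefix.size(),
        sepPos == std::string::npos ? std::string::npos : sepPos - prefix.size());
    if (sepPos != std::string::npos) d.details = errorMessage.substr(sepPos + sep.size());

    // Error codes as defined in RFC 6749 section 5.2.
    if (d.oauthError == "invalid_client" || d.oauthError == "unauthorized_client") {
        // The client ID / secret pair sent with the code was not accepted as
        // an OAuth client allowed to redeem it. A new auth code will not help.
        d.cause = Cause::ClientConfig;
    } else if (d.oauthError == "invalid_grant") {
        // The code is invalid, expired, already redeemed, or was issued to a
        // different client. Only here is requesting a fresh code worthwhile.
        d.cause = Cause::AuthCodeRejected;
        d.freshCodeMayHelp = true;
    } else {
        d.cause = Cause::OtherOAuth;
    }
    return d;
}
```

For the message in the question this returns ClientConfig with freshCodeMayHelp set to false, so the check belongs on the Client ID and Client secret configured in Game Manager rather than on the sign-in flow.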

max commented ·

Thanks for the detailed insights. I've also tested a couple of more things in the meantime, I'll address them at the single bullets:

1) Okay cool, then it will probably work as in the guide for Android with ServerAuthCode.

We did lots of testing on iOS and I can assure you that it works with the old token login method ;) For the new login type: Maybe one could use the same web application id for iOS and Android, but I think Google recommends using a different one for iOS and Android.

2) For now, we're just hoping the old token mechanism will stay for a while. We're not doing a live-release in the next two months - maybe we're able to investigate something until then.

Google Play Game Services for example is no longer supported on iOS, but in our testing it works fine to link an account with GPGS (deprecated token) and then on iOS login with normal Google Sign In (again deprecated token).

[Splitting message in two....character limit exceeded....]

max commented ·

[Part 2 of 3]

3) I did not use the old token in this test, but I did not create a brand new web application key. I tried to get the secret key of an existing one - so maybe I had the wrong one. There's a web app secret key in the Google Developer API and there's also one displayed in the Firebase Console. I tested both, but maybe you can only see it once - when you create it new.

4) I have to absolutely agree that the documentation is terrible. It took me way too long to even get the token-style way to work properly. The worst is that I have to request the user's email for it (which I don't even want) and then give that email to some weird google auth code function whose parameters are just named "xxxOne", "xxxTwo", etc ;)

[Splitting even more....]

max commented ·

[Part 3 of 3]

The force link seems very cool, but it doesn't solve the issue of being able to show the player some data from two accounts. When I asked Brendan about this issue some time ago, we agreed that the account switching that I'm doing now is the only way to be able to show the player some data of the account that he might be switching to. But even without showing info, we need to know if there's another account already linked and then let the player decide whether to switch or keep the current account. All this doesn't seem to work at all with the new Google login mechanics, right?

1807605288 ♦ commented ·

Linking:

https://api.playfab.com/documentation/client/method/GetUserData

There is a PlayFabId parameter that lets you get user data from player B, if you are logged in as player A. The data on player B must be public.

https://api.playfab.com/documentation/Client/datatype/PlayFab.Client.Models/PlayFab.Client.Models.UserDataPermission

So, if you craft your data storage correctly, you can save some public userdata for all players, which is visible to everybody (keep this in mind for security), but can be used in this example. And you can show info that will inform a user if they want to override the link, without logging-in back and forth.

Google:

I apologize, I'm not an expert on the specifics, even in our own code. Looking through some other forum posts, I suspect that you're right, several other people are having similar problems getting LinkGoogleAccount to work with the new credentials as well. The team members who are more familiar with these APIs have been informed of the issues, and are working on it.

max 1807605288 ♦ commented ·

Thanks, I know how to use GetUserData ;), but it requires the PlayFabId of a user which I do not know when I have not logged in as this user yet.

Imagine a user is using a new Android device, but has also played on their old phone. Now they login on the new phone via Device, and link their device. Later on they turn on GPGS and want to login via Google. Now the player has already a PlayFab account linked to said Google account, but the Client has no idea about the PlayFab ID of this account.

This is why I implemented the login-dance previously, this way you can gain all the data needed and let your player make a meaningful choice which account to use.

Do you know of a way to use GetUserData without "wasting" the ServerAuthCode that google gives us?

1807605288 ♦ max commented ·

There's a way to do this with Facebook or Steam:
https://api.playfab.com/documentation/client/method/GetPlayFabIDsFromFacebookIDs
https://api.playfab.com/documentation/client/method/GetPlayFabIDsFromSteamIDs

but you're right, a similar option does not exist for Google yet. I'll add an additional note for that engineer on our side. Thanks

1807605288 answered

I likely won't have an answer for you until next week.

In the short term, you can re-activate the deprecated login mechanism, which still works for now:

https://api.playfab.com/documentation/client/method/LoginWithGoogleAccount?obsolete=1

ServerAuthCode is the new OAuth2 method for logging into Google. AccessToken is the old token that was deprecated by Google. If you can manually restore the AccessToken property to your request, and populate that token, it should work.

THIS IS NOT A LONG TERM SOLUTION

Please check back here next week for a real solution.

max commented ·

Hey Paul, I just wanted to ask if you have any answers to my questions in the meantime ;)
