larissa asked

Authentication via Google Play Games

Are there any plans to support Google Play Games for Login and Linking?

The available methods LoginWithGoogleAccount and LinkGoogleAccount seem to work with the Google-Account rather than the Play-Games-Account and thus force us to request profile-scope from the user.

However switching to (or additionally supporting) GPGS-Authentication would make much more sense:

- The need to ask for profile-access permission is not self-evident for the players and we would rather avoid it

- Using Play Games (silent-)SignIn and avoiding the request of any unneeded Scopes is listed as 'Required' by Google on their GPGS-checklist ( https://developers.google.com/games/services/checklist - Items 1.2 and 1.1). Quote:

Required: Minimum requirements that must be implemented for your game to be considered Google Play games services-compatible

- When Google reviewed our game for a potential feature, they told us that this is one of their mandatory requirements for considering a feature

- Play Games SignIn is really the state of the art method used by most bigger mobile games nowadays and it just makes sense for a games backend like PlayFab to support it :)


brendan answered

[Edited, to provide all the info on Google's Silent Login, since that topic has come back up again]

Actually, GPG sign-in works in PlayFab. Can you try following this tutorial, and let us know if you run into any issues? https://api.playfab.com/docs/tutorials/landing-players/sign-in-with-google

[Silent Login topic]

"Silent login" in Google's write-up specifically refers to a silent login on the client device only. It's not usable for server authentication of players.

For authentication of the player on a backend server, you have to use either a Server Auth Token or an ID Token. Google does not provide another way for us to validate the user with Google.

And since this has come up in some of the threads, to be clear, this is not a Google+ sign in. It's simply the user's Google account.

Now, the issue folks have been concerned about is the permission popup that shows up, apparently since an OS change by Google. That permission popup shows up because RequestServerAuthCode() (and please note that our example is in C# - the examples and links above are to the Java code, so I don't want anyone getting confused on that) requires either the profile or the email. Since email will always result in a permissions pop-up, we used profile. Therefore, the assumption (since the code hasn't changed) is that Google updated the OS to pop a permissions box on that, as well.

Ultimately, this is entirely on the client - it has nothing to do with any backend service code. It's just that you have to have a token for us to be able to authenticate the player. Our sample code shows getting the token by requesting it and using the Profile permission. Interestingly, Google's own write-up says:

"Note: The only Google sign-in option that can be requested which only uses games profile is requestServerAuthCode(). All others, such as requestIDToken() require the user to consent to additional information being shared."

The implication being that the call we're making in our client code sample (RequestServerAuthCode) is specifically what they say we should do, in order to have a clean sign-in experience. The fact that it does when the profile is requested, as well as the requirement that the client request the profile in order to have a token that can be used for server-side validation isn't something we can control - that's entirely owned by Google.

What I would recommend is reviewing the GPGS documentation, here: https://github.com/playgameservices/play-games-plugin-for-unity#configuration--initialization-play-game-services

That's specifically what we used to create the sample client code we provide (though we didn't use their example, since it uses RequestEmail, given that it was guaranteed to force a pop-up).

Our SDK team has additionally researched the Google SDKs again, to see if they can find any "hidden" way to bypass this requirement. The conclusion is that the option is simply not available in Google's operating system, but we welcome any suggestions from developers, if they feel they've found an effective workaround.

13 comments

larissa commented ·

(Replying again since I think my comment below maybe got lost somehow? :) )

brendan ♦♦ replied to larissa ·

Sorry to hear it - we'll look into why we weren't notified that there'd been a reply. Meanwhile, can you explain what you mean by a "pure games login with no additional scopes"? You do need to specify the "profile" scope, at a minimum.

larissa replied to brendan ♦♦ ·

(That is most likely because I only added the @ in an edit? Probably nothing to worry about :))

"No additional scopes" means using only

DEFAULT_GAMES_SIGN_IN

which is the normal way games signin is supposed to be done - see https://developers.google.com/games/services/checklist

Specifically, this is the code I used:

GoogleSignInOptions.Builder builder = new GoogleSignInOptions.Builder(GoogleSignInOptions.DEFAULT_GAMES_SIGN_IN)
        .requestServerAuthCode(serverClientId);
GoogleSignInOptions gso = builder.build();
GoogleSignInClient signInClient = com.google.android.gms.auth.api.signin.GoogleSignIn.getClient(ctx, gso);

As I already wrote below, once I add the line

builder.requestProfile();

it starts working.

In my comment I've also already explained in full detail when and how this particular line causes a consent-screen and how this is related to PlayFab using the google-account rather than the gpgs-account internally.

Please let me know if there's any other info you need to reproduce/get a clear picture of the problem.

aurecasstudios commented ·

Is there any news on this topic so far?

I still can't get the silent login to work.

brendan ♦♦ replied to aurecasstudios ·

This was covered in the Silent Login for Google suggestion (https://community.playfab.com/idea/19317/silent-login-for-google-play-games-services-on-and.html), but I'll edit the above answer to provide all that info here, as well.

larissa answered

Heya @Brendan, thanks for the speedy reply :) We don't actually use Unity, but what happens when I use a serverAuthCode that was obtained from pure games login with no additional scopes, is that LoginWithGoogleAccount will return a GoogleOAuthNoIdTokenIncludedInResponse Error (1275). If I add a single line to my GoogleSignInOptions

builder.requestProfile();

it starts working.

Note that the Tutorial you linked also seems to request profile scope (and will thus display a consent screen!)

PlayGamesClientConfiguration config = new PlayGamesClientConfiguration.Builder()
    .AddOauthScope("profile")
    .RequestServerAuthCode(false)
    .Build();

It may seem like it doesn't require profile-permission, since the consent-screen only shows once per google-account and subsequent calls won't trigger it anymore.

So it seems somehow PlayFab is somewhere still using the google-profile rather than the gpg-player only. There are different IDs for it, for example

GPGS PLAYER
CopperJuggler69593
PlayerID: a_1794613571623907888

GOOGLE USER
dys daimonia
ID: 109880598525953451951

I've checked and what the game-manager displays (see screen of my test-account) is the google-id (GoogleSignInAccount.getId()) rather than the gpgs-player-id (Player.getPlayerId()), as well as the given name and family name - which is also part of the google-profile rather than gpg-profile and obviously not available without user-permission ;)


googleuser.png (30.4 KiB)
profileconsent.jpg (82.9 KiB)

JayZuo answered

PlayFab supports login/link with Google Play Games Services account now. Please see LoginWithGooglePlayGamesServices & LinkGooglePlayGamesServicesAccount.
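
Added example, not code from the thread or from PlayFab: a Python model of the server side of the exchange discussed above. It shows why a serverAuthCode obtained with only the games scope fails a Google-account login with the reported error, while a Play Games login can key the player on the GPGS player id. The injected `http` transport, the simplified request fields, the `login` and `fake_google` helpers and all token and ID values are assumptions constructed for illustration.

```python
TOKEN_URL = "https://oauth2.googleapis.com/token"
TOKENINFO_URL = "https://oauth2.googleapis.com/tokeninfo"
PLAYER_URL = "https://games.googleapis.com/games/v1/players/me"
GAMES_LITE = "https://www.googleapis.com/auth/games_lite"  # scope of DEFAULT_GAMES_SIGN_IN
IDENTITY_SCOPES = {"openid", "profile", "email"}

class LoginError(Exception):
    pass

def login(code, mode, client_id, client_secret, http):
    """Exchange a serverAuthCode, then key the account for `mode`.
    `http(method, url, data) -> dict` is an injected transport (assumption)."""
    tokens = http("POST", TOKEN_URL, {
        "grant_type": "authorization_code", "code": code,
        "client_id": client_id, "client_secret": client_secret})
    if mode == "google_account":
        # No identity scope granted -> no id_token -> the error from the thread.
        if "id_token" not in tokens:
            raise LoginError("GoogleOAuthNoIdTokenIncludedInResponse")
        claims = http("GET", TOKENINFO_URL, {"id_token": tokens["id_token"]})
        # Reject tokens minted for some other app's client id.
        if claims.get("aud") != client_id:
            raise LoginError("id_token audience mismatch")
        return ("google_account", claims["sub"])
    if mode == "gpgs":
        # The games scope alone is enough; the key is the Play Games player id.
        if GAMES_LITE not in tokens.get("scope", "").split():
            raise LoginError("games scope not granted")
        player = http("GET", PLAYER_URL, {"access_token": tokens["access_token"]})
        return ("gpgs_player", player["playerId"])
    raise ValueError(mode)

def fake_google(granted_scopes, client_id):
    """Constructed offline stand-in for the three Google endpoints."""
    def http(method, url, data):
        if url == TOKEN_URL:
            resp = {"access_token": "constructed-access-token",
                    "scope": " ".join(sorted(granted_scopes))}
            # An id_token is only issued when an identity scope was granted.
            if IDENTITY_SCOPES & set(granted_scopes):
                resp["id_token"] = "constructed-id-token"
            return resp
        if url == TOKENINFO_URL:
            return {"aud": client_id, "sub": "constructed-google-sub"}
        if url == PLAYER_URL:
            return {"playerId": "constructed-gpgs-player-id"}
        raise ValueError(url)
    return http
```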
