I am trying to follow instructions here:
Verifying Back-End Calls from Android Apps
I'm expanding on the question I asked here:
identifying which android app is making contact with my appengine app
All was going well in my test environment. I had a debug.keystore that my app was using in Eclipse, and I even received tokens from my calls to GoogleAuthUtil.getToken(). Then I copied my code to the actual project that it will be used in. I got the keystore (I had saved it from previous publishing on Google Play) and used it to create a new client ID on the Google APIs Console.
Then I use Eclipse to export my project, but after using the right keystore and the associated ID, I am not getting tokens.
Meanwhile I've been trying different things. I had an ID that I made for my app engine app. I used that in the android app and I was given a token. I don't know whether or not that particular token would be cleared when I checked it on my app engine site (I suspect not) but I got a token from it.
I'm kinda assuming that the ID that I'm supposed to use with my android call to GoogleAuthUtil.getToken() is supposed to be from the 'Client ID for installed applications' section (of the Google API page). Is this not so? Only there can you set the application type to 'Android' and the package name to match your application... right?
I assume you're specifying a client_id using the format:
audience:server:client_id:$client_id
This client_id, as the format above tries to hint, is for your home server, in this case the AppEngine app's client_id (a web application client_id). It should verify nicely in AppEngine if you configure your AppEngine app properly.
Again, your Android app asks for a token and names your AppEngine App. You don't need to name your Android app's client_id in the request because the Android platform can recognize your app based on the package name and certificate hash you computed using the keystore tool.
Related
I'm trying to create a new OAuth Client ID in Google cloud platform and I'm getting this message all the time but:
I don't have this fingerprint used by this or another project
The oauth list of IDs is empty
I only have that JSON translations API, apart from that it's empty, not sure what to change.
I have Firebase with Facebook/Gmail/Apple/email oauth for the login and I'd need this API for this: https://www.syncfusion.com/kb/12116/how-to-add-google-calendar-events-to-the-flutter-event-calendar-sfcalendar
It seems there is already an android app using the same package name which you are trying to use.
You can try to validate the same by trying a different package once and see if you are able to complete your process without the error.
I have one query regarding usage of client Id in Google Developers console.
For one project, someone had created one clientId for using Google fit API's for storing fitness data. And I don't have the credentials for account used for creating the Client-id. Also I'm not able to find the client-id anywhere in code.
Now I want to add Google Sign-in using "AppAuth for Android". For which I need to add clientId and redirectUri in code.
My question is, can I create new clientId and redirectUri with any other account using same SHA1 fingerprint and package name? Or do I have to use the same existing client-id? (which doesn't seem to be a possible way)
Edit1:
As @iainmcgin mentioned I tried to create one using the same SHA-1 and package name, but getting below error.
The fingerprint that you specified is already being used by an Android OAuth2 client ID in this project or another project.
Google engineer on the Google Identity Platform team here - we enforce a 1:1 mapping between client IDs and package name + certificate hash, so you can't create another client ID. You'll need to regain access to the project that defined the original client ID; if you are not able to do that, contact me at iainmcgin@google.com with the details of your app and I'll try and put you in touch with people that can verify your ownership of the app and either delete the original client, or give you access to the original project, whichever turns out to be more appropriate.
My android app is backed by an App-Engine server. All good. Now I need to have a dev/staging server that I can use for testing. So I go with the obvious: create two App-Engine projects: one for production, one for development. Part of the process as you know is to add credentials to each project. The problem I am running into is that I cannot register my android app with both projects because the app fingerprint can only be used in one project. So how do I add a dev project when I need credentials for, say, OAuth?
Use a different signing key for the two different versions of the app. You should be able to then register the app with each as it is the combination of the app package name and the signing key fingerprint which is used for the OAuth credentials.
So, I am building an Android module that will be provided to android apps as a Gradle dependency (or AAR package). Eg. Just like Mixpanel, Google Analytics provide their modules to interact with their services, we will be providing our service's SDK to interact easily with our service.
I'll refer our module as SDK and the app in which it is included as Parent App.
For enhanced user experience, we would like to fetch an ID_TOKEN of the user using the Parent App. But fetching an ID_TOKEN involves creating a Client ID in cloud.google.com using the SHA1 signature of the build key and the name of the package.
When someone would be including our SDK in their apps (Parent App), we cannot know what the SHA1 signature of their build key is and what the name of their package is.
I was wondering how we can achieve this. Or a better question: Is it something that can be done only if we ask in OUR OWN apps?
Thanks for this.
I assume you are referring to ID token for a Google account (i.e. sign in with Google).
First of all, GoogleAuthUtil.getToken was the legacy way of retrieving an ID token, which won't give you the best user experience. Check out this blog post for details:
http://android-developers.blogspot.com/2016/05/improving-security-and-user-experience.html
You should use Auth.GOOGLE_SIGN_IN_API instead for ID token retrieval:
https://developers.google.com/identity/sign-in/android/backend-auth#send-the-id-token-to-your-server
Second, if it's "Parent App" that requests a token, the app's identity will be "Parent App" to Google's OAuth backend, and you are right, no way you can masquerade the token retrieval as your app. (And it doesn't make sense if you could masquerade as one single app. Assuming you distribute your SDK to 100 apps, user giving OAuth grant to app 1 should not make app 2 auto get the grant).
But as long as you:
1. Ask your SDK consumers to register with Google:
   https://developers.google.com/identity/sign-in/android/start-integrating#get-config
2. Ask them to share with you their registered client ID for "Web Application" type and you can help them generate a config file your SDK is capable of reading.
3. In your Android SDK / module, you read the config file and use the client id when GoogleSignInOptions.Builder.requestIdToken(CLIENT_ID_FROM_CONFIG_FILE)
4. On your server, make sure to check ID token's 'audience' is one of the registered client IDs.
Then it should work.
Hope it helps.
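The server-side audience check from the last step of the answer above, as an added example that is not part of the original answer. It assumes the token's signature has already been verified against Google's public keys by a JWT library; the function name, the `REGISTERED` mapping and the sample claims are hypothetical and constructed for illustration.

```python
import time

# Issuer values Google uses in the "iss" claim of its ID tokens.
GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}


class TokenRejected(Exception):
    """Raised when signature-verified claims fail the server's policy."""


def check_id_token_claims(claims, registered_client_ids, now=None, leeway=60):
    """Check claims of an ID token whose signature is ALREADY verified.

    registered_client_ids maps each SDK consumer's "Web application"
    client ID to a consumer name (hypothetical structure).
    """
    now = time.time() if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise TokenRejected("unexpected issuer")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp + leeway < now:
        raise TokenRejected("token expired or exp missing")
    # "aud" may be a single string or a list of strings.
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else aud if isinstance(aud, list) else []
    matched = [a for a in audiences
               if isinstance(a, str) and a in registered_client_ids]
    if not matched:
        # A token minted for some other backend must never be accepted here.
        raise TokenRejected("audience is not a registered client ID")
    sub = claims.get("sub")
    if not sub:
        raise TokenRejected("missing subject")
    return {"consumer": registered_client_ids[matched[0]], "user": sub}


# Constructed sample data: two SDK consumers and one set of verified claims.
REGISTERED = {
    "1111-aaaa.apps.googleusercontent.com": "parent-app-one",
    "2222-bbbb.apps.googleusercontent.com": "parent-app-two",
}
SAMPLE_CLAIMS = {
    "iss": "https://accounts.google.com",
    "aud": "2222-bbbb.apps.googleusercontent.com",
    "sub": "1000000000000000001",
    "exp": 1_700_003_600,
}

if __name__ == "__main__":
    print(check_id_token_claims(SAMPLE_CLAIMS, REGISTERED, now=1_700_000_000))
```

The same check applies to tokens requested with the `audience:server:client_id:` scope discussed earlier on this page: the backend accepts a token only when its audience is the backend's own web client ID.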
I have generated an app with AWS Mobile Hub. Google Login works fine in the start. But if I give the exactly same codes to the other developer it gives the error below. Or if I refactor the package name Google Login does not work anymore even with my own computer. (With iOS google-login works fine).
I have tried to follow all the instructions but no help. I have also changed the package name for OAuth 2.0 client ID for android (console.developers.google.com).
Error message:
Google failed. Unknown (Service: google-sign-in; Status Code: 503; Error code: 503; Request ID: google-sign-in) packageName Vs applicationID Android AWS Mobile Sign-in with
Here is one solution that did not work with me:
http://mobiledevelopmenttips.blogspot.fi/2016/02/packagename-vs-applicationid-android.html?showComment=1461311778234#c2030693740616382564
Jukka,
Assuming that no other Application ID or package names have changed from your project code, this error is expected with Google Sign-in when using your debug.keystore and sharing project code.
This error occurs when the Signing-certificate fingerprint (SHA-1) of the Client ID for Android from your console.developers.google.com project DOES NOT MATCH the fingerprint of the developers that signed the app. To reproduce your error, modify the Android Client ID SHA-1 fingerprint value in the google dev console and then attempt to sign-in from your current environment.
I would expect a similar error:
com.amazon.mysampleapp E/SignInActivity:User Sign-in failed for Google
: Unknown (Service: google-sign-in; Status Code: 503; Error Code: 503;
Request ID: google-sign-in)
Issue: Each development environment has a unique debug keystore used to sign an apk. Google Sign-in restricts access to only those apps signed by a known SHA-1 signing-certificate you provided when creating the Android Client ID. The other developer has a different fingerprint, signs the apk and fails because his/her fingerprint is not associated with an Android Client ID.
Solution: Create a new Android Client ID associated with your Google Developer Console project that contains the other developer's fingerprint (you can have multiple Google Client IDs within a single Google Console Project).
Note: When enabling Google Sign-in feature in your Mobile Hub project, Mobile Hub actually creates an OpenID Connect provider (accounts.google.com) in IAM on your behalf.
Within the provider, Mobile Hub adds the Android Client Id you provided as an "Audience" to the provider. Still with me?
The Android Client ID you provided is not in your generated sample code and is only used to identify the signed app attempting to make API calls directly to Google.
So, to recap the solution:
1. Create a new Android Client ID (within Google Dev Console) with the other developer's fingerprint following the steps outlined in the side panel help documentation within the Mobile Hub console.
2. Log into AWS IAM Console, select "Identity Providers" > "accounts.google.com" and ADD your newly generated Android Client ID as a new "Audience". If you forget/ignore this step, you'll get status code 400 NotAuthorizedException Incorrect token audience from Cognito when attempting to sign-in.
This will not be an issue with a production app.
When you prepare to release your app on the app store(s), follow Google's suggested steps to generate a NEW final client ID for your production app and then provide that client ID to IAM as an "Audience". Once you sign the apk and release it, all users have the same signed APK and will be able to authenticate via Google Sign-in. https://support.google.com/cloud/answer/6158849?hl=en#android
Finally it started to work when I did these four things:
1. Created new AWS Mobile Hub project
2. Created new Google Credentials project and used new ids for Mobile Hub project
3. Refactored package name in our real application to a new name (I don't mean refactoring from com.mysampleapp package name which had been refactored earlier but we had to decide new package path for our internal use)
   e.g like this com.company.myapp -> com.company.myapp2
4. I put back Guest Login functionality in AWS Mobile Hub
This was the last step to make it work for me but maybe this is not crucial for others who might have similar problems. We have had different options should we allow guest login during the project so that's why it was important to us.
Here's a couple things to check.
Make sure any other developers are registered as test accounts.
https://developers.google.com/games/services/console/testpub#enabling_accounts_for_testing
Make sure you're both running the app in debug mode or you're signing it with the same certificate.
https://developer.android.com/tools/publishing/app-signing.html#studio
If you change the package name, make sure you make that change in the build.gradle file, not just in the AndroidManifest.xml file.
Hopefully, if you check those issues, you'll get things going. Otherwise, I would recommend looking through Google's troubleshooting documentation.