Google Authentication with a Backend Server required Scopes

I am following these instructions (https://developers.google.com/identity/sign-in/android/backend-auth) for getting an ID token to be sent to my Backend, but when I set `String scopes = "audience:server:client_id:" + Service.SERVER_CLIENT_ID;` (yes, the SERVER_CLIENT_ID is not the Android Client ID) I fail to get a token and it throws this error:

```
E/Login: com.google.android.gms.auth.GoogleAuthException: Unknown
```

However, when I use the following scope instead, `String scopes = "oauth2:profile email";`,

I successfully get 'a' token but it's not as long as I expected it to be and I'm afraid it might be wrong.

My questions are...

1) Why doesn't the `scopes = "audience:server:client_id:" + SERVER_CLIENT_ID;` used in the guide work?

2) Is the token I get from using `String scopes = "oauth2:profile email";` a safe one for verifying a user on a Backend?

The code is below.

```java
@Override
protected String doInBackground(Void... params) {
    String accountName = Plus.AccountApi.getAccountName(googleApiClient);
    Account account = new Account(accountName, GoogleAuthUtil.GOOGLE_ACCOUNT_TYPE);
    //String scopes = "oauth2:profile email";
    String scopes = "audience:server:client_id:" + Service.SERVER_CLIENT_ID; // Not the app's client ID.
    Log.d(TAG, "Account Name: " + accountName);
    Log.d(TAG, "Scopes: " + scopes);

    try {
        userIdToken = GoogleAuthUtil.getToken(getApplicationContext(), account, scopes);

        return userIdToken;
    } catch (IOException e) {
        Log.e(TAG, "IOError retrieving ID token.", e);
        return null;
    } catch (UserRecoverableAuthException e) {
        startActivityForResult(e.getIntent(), RC_SIGN_IN);
        return null;
    } catch (GoogleAuthException e) {
        Log.e(TAG, "GoogleAuthError retrieving ID token.", e);
        return null;
    }
}
```
SARose asked Oct 13 '15 03:10


1 Answer

When you set the scope to `oauth2:profile email` you are returned an access token, which is different from an ID token.

An access token can be used to access Google APIs; an ID token is a JWT that contains identity information about the user and is digitally signed by Google. The formats are different. If you try to authorize an access token using the sample code provided for ID tokens, you'll get an invalid error.

If you look at the documentation for `GoogleAuthUtil.getToken()` you'll see that `GoogleAuthException` is a fatal exception usually caused by a client error such as an invalid scope or invalid client: https://developers.google.com/android/reference/com/google/android/gms/auth/GoogleAuthUtil#getToken(android.content.Context, android.accounts.Account, java.lang.String, android.os.Bundle)

Make sure that you have set up both an App and a Web server OAuth2 ID in the Google Developer console, and that the package name in your manifest matches the package name you provide along with the SHA fingerprint when creating the App ID. Use the Web server ID as `SERVER_CLIENT_ID`.

I uploaded some sample code to Github. https://github.com/kmosdev/google-signin-backend-auth

I started with Google's sample sign-in app and modified it to add backend auth. Further details are in the Readme.

Another thing to check is that you have the correct permissions in your manifest file, but I believe you'd get a different error if this was wrong:

```xml
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.GET_ACCOUNTS" />
<uses-permission android:name="android.permission.USE_CREDENTIALS" />
```
kmosdev answered Oct 31 '22 07:10
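The answer above draws the line between an access token (an opaque string for calling Google APIs) and an ID token (a signed JWT whose `aud` must equal the backend's `SERVER_CLIENT_ID`). The following is an added example, written here to illustrate that point; it is not code from the question, the answer, or the linked GitHub sample. It shows the checks a backend performs before trusting an ID token, and why an access token fails those checks at the first step. One substitution is made so that it runs offline: the test tokens are signed with HMAC-SHA256 instead of Google's RS256, and the client IDs, key and claims are constructed placeholders. In production you would not hand-roll this; Google's `google-auth` library (`google.oauth2.id_token.verify_oauth2_token`) fetches Google's public keys and performs the signature, issuer and audience checks for you.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed placeholders. In a real deployment SERVER_CLIENT_ID is the
# web-application OAuth 2.0 client ID from the Google Developer Console, the
# same value the Android app puts after "audience:server:client_id:".
SERVER_CLIENT_ID = "000000000000-backend.apps.googleusercontent.com"
ANDROID_CLIENT_ID = "000000000000-android.apps.googleusercontent.com"
GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_test_id_token(claims: dict, key: bytes) -> str:
    """Build a test JWT signed with HS256. Stand-in for Google's RS256 signing
    (real ID tokens are verified against keys from Google's JWKS endpoint)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(claims).encode()))
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def verify_id_token(token: str, key: bytes, expected_aud: str,
                    now: Optional[int] = None) -> dict:
    """Return the claims only if the token is a valid ID token for this backend.
    Raises ValueError on any failure so callers never see unverified claims."""
    parts = token.split(".")
    if len(parts) != 3:
        # An access token such as "ya29...." is opaque, not header.payload.signature.
        raise ValueError("not a JWT: expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("malformed JWT segment") from exc
    # Pin the algorithm; the token's own header must not choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected_sig = hmac.new(key, (header_b64 + "." + payload_b64).encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, signature):
        raise ValueError("signature does not verify")
    # Claim checks: issued by Google, for *this* backend, unexpired, for a user.
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != expected_aud:
        raise ValueError("audience mismatch: token was not issued for this backend")
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired or missing exp")
    if not claims.get("sub"):
        raise ValueError("missing subject")
    return claims


def demo() -> dict:
    """Run the verifier over constructed good and bad tokens; return the outcomes."""
    key = b"constructed-test-key"
    now = 1_700_000_000
    good = {"iss": "https://accounts.google.com", "sub": "1122334455",
            "aud": SERVER_CLIENT_ID, "email": "user@example.com",
            "email_verified": True, "iat": now, "exp": now + 3600}
    cases = {
        "valid": make_test_id_token(good, key),
        # Token minted for the Android client ID instead of the backend's ID.
        "wrong_audience": make_test_id_token(dict(good, aud=ANDROID_CLIENT_ID), key),
        "expired": make_test_id_token(dict(good, exp=now - 1), key),
        "wrong_key": make_test_id_token(good, b"some-other-key"),
        "access_token": "ya29.constructed-opaque-access-token",
    }
    results = {}
    for name, tok in cases.items():
        try:
            results[name] = verify_id_token(tok, key, SERVER_CLIENT_ID, now=now)["sub"]
        except ValueError as exc:
            results[name] = "rejected: " + str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

Running the block prints one line per case: only the token whose `aud` is the backend's own client ID and whose signature, issuer and expiry check out yields a subject; the Android-audience token, the expired token, the token signed under another key, and the opaque access token are all rejected, each at the earliest check that fails.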