I have an Android client getting an authentication token from Google Play Services, by using GoogleAuthUtil.getToken(Context context, Account account, String scope).
This is then sent to a backend (Go) server, which checks that the token was signed by one of the Google signing certificates from https://www.googleapis.com/oauth2/v1/cert. To do this, it needs to look up the certificate assigned to the "kid" in the token header.
99% of the time, this works just fine, but I have regular situations where the "kid" given does not correspond to any published Google certificates, and so I can't auth the token.
Edit:
I've added extensive logging on the server to try and track this down, and there are some relationships worth noting:
- A kid is only used for a single user. I often see multiple requests over several days from the same user with a given invalid kid, but only ever from that user.
- A user with an invalid kid never uses a valid kid for any request, or any other kid for a request, even if they are days apart. Afaik Google cycles their certificates every 24 hours or so.
My current thoughts are that it's probably from users who have downloaded the APK from a site other than Google Play, but I have no way of verifying this right now.
Edit: There is an issue tracker for this, but it seems that it has been marked as a low priority. If anyone has this issue, please let it be known on the tracker. https://issuetracker.google.com/issues/37734997
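The server-side lookup the question describes, written out as an added example (not the asker's code and not the answer's): the kid is read from the JWT header, looked up in a cached certificate map, and a miss is retried once after a refresh so that a genuine key rotation is separated from a kid that Google never published. The Refresh fetcher, the ErrUnknownKid sentinel and the in-memory map are assumptions; in production Refresh would fetch and parse the Google cert endpoint JSON.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// ErrUnknownKid: the kid matched no certificate even after one refresh.
var ErrUnknownKid = errors.New("token kid matches no published Google certificate")
// KidFromJWT decodes only the JOSE header of a compact JWT; no signature check yet.
func KidFromJWT(token string) (string, error) {
	parts := strings.SplitN(token, ".", 2) // header is the first base64url segment
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if len(parts) != 2 || err != nil {
		return "", errors.New("token is not a JWT with a base64url header")
	}
	var hdr struct{ Kid string `json:"kid"` }
	if err := json.Unmarshal(raw, &hdr); err != nil || hdr.Kid == "" {
		return "", errors.New("JWT header has no usable kid")
	}
	return hdr.Kid, nil
}

// CertStore caches kid -> certificate. Refresh is the caller's fetcher (assumed;
// in production an HTTP GET of the Google cert endpoint, parsed into this map).
type CertStore struct {
	Certs   map[string]string
	Refresh func() (map[string]string, error)
}
// CertForToken: a cache miss triggers exactly one refresh (covers a key rotation
// after the cache was filled); a second miss is ErrUnknownKid, log it with the kid.
func (s *CertStore) CertForToken(token string) (string, error) {
	kid, err := KidFromJWT(token)
	if err != nil {
		return "", err
	}
	if c, ok := s.Certs[kid]; ok {
		return c, nil
	}
	fresh, err := s.Refresh()
	if err != nil { // keep the old cache rather than wiping it on a failed fetch
		return "", fmt.Errorf("refreshing certificates: %w", err)
	}
	s.Certs = fresh
	if c, ok := s.Certs[kid]; ok {
		return c, nil
	}
	return "", fmt.Errorf("%w: kid=%q", ErrUnknownKid, kid)
}
```

Logging the kid, the account and the installer package together on every ErrUnknownKid is what lets you correlate the "one kid per user, never a valid kid" pattern from the edit above.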
A bit late, but for anyone experiencing the same, I would suggest to check the Installer of your app.
Using PackageManager.getInstallerPackageName():
getInstallerPackageName (String packageName) Retrieve the package name of the application that installed a package. This identifies which market the package came from.
If the value is "com.android.vending" then the app was installed from the Play Store; otherwise handle the other vendors.