Google Identity Signin API always returns NULL with Server Client ID

Question

[Addition]

Based on my observations since having this issue: I feel like the issue is either dealing with...

• A bad Server Client ID
• Additional programming needed that is not provided out-of-the-box (i.e. an app engine module or server)

---

[Original]

I have successfully ran the sample at Google Sign-In Android Sample App. My issue deals with the 2 Activities...ServerAuthCodeActivity and IdTokenActivity.

I went through the process of creating the google-services.json file and placed it in the correct spot. When I ran the app, I was able to successfully use 2 of the 4 provided Activities...

• Sign-in Activity: Basic Signing in
• Sign-in with Drive Activity: Basic Signing in plus Drive Authentication
• ID Token Activity: Retrieves the ID Token form the logged in user
• Server Authentication Code Activity: Retrieve an Authentication code from an authenticated server.

The first 2 examples work very well; however, the last 2 activities just give me a null result.

Before I could run the app, I noticed I needed to provide a server_client_id in strings.xml. I seen that the google-services.json had an OAuth client id that matched the requirements (ending in apps.googleusercontent.com), and placed that client id in the strings.xml file. Note: I tried to create an Android OAuth Client ID in the Google Developer Console, but it stated that I already had an OAuth Client ID for that project / package. So I figured the google-services.json file's client id was correct.

So, is that the correct Server Client ID? Or am I suppose to get that ID from somewhere else?

Edit

Here is my google-services.json file (condensed)

{

 "project_info": {
  ...
 },
 "client": [
   {
     "client_info": {
       ...
     },
     "oauth_client": [
       {
         "client_id": "*****.apps.googleusercontent.com", // HERE
         ...
       }
     ],
     ...
   }
 ],
 ...
}

Here is the result of the Authentication code after signing in

Answer 1

package name + signing cert SHA1 uniquely identifies an Android client. While package name is fixed in Google's sample, you will have to register it together with the signing cert you use (which can either come from your debug key store or a dedicated cert for testing)

Also, the web server needs to be registered in the same dev console project with a "Web" typed OAuth client and you have to paste the client id for that oAuth client into the sample code. - in this sense, you are right, Google in this case cannot provide a sample with zero additional code.

For others using the sample, you will have to change strings.xml to put your client id for your "Web" typed OAuth client below:

<string name="server_client_id">YOUR_SERVER_CLIENT_ID</string>

Just as a side note, the specified server_client_id will be the target audience in the id token or server auth code which you can pass to your server. Your server can then trust the token / code after appropriate validations. This is more secure than a bearer token. You can also take a look at this blogpost: http://android-developers.blogspot.com/2016/01/using-google-sign-in-with-your-server.html

Answer 2

To get the server auth code, you need to request "offline access". Add requestServerAuthCode(), which seems to require your server's client_id (as opposed to any client_id valid for your project):

String serverClientId = getString(R.string.server_client_id);
GoogleSignInOptions gso = new GoogleSignInOptions.Builder(GoogleSignInOptions.DEFAULT_SIGN_IN)
    .requestScopes(new Scope(/* whatever scope you're needing */))
    .requestServerAuthCode(serverClientId, false)
    .build();

See Google Sign-in for Android: Enabling server-Side access