Validating/Authenticating a Google Play Games Services ID?

Question

I'm currently working with a backend service, which is allowing users to log in using the Google Games library on a client application.

The user can send us through their gplay id in order to log in, or restore an old account. Including their gplay id, the user is sending us the following;

GPlay ID: gxxxxxxxxx
GPGS client id: xxx-xxxxx.apps.googleusercontent.com
GPGS auth code: 4/xxxxxxxx
message_salt: <ByteString@xxxxxx>

Is there any way to use the above data on the server, and verify that the user owns the GPlay ID that they are sending us?

Currently, I'm not seeing any way to authenticate the user's ownership of their GPlay ID - nor am I seeing any obvious way that it can be compared against their client id or auth code to ensure that the user's request to log in/restore an account using their GPlay ID is legitimate.

Does anyone know of any way that you can verify a user with the above data?

Answer 1

The server auth code is the only piece of information you need to send from the client to your backend server. To use the server auth code:

1. Associate your client app and your backend server app to the same game definition on the Play console.

2. When building the Google Sign-In configuration, add the requestServerAuthCode() option, passing in the client id of your backend application.

3. Once the user authenticates, get the serverAuthCode from the GoogleAccount object.

4. Pass the authCode to your backend server.

5. On the server, exchange the auth code for an access token. This token is specific to your application and the user. Save the refresh token on the server in case you need to refresh the access token.

6. Once you have the access token, verify the token by sending a GET request to www.googleapis.com/games/v1/applications/<app_id>/verify/ . This returns the information about the authenticated player.

There is a sample of both the client and server side code at https://github.com/playgameservices/clientserverskeleton