18

Following this post: http://android-developers.blogspot.com/2016/01/play-games-permissions-are-changing-in.html I have obtained a single use authorization code for use on my backend server as follows: 

import com.google.android.gms.games.Games;    
//later
Games.GetServerAuthCodeResult result = Games.getGamesServerAuthCode(gameHelper.getApiClient(), server_client_id).await(); 
if (result.getStatus().isSuccess()) {
    String authCode = result.getCode();
    // Send code to server...

This seems to works fine, but it presents a question:

1) getGamesServerAuthCode and GetServerAuthCodeResult are marked as deprecated. Why? Should I be using something else instead?

2) How would I do something equivalent in an non-Android installed Java application? I am able to obtain a token on the client application, but I also need to obtain a single use code to pass to my backend server like above. I can't find an equivalent function to get a Server Auth Code. (using com.google.api.client.extensions.java6.auth.oauth2)

I am basically trying to follow this flow: https://developers.google.com/games/services/web/serverlogin but in Java, NOT Javascript. I am attempting to do this in an Android app and a desktop Java app.

M1LKYW4Y
  • 598
  • 1
  • 4
  • 19
  • 1
    A program element annotated @Deprecated is one that programmers are discouraged from using, typically because it is dangerous, or because a better alternative exists. Compilers warn when a deprecated program element is used or overridden in non-deprecated code. It does not mean it will go away, be deleted or in anyway removed, it means there is a BETTER way of doing it. Don't panic, keep calm and carry on ;O) – Jon Goodwin Sep 12 '16 at 22:28
  • I understand that. I am looking for the "right" way to do things in Android, since fairly recently (January) google was suggesting using this function. I have the additional problem of a comparable function not existing in the non-Android version of the Java api. – M1LKYW4Y Sep 13 '16 at 09:39
  • 1
    @M1LKYW4Y Did you find the "right" way to do what you wanted in (1) ? I am at exactly the same point in my development. Google seemed to recommend this approach relatively recently, yet the approach seems deprecated already ! –  Oct 12 '16 at 13:04
  • No. I am still using the deprecated method in Android to generate a single use code for the server. The desktop version is worse yet, I have to send the token itself to my server. – M1LKYW4Y Oct 12 '16 at 17:49
  • @M1LKYW4Y I have not been able to get this to work, result.getStatus().isSuccess() is always false, any suggestions or tips, does this still work for you? – mhilmi Dec 06 '16 at 21:47
  • The deprecated code still works, here's a code snippet on the Android side of things. http://pastebin.com/7ztaHFgJ Note that server_client_id is the server application's client id, and to have this work properly the server must be registered in Google Play Games linked applications of type web application (I am fairly certain other types will not work). – M1LKYW4Y Dec 06 '16 at 22:18

2 Answers2

0

There is finally a proper answer to part 1) of this question! In the release notes of gms 10.2.0 https://developers.google.com/android/guides/releases#february_2017_-_v102 the new method of obtaining a server code is described. A good example of how to do this is provided here: https://github.com/playgameservices/clientserverskeleton
I ended up updating Google's baseGameUtils to follow the example above.

Still not sure the proper way to do this for part 2) of the question, at the moment I am sending the token to the server which works but is probably unsafe.

M1LKYW4Y
  • 598
  • 1
  • 4
  • 19
0

1) Yes, in Android use GetServerAuthCodeResult although it is still marked as deprecated. It is the recommended way from Google and it seems they have only forgot to remove the deprecation annotation when releasing to general public.

2) For desktop applications you can follow the instructions here: https://developers.google.com/identity/protocols/OAuth2InstalledApp

Basically from your app you open the system browser (embedded webviews are discouraged) and make a https request to the https://accounts.google.com/o/oauth2/v2/auth endpoint. In the request you supply a local redirect URI parameter i.e. http://127.0.0.1:9004 (you should query your platform for the relevant loopback IP, and start a HTTP listener on a random available port). The authorization code will be sent to your local HTTP listener when the user has given consent or an error such as error=access_denied if the user declined the request. Your application must be listening on this local web server to retrieve the response with the authcode. You also have the option to redirect to a server URI directly claimed by your app, see docs on link above. When your app receives the authorization response, for best usability, it should respond with an HTML page, instructing the user to close the browser tab and return to your app. Also, if you want the Games-scope make sure you are using the https://www.googleapis.com/auth/games as scope in the request, example below, with line breaks and spaces for readability.

https://accounts.google.com/o/oauth2/v2/auth?
  scope=https://www.googleapis.com/auth/games&
  redirect_uri=http://127.0.0.1:9004&
  response_type=code&
  client_id=812741506391-h38jh0j4fv0ce1krdkiq0hfvt6n5amrf.apps.googleusercontent.com

Please note that I think you'll have to create and link an app of type other, in the Google Play Developer Console linked-app, for the localhost redirection to work. Use type Web if you plan to redirect to server URI directly, add your server URI to Authorized redirect URIs in the API Manager under section Credentials.

Browser screenshot:

consent picture

Dan Lowe
  • 51,713
  • 20
  • 123
  • 112
jbilander
  • 611
  • 4
  • 15
  • Pardon my cautiousness, but how do you know the code in 1) is in fact recommended by google and the deprecation is incorrect? Is your source the same article I linked at the top? – M1LKYW4Y Dec 19 '16 at 04:24
  • 1
    Well, I'm not certain, hence the use of "it seems", but it is what Clayton Wilkinson (developer program engineer) at Google says: "The best way to handle this is to..." and "it will be a normal API". And there hasn't been anything else announced from google regarding this issue after that. Also, this is currently the only way to fetch the authcode on Android, I doubt they will remove it anytime soon. That would break a lot of games out there depending on this sign-in feature running their own server backend. – jbilander Dec 19 '16 at 10:13