import com.google.android.gms.tasks.Task; ...

// Receive the nonce from the secure server.
String nonce = ...

// Create an instance of a manager.
IntegrityManager integrityManager =
    IntegrityManagerFactory.create(getApplicationContext());

// Request the integrity token by providing a nonce.
Task<IntegrityTokenResponse> integrityTokenResponse =
    integrityManager
        .requestIntegrityToken(
            IntegrityTokenRequest.builder().setNonce(nonce).build());

Decrypt and verify the integrity verdict

When you request an integrity verdict, the Play Integrity API provides a signed response token. The nonce that you include in your request becomes part of the response token.

Token format

The token is a nested JSON Web Token (JWT), that is, a JSON Web Encryption (JWE) of a JSON Web Signature (JWS). The JWE and JWS components are represented using compact serialization.

The encryption/signing algorithms are well supported across various JWT implementations:

JWE uses A256KW for alg and A256GCM for enc. JWS uses ES256.

The token I received is as follows:

Token: ARCnMGsV6sVWEb3urj95OtQ0Fqn37u5fTN-hqbLtRcRv8OhdMg9BkA9Ev7CWSHfCqNc8ToNkXEhOxWpm26_Oyk8MXwS5gtrLv1iiYqMfAdQTIfRq1VrGAwcGRVe5k5kJw7BJ26UOkLk8Gdjjv_BlGNM8y2p_r0mDsoKXqzSDHJzs2D3mX_mWB6e8zB_Sp6ACgF_2IoYyjkk4eMsunR78MaboeD7nkYvHmdBHB_GT77JaPzrsyi_QMTapFfAfD5gZrdNQkkppF6O_7xfH3qv88Wl3Z1feo-R78iLDyBOgRywIq45kl1QUBAtoUzNpltzwCYiejhaHEuLDLdqKuvjWWHWcnFq55YXrPsPK0DyqqYwE-wq-VxanBs6YXe_SU-xc3zsYXnTVo7SP3GdGF2X6I-j3U7d9MzGRyrUWuh1dzXKqQpNUM7rEPRhoyzez0jl7yyny4q9oEOD-RTPc0Igq2aBCf4_zJoXAPhLWgOpTEKLPLB8Qx4v1HqGdDMFF1kAc5fmuAZTOmqigod_IuE1z6LqBXttL-76hXiQkrh-W_tzb3a5vlByJO_1vx-TWT_SnnTevAGdAdRsaCK1w6d4EG7SxSIOR1UutU4fGR9zwZ4nOOq1qMZRpjG2o0CS6zRnnZQi3wX6h8Ocq7FAKhhM8HBdwOrH8UO_VOc6dKrMhZHPv5ZVXX9SzoUq3a0MOk3mk1FL3t2_e8xweL02OK12t_g_JclL1b0UCQF7S4BRtYhIMEZ8IXkkWQxbTsgdJrkRCU_IEP0F-CiNXwauXPC2rzEEbT4u5DuJfAG8qlTIYDQttqJSQm_LbkFM1ih8b-d1xWO4WJ4HYHmDpkY8ZTg
axita.savani
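The server-side "decrypt and verify" step the question quotes, as an added example that is not code from the question, from the answers or from Google's documentation. It assumes the Nimbus JOSE+JWT library (com.nimbusds.jose, 9.x), that the AES decryption key and EC verification key are the base64 strings shown in Play Console for the app (a path that, as the answers note, only works when no Cloud Project number was set in the request), and placeholder values for the package name and the maximum token age.

```java
import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWEObject;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.crypto.AESDecrypter;
import com.nimbusds.jose.crypto.ECDSAVerifier;
import java.security.KeyFactory;
import java.security.interfaces.ECPublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import java.util.Map;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

public class IntegrityVerdictVerifier {
    static final String DECRYPTION_KEY_B64 = "<decryption key from Play Console>";   // placeholder
    static final String VERIFICATION_KEY_B64 = "<verification key from Play Console>"; // placeholder
    static final String EXPECTED_PACKAGE = "com.example.app"; // assumed package name
    static final long MAX_TOKEN_AGE_MS = 5 * 60 * 1000L;     // assumed freshness policy

    // Decrypts the outer JWE, verifies the inner JWS, then binds the verdict to our request.
    static Map<String, Object> decryptAndVerify(String token, String expectedNonce) throws Exception {
        byte[] kek = Base64.getDecoder().decode(DECRYPTION_KEY_B64);
        SecretKey decryptionKey = new SecretKeySpec(kek, "AES");
        ECPublicKey verificationKey = (ECPublicKey) KeyFactory.getInstance("EC")
            .generatePublic(new X509EncodedKeySpec(Base64.getDecoder().decode(VERIFICATION_KEY_B64)));
        // Outer layer: JWE compact serialization; pin the algorithms the docs specify.
        JWEObject jwe = JWEObject.parse(token);
        if (!JWEAlgorithm.A256KW.equals(jwe.getHeader().getAlgorithm())
                || !EncryptionMethod.A256GCM.equals(jwe.getHeader().getEncryptionMethod()))
            throw new SecurityException("unexpected JWE algorithm");
        jwe.decrypt(new AESDecrypter(decryptionKey));
        // Inner layer: JWS compact serialization; must be ES256 and verify under the Play key.
        JWSObject jws = JWSObject.parse(jwe.getPayload().toString());
        if (!JWSAlgorithm.ES256.equals(jws.getHeader().getAlgorithm())
                || !jws.verify(new ECDSAVerifier(verificationKey)))
            throw new SecurityException("JWS signature verification failed");
        Map<String, Object> verdict = jws.getPayload().toJSONObject();
        Map<String, Object> req = (Map<String, Object>) verdict.get("requestDetails");
        // A valid signature is not enough: the verdict must be for our nonce, our package, and be fresh.
        long issuedAt = Long.parseLong(String.valueOf(req.get("timestampMillis")));
        if (!expectedNonce.equals(req.get("nonce"))
                || !EXPECTED_PACKAGE.equals(req.get("requestPackageName"))
                || System.currentTimeMillis() - issuedAt > MAX_TOKEN_AGE_MS)
            throw new SecurityException("verdict does not match this request");
        return verdict;
    }
}
```

The returned map still has to be read for appIntegrity and deviceIntegrity verdicts before the server trusts the client; the nonce must be the one the server generated for this specific request so a verdict cannot be replayed.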

3 Answers


That response cannot be decoded locally; you have to call the Google API to do it. If you want to decode the token yourself, do not include a Google Cloud Project number when you build the request token.

  • Hi @James Fairweather, if I'm not adding the "Google Cloud Project number" then I am getting Error -12, that is, Google_Server_Unavailable. – axita.savani Apr 21 '22 at 12:06
  • @axita.savani I haven't seen that error, whether I included the Cloud Project Number or not. I wonder if it works in my case because the project I'm working on *is* available in the Play Store, although of course the version I'm using isn't the retail one. Is that the case with your project, or is it not yet published? – James Fairweather Apr 22 '22 at 17:14
  • Yes! My project is not published, but it is in draft. But after publishing it also didn't work. Is there any setting on Google Console? – axita.savani Apr 25 '22 at 11:11

As https://issuetracker.google.com/issues/229508066 says:

You are probably setting the setCloudProjectNumber() when making a request to the Integrity API. setCloudProjectNumber() is meant to be used for apps distributed outside of Play (https://developer.android.com/google/play/integrity/setup#apps-exclusively-distributed-outside-google-play) or SDKs (https://developer.android.com/google/play/integrity/setup#sdks). In this case the response cannot be decrypted locally but instead you can only call Google Server to decrypt the token (https://developer.android.com/google/play/integrity/verdict#decrypt-verify-google-servers).

If your app is on Play, consider enabling Integrity API via Play Console (https://developer.android.com/google/play/integrity/setup#apps-on-google-play) and call the API without setting setCloudProjectNumber().

Will Luo

You can decode the response using any hosted service, such as a Java API service. The integrity token can then be sent to the Google server from the hosted service, and you can verify the response received from Google. Enable the Play Integrity API in Google Cloud Platform for the app, download the JSON file and configure the code. Similarly, you should enable Play Integrity in the Google Play Console.

Please check this snippet.

John_S