Android: Balancing market presence, API function availability, and approach to client/server authentication

Submitted by 可紊 on 2019-12-12 03:41:56

Question


I want to use Google Play Services so that I can access Google Saved Games API which allows me to seamlessly obtain authorisation tokens using Games.getGamesServerAuthCode(...) for secure server authentication on my server back end. However this function is only available through Google Play Services r29 which requires at least Android 6.0. On the other hand my actual game only requires at least Android 2.3.1.

I'm a little concerned that according to this website Android 6.0 is only available on around 7.5% of Android devices, which kind of reduces my impact as of right now in the market.

My question is - what are the alternative approaches (APIs) to server authentication, especially given that Android recommends using Games.getGamesServerAuthCode(...) for security reasons?


What I've found so far

This website gives a more encouraging estimate. I suppose as time goes on the earlier Android versions will diminish and 6.0 will become more popular...

Adding more to the confusion, I just found out that the Games.getGamesServerAuthCode(...) approach is now deprecated, even though it was relatively recently recommended as best practice by Google.

Maybe Google Sign-In for Android could be of help. There's also this Google page on the Google Identity Platform, which states:

Software can obtain OAuth 2.0 Access tokens in a variety of ways, depending on the platform where the code is running. For details, see Using OAuth 2.0 to Access Google APIs and Google Play Services Authorization.

This could possibly solve the deprecation problem, but still requires Android 6.0+...


Tentative solution

Following the advice in noogui's answer below, I currently seem to be making progress. Using google-play-services_lib (r28) allows me to use Android 2.3.1. This approach also seems to solve the deprecation warnings.

Ok, noogui's answer above put me in the right direction. However, this made me think I had to sign in twice - once for Google Play Saved Games - and once again for GoogleSignInApi's due to the following:

Auth.GoogleSignInApi.getSignInResultFromIntent(...);

A bit more digging led me to maclir's self-answered question in this post, from which I could clearly see how to obtain an authentication token using GoogleAuthUtil.getToken(...) by only logging into Google Play Services, without having to invoke a second login via Auth.GoogleSignInApi.getSignInResultFromIntent(...). This way seems to work fine...

... But this official Android blog post declares that method to be deprecated due to security issues, but does offer a solution using GoogleSignInOptions.Builder.requestIdToken(...), which will presumably not require me to use Auth.GoogleSignInApi.getSignInResultFromIntent(...), as was believed by me from noogui's answer.

I am going to test this next. Hopefully I will be able to get the token from GoogleSignInOptions.Builder.requestIdToken(...) by just signing into the Google Saved Games API, and not have to log in to GoogleSignInAPI via Auth.GoogleSignInApi.getSignInResultFromIntent(...) as well...


Answer 1:


If you use Google Sign-In with an app or site that communicates with a backend server, you might need to identify the currently signed-in user on the server. To do so securely, after a user successfully signs in, send the user's ID token to your server using HTTPS. Then, on the server, verify the integrity of the ID token and retrieve the user's ID from the sub claim of the ID token. You can use user IDs transmitted in this way to safely identify the currently signed-in user on the backend.

Send the ID token to your server

After a user successfully signs in, get the user's ID token:

GoogleSignInResult result = Auth.GoogleSignInApi.getSignInResultFromIntent(data);
if (result.isSuccess()) {
    GoogleSignInAccount acct = result.getSignInAccount();
    String idToken = acct.getIdToken();
    mIdTokenTextView.setText("ID Token: " + idToken);
    // TODO(user): send token to server and validate server-side
} else {
    mIdTokenTextView.setText("ID Token: null");
}

Full code implementation is found in the Authenticate with a Backend Server guide.
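The answer stops at the client: it obtains the ID token and leaves "validate server-side" as a TODO. The following is an added example, not code from the answer, from Google, or from the Google Sign-In libraries, showing what the backend half of that sentence has to do before trusting the sub claim: check that the token's signature verifies against a key the server already trusts, then check iss, aud (your own client ID) and exp. It is pure Python so it runs offline; the issuer key pair, the key id "constructed-kid", the client ID, the sub value and the fixed clock NOW are all constructed for the demo. A real backend would take the public keys from Google's published certificate endpoint and normally use a maintained library (such as google-auth) rather than hand-rolled RSA, but the checks it performs are the ones below.

```python
import base64, hashlib, hmac, json, math, secrets

# Constructed values for the demo (not Google's): a fake OAuth client ID and a fixed clock.
CLIENT_ID = "123456789-constructed.apps.googleusercontent.com"
NOW = 1_700_000_000
GOOGLE_ISSUERS = ("accounts.google.com", "https://accounts.google.com")
# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin; only used to build the constructed issuer key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_rsa_key(bits=1024):
    """Constructed issuer key pair standing in for Google's signing key: dict(n, e, d)."""
    while True:
        p = q = 0
        while not _is_probable_prime(p):
            p = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        while q == p or not _is_probable_prime(q):
            q = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        phi, e = (p - 1) * (q - 1), 65537
        if math.gcd(e, phi) == 1:
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}


def _emsa_pkcs1_v15(message, k):
    """EMSA-PKCS1-v1_5 encoding: 00 01 FF..FF 00 DigestInfo(SHA-256(message)), k bytes long."""
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rs256_sign(message, key):
    k = (key["n"].bit_length() + 7) // 8
    m = int.from_bytes(_emsa_pkcs1_v15(message, k), "big")
    return pow(m, key["d"], key["n"]).to_bytes(k, "big")


def rs256_verify(message, signature, n, e):
    """s^e mod n must equal the padded digest byte for byte (constant-time compare)."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    return hmac.compare_digest(pow(s, e, n).to_bytes(k, "big"), _emsa_pkcs1_v15(message, k))


def mint_id_token(claims, key, kid):
    """Toy issuer: produces the RS256 JWT the Android client would hand to the backend."""
    header = {"alg": "RS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(_b64url_encode(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims))
    return signing_input + "." + _b64url_encode(rs256_sign(signing_input.encode(), key))


def verify_id_token(token, jwks, audience, now):
    """Backend check: signature against a trusted key, then iss/aud/exp. Returns the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg")  # the token never gets to choose a weaker algorithm
    if header.get("kid") not in jwks:
        raise ValueError("unknown key id")
    n, e = jwks[header["kid"]]
    if not rs256_verify((parts[0] + "." + parts[1]).encode(), _b64url_decode(parts[2]), n, e):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("token minted for another client")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("expired")
    return claims


def demo():
    """Accept one good token; reject a tampered payload, another client's token, alg=none and expiry."""
    key = make_rsa_key()
    jwks = {"constructed-kid": (key["n"], key["e"])}  # stands in for Google's published certs
    claims = {"iss": "https://accounts.google.com", "sub": "constructed-sub-1234567890",
              "aud": CLIENT_ID, "iat": NOW - 60, "exp": NOW + 3540}
    good = mint_id_token(claims, key, "constructed-kid")
    results = {"sub": verify_id_token(good, jwks, CLIENT_ID, NOW)["sub"]}
    h, p, s = good.split(".")
    bad_tokens = {
        "tampered": ".".join((h, ("A" if p[0] != "A" else "B") + p[1:], s)),
        "other_client": mint_id_token({**claims, "aud": "someone-else.apps.googleusercontent.com"}, key, "constructed-kid"),
        "alg_none": _b64url_encode(b'{"alg":"none","kid":"constructed-kid"}') + "." + p + ".",
        "expired": good,
    }
    for name, token in bad_tokens.items():
        try:
            verify_id_token(token, jwks, CLIENT_ID, NOW + 7200 if name == "expired" else NOW)
            results[name] = None
        except ValueError as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: the signature is verified before any claim is read, so nothing in an unsigned or forged payload influences the decision, and the algorithm is fixed by the server rather than taken from the token header. Only after all checks pass does the backend read sub and treat it as the user's identity; the e-mail or name claims are never used as the key for a user record.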



Source: https://stackoverflow.com/questions/39993528/android-balancing-market-presence-api-function-availability-and-approach-to-c
