How to validate an auth token in my custom backend? #3307

Open
KingZee opened this issue Jul 13, 2024 · 6 comments


KingZee commented Jul 13, 2024

I want to benefit from the classic Google Play auth experience, but I want to use my own backend once the user is logged in.
I don't want to go through the entire process in Android, and then start using my backend to do CRUD, because it is very insecure.
Ultimately, I would like to either:

    PlayGamesPlatform.Instance.RequestServerSideAccess(true, async (code) =>
    {
        // Send code, which is the initial auth code, to my backend and then continue the auth on my own server
        await AuthenticationService.Instance.SignInWithGooglePlayGamesAsync(code);
        Debug.Log("Access token: " + AuthenticationService.Instance.AccessToken);
        // Send the access token to my backend, which I can then verify the authenticity of, and then continue on my own server
        Token = AuthenticationService.Instance.AccessToken;
    });

I have failed to implement both these things, and I am not sure how to work around them. I don't understand if I should be using the Android client_id (there is no secret?), or a web client_id and secret_id, or should I just use neither. I am completely lost on how to go forward here.

Here are snippets from my backend for more context:

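    // Attempt 1: verify the token as an ID token (google-auth-library)
    const { OAuth2Client } = require("google-auth-library");
    let oauth2Client = new OAuth2Client();

    oauth2Client
      .verifyIdToken({
        idToken: token,
        audience: CLIENT_ID, // Specify the CLIENT_ID of the app that accesses the backend
        // Or, if multiple clients access the backend:
        //[CLIENT_ID_1, CLIENT_ID_2, CLIENT_ID_3]
      })
      .then((data) => data.getPayload())
      .then((data) => {
        console.log(data);
        return res.status(200).json(data);
      })
      .catch(next); // pass verification failures to the Express error handler

    // Attempt 2 (separate snippet): exchange the authorization code for tokens (googleapis)
    const { google } = require("googleapis");
    let oauth2Client = new google.auth.OAuth2({
      clientId: CLIENT_ID,
      clientSecret: CLIENT_SECRET,
    });

    try {
      const { tokens } = await oauth2Client.getToken(token);
      oauth2Client.setCredentials(tokens);
      console.log(tokens);
    } catch (err) {
      return next(err);
    }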

None of these methods work, among other things I've tried, with both the auth token and the access token.


KingZee commented Jul 31, 2024

After a bit of searching and exploring, here is how I solved my issue:

When trying to reuse the authorization code generated from the first login response, I needed a redirect_uri in my backend, so you're forced to add it inside the Google Play console: add http://localhost:port/xx as your redirect URI in the console, then add it in the OAuth configuration builder in Node.js.
(I also noted that when using the Android emulator, if your callback URL is localhost/auth, in order to fetch that from the emulator you'd need to query http://10.0.2.2:port/auth.)

After doing this, I realized I needed more scopes, and that my backend would fail because Unity does not request enough scopes, even though they are enabled in my Google Cloud console. The only solution to this is downgrading the unitypackage version to 0.10.14 and using PlayGamesClientConfiguration.RequestScopes();

I hope this helps someone who runs into this in the future, and I hope the ability to request new scopes is added. Every other SDK (Facebook, Apple Sign in, ...) allows me to at least get the user's email. It makes no sense for the most basic scope to request on the Google console to be removed.
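The backend side of the flow described in the comment above, as an added example that is not part of the original thread or of the plugin's code: the server auth code from `RequestServerSideAccess` is an OAuth authorization code, so the backend exchanges it at Google's token endpoint (keeping the client secret server-side) and then asks the Games API who the player is instead of trusting an ID sent by the client. The function names, the `cfg` fields and the use of the Games API `players/me` endpoint are assumptions of this example; `fetchImpl` is injectable so the flow can be exercised offline.

```javascript
// Added example (not from the issue): exchange a Play Games server auth code
// on the backend and derive the player ID from Google's response.
const TOKEN_URL = "https://oauth2.googleapis.com/token";
const PLAYER_URL = "https://games.googleapis.com/games/v1/players/me";

// Build the token-exchange request. cfg is a hypothetical config object:
// { clientId, clientSecret, redirectUri } for the web OAuth client.
function buildTokenRequest(code, cfg) {
  if (typeof code !== "string" || code.length === 0) {
    throw new TypeError("missing server auth code");
  }
  const body = new URLSearchParams({
    grant_type: "authorization_code",
    code,
    client_id: cfg.clientId,
    client_secret: cfg.clientSecret, // never shipped in the game client
    redirect_uri: cfg.redirectUri,   // must match the URI registered in the console
  });
  return {
    url: TOKEN_URL,
    init: {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: body.toString(),
    },
  };
}

// Exchange the code, then look up the player with the resulting access token.
// The returned playerId comes from Google, not from anything the client claims.
async function playerIdFromAuthCode(code, cfg, fetchImpl = fetch) {
  const { url, init } = buildTokenRequest(code, cfg);
  const tokenRes = await fetchImpl(url, init);
  if (!tokenRes.ok) throw new Error(`token exchange failed: ${tokenRes.status}`);
  const { access_token: accessToken } = await tokenRes.json();
  if (!accessToken) throw new Error("token response had no access_token");

  const playerRes = await fetchImpl(PLAYER_URL, {
    headers: { Authorization: `Bearer ${accessToken}` },
  });
  if (!playerRes.ok) throw new Error(`player lookup failed: ${playerRes.status}`);
  const { playerId } = await playerRes.json();
  if (!playerId) throw new Error("player response had no playerId");
  return playerId; // key your own session or user record on this value
}
```

An authorization code is single-use, so the backend should issue its own session after a successful exchange rather than asking the client to resend the code.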

@hippogamesunity

Unfortunately, scopes are removed in Play Games Services v2 SDK (for security reasons probably). So GPGS devs can't do anything with this.

0.10.14 is a bad option as it will be impossible to build with it soon (due to new Google requirements).

@Vladimir7i

Can someone give an example of how to get the PlayerID (cross-game on your account)
by calling a GET request for "https://games.googleapis.com/games/v1/players/me/scopedIds"?

It returns an error all the time: Error: HTTP/1.1 401 Unauthorized
How to get it? Why is the documentation empty about that? =( Why did they ruin the cross-gaming ID? =( If some developers want to use a cross-game FriendList system, they can't. =(

@hippogamesunity

Hi, the latest asset version uses V2 and does not support scopes.

@Vladimir7i

Are Next Generation Player IDs now different for each game? The documentation mentions using the "developer player key" for cross-game player IDs, but there are no examples of how to obtain it. Also, what if I need a cross-game and cross-developer unique player ID for a Friend List system (where friends from other games appear in the roster, and you can invite/join them with the same player ID across games)?


hippogamesunity commented Oct 11, 2024

Implement your own auth system on your backend where a unique ID is your player profile's ID. You can also try Simple Sign In with Google or Play ID; they are based on web OAuth and support scopes. It will also give you a Google account ID that is cross-platform (rather than a Play Games ID).
