23 gennaio 2016
Posted by Wolff Dobson, Developer Advocate
We’re taking steps to reduce sign-in friction and unnecessary permission requests for players by moving the Games APIs to a new model. The new interaction is:
In order to respect user’s privacy and avoid revealing their real name, we also have to change the way player IDs work.
Most games should see no interruption or change in service. There are a handful of cases, however, where some change is required.
Below are some issues, along with potential solutions.
These are:
Let’s cover each of these issues in detail.
Early versions of our samples and documentation created a GoogleApiClient as follows:
// Don’t do it this way!
GoogleApiClient gac = new GoogleApiClient.Builder(this, this, this)
.addApi(Games.API)
.addScope(Plus.SCOPE_PLUS_LOGIN) // The bad part
.build();
// Don’t do it this way!
In this case, the developer is specifically requesting the plus.login scope. If you ask for plus.login, your users will get a consent dialog.
Remove any unneeded scopes from your GoogleApiClient construction along with any APIs you no longer use.
// This way you won’t get a consent screen
GoogleApiClient gac = new GoogleApiClient.Builder(this, this, this)
.addApi(Games.API)
.build();
// This way you won’t get a consent screen
If your app uses specific Google+ features, such as requiring access to the player’s real-world Google+ social graph, be aware that new users will still be required to have a G+ profile to use your game. (Existing users who have already signed in won’t be asked to re-consent).
To require Google+ accounts to use your game, change your Games.API declaration to the following:
.addApi(Games.API, new GamesOptions.Builder()
.setRequireGooglePlus(true).build())
This will ensure that your game continues to ask for the necessary permissions/scopes to continue using the player’s real-world social graph and real name profile.
If you call the Games.getCurrentPlayerId() API, the value returned here is the identifier that Games uses for this player.
Traditionally, this value could be passed into other APIs such as Plus.PeopleApi.load. In the new model, this is no longer the case. Player IDs are ONLY valid for use with Games APIs.
The Games APIs (those accessed from com.google.android.gms.games) all use the Player ID, and as long as you use only those, they are guaranteed to work with the new IDs.
A common pattern we’ve seen is:
This is not recommended in the first place, and is even more not-recommended after the shift in scopes.
Reasons not to do this:
Fortunately, the solution is known, and is basically the same as our server-side auth recommendations for web.
Upgrade to the latest version of Google Play Services SDK - at least 8.4.87.
Create a server client ID if you don’t already have one
Go to the Google Developer Console, and select your project
From the left nav, select API Manager, then select Credentials
Select “New Credentials” and choose “OAuth Client ID”
Select “Web Application” and name it something useful for your application
The client id for this web application is now your server client id.
In your game, connect your GoogleApiClient as normal.
Once connected, call the following API:
Games.getGamesServerAuthCode(googleApiClient, “your_server_client_id”)
If you were using GoogleAuthUtil before, you were probably calling this on a background thread - in which case the code looks like this:
// Good way
{
GetServerAuthCodeResult result =
Games.getGamesServerAuthCode(gac, clientId).await();
if (result.isSuccess()) {
String authCode = result.getCode();
// Send code to server.
}
}
// Good way
Send the auth code to your server, exactly the same as before.
On your server, make an RPC to https://www.googleapis.com/oauth2/v4/token to exchange the auth code for an access token, probably using a Google Apis Client Library.
You’ll have to provide the server client ID, server client secret (listed in the Developer Console when you created the server client ID), and the auth code.
See more details here: https://developers.google.com/identity/protocols/OAuth2WebServer?utm_campaign=play games_discussion_permissions_012316&utm_source=anddev&utm_medium=blog#handlingresponse
No, really: You should use a Google Apis Client Library to make this process easier.
Once you have the access token, you can now call www.googleapis.com/games/v1/applications/<app_id>/verify/ using that access token.
Pass the auth token in a header as follows:
“Authorization: OAuth <access_token>”
The response value will contain the player ID for the user. This is the correct player ID to use for this user.
This access token can be used to make additional server-to-server calls as needed.
Let’s be very clear: If you do nothing, unless you are depending explicitly on Google+ features, you will see no change in functionality, and a smoother sign-in experience.
If you are:
Thanks, and keep making awesome games!