Unintended behavior
Description
I am implementing Google Sign In in Android. I only need to get the idToken of the Google account.
For implementation, I used GoogleSignInClient from com.google.android.gms:play-services-auth. I created an Android OAuth 2.0 Client in Google Cloud -> APIs & Services for debug and release certificates, added the same SHA-1 certificates to Firebase, created an OAuth Consent screen (I use only non-sensitive scopes: openid, userinfo.profile, user.info.email). When I create a GoogleSignInOptions object, I pass the web oauth client id created by the backend developer to requestIdToken(). I check that everything works, the window with the account selection appears, and the token is received.
I decided to upload the new version to the beta. Since App Signing is enabled in the Google Play Console, I created an OAuth client for it and added its SHA-1 to Firebase, but after downloading the version from Google Play, when I try to get the idToken of the Google account, I get DEVELOPER_ERROR error code 10. The Internet says that the cause of the error is an incorrect SHA-1 or web-client-id, but I've checked it a bunch of times: the SHA-1 is definitely correct because I copied it from Google Play Console, and the web-client-id also seems to be correct because I copied it from Google Cloud.
I also tried another oauth-web-client-id (auto-generated by Google services) in requestIdToken(). The situation is the same: it works on the debug/release build, but the version from Google Play gives ‘DEVELOPER_ERROR’.
Since only non-sensitive scopes are used, OAuth consent screen verification is optional, but I decided to go through it just in case. I set Publishing status -> In production, User type -> External, successfully passed the verification, but it did not solve the error.
Since Google recommends switching to androidx.credentials.CredentialManager, I rewrote the functionality using it. The situation is the same: the debug/release build works and the version from Google Play gives an error, but now a different one: "GetCredentialCancellationException: activity is cancelled by the user" on Android 11 Poco X3 and "androidx.credentials.exceptions.GetCredentialCustomException:[28444] Developer console is not set up correctly" on Android 15 Google Pixel 8 Pro. The internet again says the error is in the wrong oauth-client-id, but as I mentioned above I've checked a lot of times: the SHA-1 is definitely correct because I copied it from Google Play, and the web-client-id also seems to be correct because I copied it from Google Cloud.
Also, I tried to verify app ownership in OAuth client in Google Cloud Console -> APIs & Services -> Credentials -> OAuth 2.0 Client IDs. But I get the error "This client is not applicable to verify ownership because it's not a Google Play Store app", regardless of which Android OAuth client I'm using with the SHA-1 of google play app signing key or release key. What could be causing this? Maybe the issues are connected?
I also tried to get the SHA-1 of the Google Play App signing certificate using this code.
It gave me the SHA-1 of the legacy Google Play App signing key certificate. Is it possible that Google Play is still using the legacy certificate to sign my app? I can't create an Android OAuth client with this legacy certificate because it's being used in another Android OAuth client in the other Google Cloud account that I no longer have access to.
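A runtime check of the kind the report describes, given here as an added example and not the reporter's code: it returns the SHA-1 fingerprint of every certificate the installed package reports, including earlier certificates in a rotation history, so each can be compared with the fingerprint registered on the Android OAuth client. The function name signingCertSha1s is hypothetical.

```kotlin
import android.content.Context
import android.content.pm.PackageManager
import android.content.pm.Signature
import android.os.Build
import java.security.MessageDigest

// Added example (hypothetical helper, not from the issue report).
// Returns colon-separated, upper-case SHA-1 fingerprints of the certificates
// that signed the installed copy of this app.
fun signingCertSha1s(context: Context): List<String> {
    val pm = context.packageManager
    val signatures: Array<Signature>? =
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            @Suppress("DEPRECATION")
            val info = pm.getPackageInfo(
                context.packageName,
                PackageManager.GET_SIGNING_CERTIFICATES
            )
            val signingInfo = info.signingInfo ?: return emptyList()
            if (signingInfo.hasMultipleSigners()) {
                // Several independent signers: rotation history does not apply.
                signingInfo.apkContentsSigners
            } else {
                // Single signer: the history runs from the original
                // certificate (index 0) to the current one (last index).
                signingInfo.signingCertificateHistory
            }
        } else {
            // Before API 28 only the legacy GET_SIGNATURES flag is available.
            @Suppress("DEPRECATION")
            pm.getPackageInfo(
                context.packageName,
                PackageManager.GET_SIGNATURES
            ).signatures
        }

    return signatures.orEmpty().map { sig ->
        // Signature.toByteArray() is the DER-encoded X.509 certificate, so
        // its SHA-1 is the fingerprint shown by keytool and the Play Console.
        MessageDigest.getInstance("SHA-1")
            .digest(sig.toByteArray())
            .joinToString(":") { "%02X".format(it) }
    }
}
```

Run it in the build installed from Google Play and log the result: if more than one fingerprint is returned, the last entry is the certificate currently signing the app and earlier entries are previous certificates in its rotation history.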