GrapheneOS / os-issue-tracker

Issue tracker for GrapheneOS Android Open Source Project hardening work. Standalone projects like Auditor, AttestationServer and hardened_malloc have their own dedicated trackers.
https://grapheneos.org/

In-app Google account Sign-In using OpenID scopes not working for Google Play Game Services #860

Closed ghost closed 2 years ago

ghost commented 2 years ago

Some games support signing into a Google account for save/data sync. These apps usually use OAuth/OpenID and the games_auth or games auth scope provided by Google Play Game Services (Google Play Games app).

https://developers.google.com/identity/protocols/oauth2/scopes
https://developers.google.com/identity/protocols/oauth2/openid-connect

Sandboxed Play Services might be missing shims to make Google Play Games Services sign-in work.

Two example games use Play Games Services sign-in: Cookie Run Kingdom and Clash of Clans. The Google Play Games app, which provides the ability for these games to sign in using your Google account, also fails to sign in because of this same issue.

Logcats for Cookie Run Kingdom sign-in attempt:

12-11 18:58:41.272 31758 31804 I GmsCoreAccountHinter: No Games Java SDK version for com.devsisters.ck. Assuming first generation SDK. Updating active gmscore account. [CONTEXT service_id=1 ]
12-11 18:58:41.273 31758 31804 I GmsCoreAccountHinter: Hinted account Account {name=REDACTED_EMAIL@REDACTED_EMAIL, type=com.google} for com.devsisters.ck [CONTEXT service_id=1 ]
12-11 18:58:41.290 31758 31804 I SignInManagerV2: Recording sign-in successful: request[cxo{gamePackageName=com.devsisters.ck, gameUid=10012, account=<ELLIDED:#########>, playerId=<ELLIDED:#########>, grantedScoped=[email, https://www.googleapis.com/auth/games_lite, openid]}] [CONTEXT service_id=1 ]
12-11 18:58:41.337 31758 31804 W GameRunManager: Can't start a new game run for [GameKey{packageName=com.devsisters.ck}], because there are no active processes [CONTEXT service_id=1 ]
12-11 18:58:41.338 31758 31804 W SignInPerformer-0: No active processes of the calling game: [GameKey{packageName=com.devsisters.ck}] [CONTEXT service_id=1 ]
12-11 18:58:41.339 31758 31804 I SignInPerformer-0: Reporting unresolvable error for [com.devsisters.ck] [CONTEXT service_id=1 ]

Sign-in works and authentication is valid, but it seems to be unable to go through.

Logcats for Clash of Clans sign-in attempt:

12-11 23:09:00.075  1584  2164 I ActivityTaskManager: START u0 {act=com.google.android.gms.auth.GOOGLE_SIGN_IN pkg=com.supercell.clashofclans cmp=com.supercell.clashofclans/com.google.android.gms.auth.api.signin.internal.SignInHubActivity (has extras)} from uid 10222
12-11 23:09:20.893  9368  9397 I LegacyGetServiceValidat: onGetService() from Client SDK version [214516000], Module version [214516044], PGA version [304712040], Account [Account {name=<<default account>>, type=com.google}], Calling package [com.google.android.gms], Game package [com.supercell.clashofclans] [CONTEXT service_id=1 ]
12-11 23:09:21.175  9368  9437 I SignInPerformer-0: Handling request [GetGamesServiceRequest{gamePackageName=com.supercell.clashofclans, gameUid=10222, gamePlayServicesClientLibraryVersion=12451000, sdkVariation=4368, requestedScopes=[https://www.googleapis.com/auth/games_lite], callingIdentity=CallingIdentity{uid=10165, pid=8460, packageName=com.google.android.gms, playServicesClientLibraryVersion=214516000}, requestedAccount=Optional.absent(), forceResolveAccountKey=null, requestedServiceMode=0}], isFirstPartyCaller [true], Overdrive [disabled] [CONTEXT service_id=1 ]
12-11 23:09:21.182  9368  9437 I SignInPerformer-0: 1P application [CallingIdentity{uid=10165, pid=8460, packageName=com.google.android.gms, playServicesClientLibraryVersion=214516000}] was allowed to request for game [com.supercell.clashofclans] [CONTEXT service_id=1 ]
12-11 23:09:21.422  9368  9416 I SignInPerformer-0: Auth request for [com.supercell.clashofclans] is not eligible for auto sign-in. isVisible [false] [CONTEXT service_id=1 ]
12-11 23:09:21.620  4693  4879 E Auth    : [GoogleAccountDataServiceImpl] getToken() -> NEED_REMOTE_CONSENT. App: com.supercell.clashofclans, Service: oauth2:https://www.googleapis.com/auth/games_lite
12-11 23:09:21.674  9368  9416 W SignInPerformer-0: Failed to authorize request [coy{clientPackageName=com.supercell.clashofclans, clientUid=10222, account=<ELLIDED:#########>, requestedScopes=[https://www.googleapis.com/auth/games_lite], shouldIncludeAllGrantedScopes=false, gamesAutoSignInPolicyAction=DO_NOT_APPLY, serverClientId=null, forceRefreshToken=false}] resultStatus [Status{statusCode=SIGN_IN_REQUIRED, resolution=null}] [CONTEXT service_id=1 ]
12-11 23:09:21.689  9368  9416 I SignInPerformer-0: signIn(com.supercell.clashofclans): suppression is not allowed. Triggering resolution. [CONTEXT service_id=1 ]
12-11 23:09:21.690  9368  9416 I SignInPerformer-0: Reporting resolvable error for [com.supercell.clashofclans] [CONTEXT service_id=1 ]
12-11 23:09:23.206  4693  4878 E Auth    : [GoogleAccountDataServiceImpl] getToken() -> NEED_REMOTE_CONSENT. App: com.supercell.clashofclans, Service: oauth2:https://www.googleapis.com/auth/games_lite
12-11 23:09:24.121  4693  9450 E Auth    : [GoogleAccountDataServiceImpl] getToken() -> NEED_REMOTE_CONSENT. App: com.supercell.clashofclans, Service: oauth2:https://www.googleapis.com/auth/games_lite

12-11 23:10:51.360  9368 10575 I PlayerManager: Fetching player: account [<ELLIDED:#########>] gamePackageName [com.supercell.clashofclans] forceServerFetch [false] getLegacyPlayerIdResponse [GetLegacyPlayerIdResponse{wasSuccessful=true, legacyPlayerId=null}] [CONTEXT service_id=1 ]
12-11 23:10:51.379  9368 10575 I SignInPerformer-9: Successfully found game: displayName [Clash of Clans], applicationId [972855262455], packageName [com.supercell.clashofclans] [CONTEXT service_id=1 ]
12-11 23:10:51.392  9368 10575 I GmsCoreAccountHinter: No Games Java SDK version for com.supercell.clashofclans. Assuming first generation SDK. Updating active gmscore account. [CONTEXT service_id=1 ]
12-11 23:10:51.392  9368 10575 I GmsCoreAccountHinter: Hinted account Account {name=REDACTED_EMAIL@REDACTED_EMAIL, type=com.google} for com.supercell.clashofclans [CONTEXT service_id=1 ]
12-11 23:10:51.398  9368 10575 I SignInManagerV2: Recording sign-in successful: request[cxo{gamePackageName=com.supercell.clashofclans, gameUid=10222, account=<ELLIDED:#########>, playerId=<ELLIDED:#########>, grantedScoped=[https://www.googleapis.com/auth/games_lite]}] [CONTEXT service_id=1 ]
12-11 23:10:51.419  9368 10575 W GameRunManager: Can't start a new game run for [GameKey{packageName=com.supercell.clashofclans}], because there are no active processes [CONTEXT service_id=1 ]

GmsCompat seems to acknowledge Play Games Services, but Games.API doesn't seem to exist. Games.API being missing is likely why some games, like Cookie Run Kingdom, are missing from the Play Store, which reports the app as "not compatible with this device".

12-11 23:09:23.710  9368  9368 D GmsCompat/Hooks: Posting notification for service: com.google.android.gms.games.chimera.GamesSyncServiceMainProxy
12-11 23:09:23.777  9368  9437 W GameRunManager: Can't start a new game run for [GameKey{packageName=com.google.android.play.games}], because there are no active processes [CONTEXT service_id=1 ]
12-11 23:09:23.779  9368  9437 W SignInPerformer-3: No active processes of the calling game: [GameKey{packageName=com.google.android.play.games}] [CONTEXT service_id=1 ]
12-11 23:09:23.780  9368  9575 I PlayGamesServices[GamesSyncAdapter]: Starting sync for 250838fa
12-11 23:09:23.781  9368  9437 I SignInPerformer-3: Reporting unresolvable error for [com.google.android.play.games] [CONTEXT service_id=1 ]
12-11 23:09:23.787  9460  9515 W PGAcde  : ezw: 17: API: Games.API is not available on this device. Connection failed with: eyr{statusCode=DEVELOPER_ERROR, resolution=null, message=null}

Google Play Games app failing to sign in and GmsCompat acknowledging its notification:

12-11 23:18:55.350  9368  9368 D GmsCompat/Hooks: Posting notification for service: com.google.android.gms.games.chimera.GamesAsyncServiceProxy
12-11 23:18:55.355  9368 12207 I SignInPerformer-17: Handling request [GetGamesServiceRequest{gamePackageName=com.google.android.play.games, gameUid=10223, gamePlayServicesClientLibraryVersion=214206000, sdkVariation=4368, requestedScopes=[https://www.googleapis.com/auth/games.firstparty], callingIdentity=CallingIdentity{uid=10223, pid=9460, packageName=com.google.android.play.games, playServicesClientLibraryVersion=214206000}, requestedAccount=Optional.of(Account {name=REDACTED_EMAIL@REDACTED_EMAIL, type=com.google}), forceResolveAccountKey=null, requestedServiceMode=0}], isFirstPartyCaller [true], Overdrive [disabled] [CONTEXT service_id=1 ]
12-11 23:18:55.364  9368 12207 I SignInPerformer-17: Auth request for [com.google.android.play.games] is not eligible for auto sign-in. isVisible [false] [CONTEXT service_id=1 ]
12-11 23:18:55.392  9368 12207 I SignInPerformer-17: Successfully authorized coy{clientPackageName=com.google.android.play.games, clientUid=10223, account=<ELLIDED:#########>, requestedScopes=[https://www.googleapis.com/auth/games.firstparty], shouldIncludeAllGrantedScopes=false, gamesAutoSignInPolicyAction=DO_NOT_APPLY, serverClientId=null, forceRefreshToken=false} [CONTEXT service_id=1 ]
12-11 23:18:55.392  9368 12207 I PlayerManager: Fetching player: account [<ELLIDED:#########>] gamePackageName [com.google.android.play.games] forceServerFetch [false] getLegacyPlayerIdResponse [GetLegacyPlayerIdResponse{wasSuccessful=true, legacyPlayerId=null}] [CONTEXT service_id=1 ]
12-11 23:18:55.401  9368 12207 I SignInPerformer-17: Successfully found game: displayName [Google Play Games], applicationId [593950602418], packageName [com.google.android.play.games] [CONTEXT service_id=1 ]
12-11 23:18:55.411  9368 12207 I GmsCoreAccountHinter: No Games Java SDK version for com.google.android.play.games. Assuming first generation SDK. Updating active gmscore account. [CONTEXT service_id=1 ]
12-11 23:18:55.411  9368 12207 I GmsCoreAccountHinter: Hinted account Account {name=REDACTED_EMAIL@REDACTED_EMAIL, type=com.google} for com.google.android.play.games [CONTEXT service_id=1 ]
12-11 23:18:55.417  9368 12207 I SignInManagerV2: Recording sign-in successful: request[cxo{gamePackageName=com.google.android.play.games, gameUid=10223, account=<ELLIDED:#########>, playerId=<ELLIDED:#########>, grantedScoped=[https://www.googleapis.com/auth/games.firstparty]}] [CONTEXT service_id=1 ]
12-11 23:18:55.421  9368 12207 W GameRunManager: Can't start a new game run for [GameKey{packageName=com.google.android.play.games}], because there are no active processes [CONTEXT service_id=1 ]
12-11 23:18:55.421  9368 12207 W SignInPerformer-17: No active processes of the calling game: [GameKey{packageName=com.google.android.play.games}] [CONTEXT service_id=1 ]
12-11 23:18:55.421  9368 12207 I SignInPerformer-17: Reporting unresolvable error for [com.google.android.play.games] [CONTEXT service_id=1 ]

thestinger commented 2 years ago

Did you install https://play.google.com/store/apps/details?id=com.google.android.play.games? We might need to extend the compatibility layer to it.

ghost commented 2 years ago

@thestinger Yes, as that's required for the game to use OpenID/OAuth Google sign-in for the games scope.

ghost commented 2 years ago

Just to add additional confirmation, this has been solved in 2022011009.

Google Play Games app works now. Cookie Run Kingdom now signs in properly via Google Play Games.
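
Added example, not part of the thread or of GrapheneOS code: a small triage script for logcat captures like the ones in the report. It separates packages whose sign-in was recorded as successful and then dropped with "no active processes" from packages still waiting on NEED_REMOTE_CONSENT. The verdict names are this example's own labels, and the sample lines are abridged from the excerpts above.

```python
import re

# logcat "threadtime" layout: date time PID TID level tag: message
LINE = re.compile(r"^\S+ (\S+)\s+\d+\s+\d+ [VDIWEF] (.+?)\s*: (.*)$")

# Message patterns taken from the log lines quoted in the issue.
EVENTS = [
    ("granted", re.compile(r"Recording sign-in successful: .*?gamePackageName=([\w.]+)")),
    ("no_process", re.compile(r"No active processes of the calling game: \[GameKey\{packageName=([\w.]+)\}")),
    ("unresolvable", re.compile(r"Reporting unresolvable error for \[([\w.]+)\]")),
    ("resolvable", re.compile(r"Reporting resolvable error for \[([\w.]+)\]")),
    ("need_consent", re.compile(r"getToken\(\) -> NEED_REMOTE_CONSENT\. App: ([\w.]+)")),
]

# Abridged from the excerpts above (long request fields trimmed).
SAMPLE = """\
12-11 18:58:41.290 31758 31804 I SignInManagerV2: Recording sign-in successful: request[cxo{gamePackageName=com.devsisters.ck, gameUid=10012}] [CONTEXT service_id=1 ]
12-11 18:58:41.338 31758 31804 W SignInPerformer-0: No active processes of the calling game: [GameKey{packageName=com.devsisters.ck}] [CONTEXT service_id=1 ]
12-11 18:58:41.339 31758 31804 I SignInPerformer-0: Reporting unresolvable error for [com.devsisters.ck] [CONTEXT service_id=1 ]
12-11 23:09:21.620  4693  4879 E Auth    : [GoogleAccountDataServiceImpl] getToken() -> NEED_REMOTE_CONSENT. App: com.supercell.clashofclans, Service: oauth2:https://www.googleapis.com/auth/games_lite
12-11 23:09:21.690  9368  9416 I SignInPerformer-0: Reporting resolvable error for [com.supercell.clashofclans] [CONTEXT service_id=1 ]
"""

def parse(text):
    """Yield (time, tag, event, package) for every recognised log line."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        time, tag, msg = m.groups()
        for name, pat in EVENTS:
            hit = pat.search(msg)
            if hit:
                yield time, tag, name, hit.group(1)
                break

def triage(text):
    """Return {package: verdict} from the order of each package's events."""
    seen = {}
    for _time, _tag, name, pkg in parse(text):
        seen.setdefault(pkg, []).append(name)
    verdicts = {}
    for pkg, ev in seen.items():
        tail = ev[ev.index("granted"):] if "granted" in ev else []
        if "no_process" in tail and "unresolvable" in tail:
            verdicts[pkg] = "granted_but_no_active_process"
        elif "need_consent" in ev:
            verdicts[pkg] = "consent_pending"
        else:
            verdicts[pkg] = "signed_in" if tail else "unknown"
    return verdicts
```

Calling `triage()` on a full capture gives one verdict per package, which makes it easy to confirm after an update that a package no longer lands in `granted_but_no_active_process`.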