android - Should I use GoogleAuthUtil.getToken(...) or not?

Question

Background:

I need to authenticate on my server back-end so I know the client is genuine. In my Android game I connect to Games.API via GoogleApiClient.

I only want to have to sign in once, which I want to do via Games.API, as this gives me many advantages (Google Play Games leaderboards, achievements, etc.)

I have been able to get an authorisation token using GoogleAuthUtil.getToken(...) which I can do after I sign into Games.API, which seems to give me a token. Good so far.

But Google says this is not safe and says I should migrate to ID token flow instead. But, as I understand it this approach would require me to use

Intent signInIntent = Auth.GoogleSignInApi.getSignInIntent(mGoogleApiClient);
startActivityForResult(signInIntent, RC_SIGN_IN);

which means instigating an additional sign in to that for Games.API. Furthermore, it is not possible to addApi both Games.API and Auth.GOOGLE_SIGN_IN_API to the same GoogleApiClient !

Ok, so upgrade to the latest google-play-services (at least r29), using which I can use Games.API with Games.getGamesServerAuthCode(...) to obtain an auth token for my server. But this has two problems: (1) it requires Android 6.0 or above which blocks out 80% of the market, and (2) it's deprecated !

---

Question:

Should I use GoogleAuthUtil.getToken(...) or not, and if not what are my options given that I only want to sign in using Games.API ?

By sign in I mean present the user with log in visuals. I don't mind signing into something else so long as the user does not have to interact with the sign in...

---

Note:

I originally asked this question when I first started out. The current question hopefully clarifies the situation.

Answer 1

Firstly, I should not use GoogleAuthUtil.getToken(...). It's deprecated; end of.

To achieve what I want I found the following works perfectly... whether it's the best way I have no idea.

First, sign in using Auth.GOOGLE_SIGN_IN:

GoogleSignInOptions gso = new GoogleSignInOptions.Builder(
                                          GoogleSignInOptions.DEFAULT_SIGN_IN)
    .requestEmail()
    .requestIdToken("YOUR-SERVER-CLIENT-ID")
    .build();

mGoogleApiClientForSignIn = new GoogleApiClient.Builder(mActivity, this, this)
    .addApi(Auth.GOOGLE_SIGN_IN_API, gso)
    .build();

mGoogleApiClientForSignIn.connect();

On success this will eventually call onConnected(...) from where you can negotiate a second sign in to Games.API. This has to be performed separately on a new GoogleApiClient because you can't mix Games.API and Auth.GOOGLE_SIGN_IN:

mGoogleApiClientForGames = new GoogleApiClient.Builder(mActivity, this, this)
    .addApi(Games.API).addScope(Games.SCOPE_GAMES)
    .addApi(Drive.API).addScope(Drive.SCOPE_APPFOLDER)
    .build();

mGoogleApiClientForGames.connect();

As per the new Play Games Permissions update for 2016, the GoogleSignIn only appears once per game (even between devices !), after which the user is not presented with any visual log in screens for GoogleSignIn. The only visual login will be the Saved Games snapshot selection screen.

This works with Android 2.3 (use google-play-services r28) and without deprecation warnings. Huzzah !