I am accessing the Play Integrity API, and the received token is not in the same format as the API document.

import com.google.android.gms.tasks.Task;
// Play Integrity client classes (from the com.google.android.play:integrity library).
import com.google.android.play.core.integrity.IntegrityManager;
import com.google.android.play.core.integrity.IntegrityManagerFactory;
import com.google.android.play.core.integrity.IntegrityTokenRequest;
import com.google.android.play.core.integrity.IntegrityTokenResponse;

// Receive the nonce from the secure server.
String nonce = ...

// Create an instance of a manager.
IntegrityManager integrityManager =
    IntegrityManagerFactory.create(getApplicationContext());

// Request the integrity token by providing a nonce.
// The Task completes with an IntegrityTokenResponse whose token() is sent to the server for verification.
Task<IntegrityTokenResponse> integrityTokenResponse =
    integrityManager
        .requestIntegrityToken(
            IntegrityTokenRequest.builder().setNonce(nonce).build());

Decrypt and verify the integrity verdict

When you request an integrity verdict, the Play Integrity API provides a signed response token. The nonce that you include in your request becomes part of the response token.

Token format

The token is a nested JSON Web Token (JWT), that is JSON Web Encryption (JWE) of JSON Web Signature (JWS). The JWE and JWS components are represented using compact serialization.

The encryption / signing algorithms are well-supported across various JWT implementations:

JWE uses A256KW for alg and A256GCM for enc. JWS uses ES256.

The token I received is as follows:

Token : ARCnMGsV6sVWEb3urj95OtQ0Fqn37u5fTN-hqbLtRcRv8OhdMg9BkA9Ev7CWSHfCqNc8ToNkXEhOxWpm26_Oyk8MXwS5gtrLv1iiYqMfAdQTIfRq1VrGAwcGRVe5k5kJw7BJ26UOkLk8Gdjjv_BlGNM8y2p_r0mDsoKXqzSDHJzs2D3mX_mWB6e8zB_Sp6ACgF_2IoYyjkk4eMsunR78MaboeD7nkYvHmdBHB_GT77JaPzrsyi_QMTapFfAfD5gZrdNQkkppF6O_7xfH3qv88Wl3Z1feo-R78iLDyBOgRywIq45kl1QUBAtoUzNpltzwCYiejhaHEuLDLdqKuvjWWHWcnFq55YXrPsPK0DyqqYwE-wq-VxanBs6YXe_SU-xc3zsYXnTVo7SP3GdGF2X6I-j3U7d9MzGRyrUWuh1dzXKqQpNUM7rEPRhoyzez0jl7yyny4q9oEOD-RTPc0Igq2aBCf4_zJoXAPhLWgOpTEKLPLB8Qx4v1HqGdDMFF1kAc5fmuAZTOmqigod_IuE1z6LqBXttL-76hXiQkrh-W_tzb3a5vlByJO_1vx-TWT_SnnTevAGdAdRsaCK1w6d4EG7SxSIOR1UutU4fGR9zwZ4nOOq1qMZRpjG2o0CS6zRnnZQi3wX6h8Ocq7FAKhhM8HBdwOrH8UO_VOc6dKrMhZHPv5ZVXX9SzoUq3a0MOk3mk1FL3t2_e8xweL02OK12t_g_JclL1b0UCQF7S4BRtYhIMEZ8IXkkWQxbTsgdJrkRCU_IEP0F-CiNXwauXPC2rzEEbT4u5DuJfAG8qlTIYDQttqJSQm_LbkFM1ih8b-d1xWO4WJ4HYHmDpkY8ZTg 


Solution 1:[1]

That response cannot be decoded locally; you have to call the Google API to do it. If you want to decode the token yourself, do not include a Google Cloud Project number when you build the request token.

Solution 2:[2]

As https://issuetracker.google.com/issues/229508066 said:

You are probably setting the setCloudProjectNumber() when making a request to the Integrity API. setCloudProjectNumber() is meant to be used for apps distributed outside of Play (https://developer.android.com/google/play/integrity/setup#apps-exclusively-distributed-outside-google-play) or SDKs (https://developer.android.com/google/play/integrity/setup#sdks). In this case the response cannot be decrypted locally but instead you can only call Google Server to decrypt the token (https://developer.android.com/google/play/integrity/verdict#decrypt-verify-google-servers).

If your app is on Play, consider enabling Integrity API via Play Console (https://developer.android.com/google/play/integrity/setup#apps-on-google-play) and call the API without setting setCloudProjectNumber().

Solution 3:[3]

You can decode the response using any hosted service, such as the Java API service. The integrity token can then be sent to the Google server from the hosted service, and you can verify the response received from Google. Enable the Play Integrity API in Google Cloud Platform against the app, download the JSON file and configure the code. Similarly, you should enable Play Integrity in the Google Play Console.

Please check this snippet
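A server-side triage for the two verification paths the answers describe, added here as an example that is not part of the question or of any answer. It uses only the Python standard library: it checks whether a received token is the compact-serialized JWE the docs describe (and, after decryption, whether the inner payload is an ES256 JWS), and treats a dot-free blob like the one in the question as a token that must be sent to Google's decode endpoint. Function names and the sample tokens are my own constructions.

```python
import base64
import json

# Algorithms the Play Integrity docs quoted in the question specify for the nested token.
JWE_ALG, JWE_ENC, JWS_ALG = "A256KW", "A256GCM", "ES256"


def b64url_encode(data: bytes) -> str:
    """Unpadded base64url, the encoding compact JOSE serialization uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_json(segment: str) -> dict:
    """Decode one compact-serialization segment into its JSON header object."""
    value = json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))
    if not isinstance(value, dict):
        raise ValueError("JOSE header is not a JSON object")
    return value


def triage_token(token: str) -> str:
    """Return which verification path a Play Integrity token needs:
    "decrypt-locally"   5-segment compact JWE with the documented alg/enc,
    "decrypt-at-google" one dot-free opaque blob like the one in the question
                        (request carried a cloud project number), or "invalid".
    """
    parts = token.strip().split(".")
    if len(parts) == 1:
        return "decrypt-at-google" if parts[0] else "invalid"
    if len(parts) != 5:  # compact JWE is exactly header.key.iv.ciphertext.tag
        return "invalid"
    try:
        header = b64url_json(parts[0])
    except (ValueError, UnicodeDecodeError):
        return "invalid"
    if header.get("alg") != JWE_ALG or header.get("enc") != JWE_ENC:
        return "invalid"
    return "decrypt-locally"


def inner_jws_ok(jws: str) -> bool:
    """After JWE decryption the payload must be a 3-segment ES256 JWS."""
    parts = jws.split(".")
    try:
        return len(parts) == 3 and b64url_json(parts[0]).get("alg") == JWS_ALG
    except (ValueError, UnicodeDecodeError):
        return False


def sample_compact_jwe(alg: str = JWE_ALG, enc: str = JWE_ENC) -> str:
    """Constructed sample: a well-formed compact JWE header plus four dummy segments."""
    header = b64url_encode(json.dumps({"alg": alg, "enc": enc}).encode())
    return ".".join([header] + [b64url_encode(bytes([i]) * 16) for i in range(1, 5)])
```

Only the serialization and headers are inspected here; the actual A256KW/A256GCM decryption and ES256 signature check still need a JOSE library and the app's decryption and verification keys.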

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 James Fairweather
Solution 2 Will Luo
Solution 3 John_S