Android APK Authentication API

The authentication can occur in three different environments:

  • Payment integrator's Android app
  • Payment integrator's mobile website
  • Payment integrator's desktop website

Regardless of the flow, Google hands off the user interaction to the Payment integrator's software. The payment integrator can choose to show the user an interface or simply return immediately if it already has the appropriate data. All flows result in the integrator producing an AuthenticationResponse. This response is signed and sent back to Google.

The mobile and desktop websites must follow the WebRedirect Authentication API Specification, while the Android App flow must follow the Android Authentication API Specification.

Integrators should implement an Android APK solution to authenticate the users. This authentication is a different modality, but the same purpose as the authentication provided by the Web authentication.

A user authenticates with the payment integrator via an Android Activity. The authentication intent is invoked during account association and for user-challenges. To prevent Android from terminating Play in the background during authentication, the integrator needs to include the following in the activity theme.

<item name="android:windowIsTranslucent">true</item>

Method definition

The intent needs to have these properties:

Method properties
Action com.google.android.payments.standard.AUTHENTICATE_V1
Category N/A

Request

Fields
gspAuthenticationRequest AuthenticationRequest

Authentication request.

gspAssociationId string

If present, this contains an identifier that the integrator uses to look up credentials for the user that is challenged. If this is not present, the user has the option to change the account identification.

Response

After the user completes authentication, your application needs to send a result intent back to Google. If authentication is successful, create an intent and add the encrypted encoded gspAuthenticationResponse as an extra. Next, set the activity result to the appropriate result code.

...
result.setExtra("gspAuthenticationResponse", gspAuthenticationResponse);
setResult(Activity.RESULT_OK, result);
...
finish();

Result

Fields
result int

Activity.RESULT_OK
Authentication was successful.
Activity.RESULT_CANCELED User canceled the flow manually and the flow should be aborted.
Activity.RESULT_FIRST_USER Authentication failed for a fatal reason and the flow should be aborted. IE server returned HTTP 500 response on login.

Extras

Fields
gspAuthenticationResponse AuthenticationResponse

Authentication response. This encoded value must not exceed 1KB.

Other activity requirements

The activity that supports the above mentioned AUTHENTICATE_V1 action must also check that callers of the API only come from Google-signed applications. This will help prevent other apps from trying to invoke your activity and retrieve identity tokens. This can be done by using the supplied StandardPaymentUtils.verifyCallingActivityIsGoogleSigned right after super.onCreate within your [Activity]](https://developer.android.com/reference/android/app/Activity.html) implementation.

Here's a sample:


@Override
protected void onCreate(Bundle savedInstanceState) {
  super.onCreate(savedInstanceState);
  StandardPaymentsUtils.verifyCallingActivityIsGoogleSigned(this);

  ....
}

All activities invoked within the authenticate flow must supply an activity theme that has windowIsTranslucent=true. This must be done with the AndroidManifest android:theme attribute and not using Context.setTheme(). Programmatically, setting the theme doesn’t work correctly for window translucency. Google will enforce that the first activity launched follows this pattern but any sub activities that are also launched must also follow this pattern. If not, then purchases from 3rd party developers might not work.