java android kotlin google-api

CredentialManager and Google Identity Signin API How to


I'm extremely confused and lost on how to proceed with the "recent" Google authentication process. For context, I'm compiling an AOSP; the goal of my APK is to get the personal info (the user's Google account image).

OK, so if I take the official example (with my already existing accountManager) (I'm sorry if some information is inaccurate, this is the first time I'm implementing the Android Google API):

        private val accountManager by lazy { AccountManager.get(context) }
            ...
        val googleAccount = accountManager.getAccountsByType(ACCOUNT_TYPE_GOOGLE).lastOrNull()
        // googleAccount contains my email and account name
        val googleIdOption: GetGoogleIdOption = GetGoogleIdOption.Builder()
            .setFilterByAuthorizedAccounts(true)
            .setServerClientId(googleAccount!!.name) // WEB_CLIENT_ID
            .setAutoSelectEnabled(true)
            .setNonce("<nonce string to use when generating a Google ID token>")
            .build()
        Log.d(TAG, "testGoogleAccountInfos() googleIdOption:$googleIdOption")

For the things I don't understand:

  1. setServerClientId(googleAccount!!.name)//WEB_CLIENT_ID From the official documentation: In the Credentials page, create an Android client ID for your app if you don't already have one. You will need to specify your app's package name and SHA-1 signature. If I understand correctly, I have to create a Google account so that I can register my APK, so that other Google accounts can re-register themselves using my APK? But they are already registered with the account manager. Also, if I recall correctly, the deprecated GoogleSignInOptions did not need such a thing. Is that some new mandatory process or good-practice advice that can be skipped?

  2. setNonce("nonce string to use when generating a Google ID token") I've read the documentation and kind of understand what it does. For the parameter, the documentation specifies: from a cryptographically generated random number on the server side or from a pre-existing identifier, such as a session or transaction ID. On the server side??? The servers are the Google ones, are they not? And for the session/transaction ID, do you know what the good common approach to generate it is?

  3. Now let's assume everything went fine and my user is registered/connected. From the different documentation (GetGoogleIdOption, Authenticate, etc.) I really don't see a way to get the account information such as the user account picture. I've seen other posts such as google-sign-in, but to my understanding the methods are deprecated.

I'm sorry if some parts are confusing, and thank you in advance for any help.

-- Edit: OK, I really need help. I restarted from a clean environment and tried to follow the Google example step by step.

On the "Create OAuth client ID" step you are required to provide your keystore in the SHA-1 certificate fingerprint. How is that acceptable?! If I'm trying to integrate or migrate my API call, I will not use the official Google account to do it... and if I'm using a throwaway account I will load into it neither my production keystore nor my debug one, for obvious reasons.

I'm really lost. Did I misinterpret or miss something? Can't I just do a classic email/password connect to access my account?


Solution

  • Ok, this is worse than I anticipated. First you need to know that, yes you need an account and you to be able to do the API call. You either need an OAuth client ID of type:

    If you are compiling an AOSP you will need the Google library and its dependencies (static_libs):

    "play-services-auth-api-phone-18.0.2",
    "play-services-fido-20.0.1",
    "play-services-auth-base-18.0.10",
    "play-services-base-18.3.0",
    "play-services-basement-18.3.0",
    "play-services-tasks-18.1.0",
    
    "credentials-1.2.2",
    "play-services-auth-21.2.0",
    "credentials-play-services-auth-1.2.2",
    
    "googleid-1.1.1",
    

    Beware that some dependencies need to declare their own static_libs to be able to compile (if a compilation error occurs, look at other dependencies and check if they do not have the needed resources).

    Then for the API calls, as stated in the official doc (my example will be using a web-application vendorid):

    // tmp_vendor_id_web is the OAuth client ID of type "web application"
    val signInWithGoogleOption: GetSignInWithGoogleOption =
        GetSignInWithGoogleOption.Builder(tmp_vendor_id_web)
            .build()
    val request: GetCredentialRequest = GetCredentialRequest.Builder()
        .addCredentialOption(signInWithGoogleOption)
        .build()

    // getCredential() is a suspend function, so call it from a coroutine
    lifecycleScope.launch {
        try {
            Log.d(TAG, "googleSigninTest() coroutineScope.launch")
            val result = credentialManager.getCredential(
                request = request,
                context = this@MainActivity,
            )
            handleSignIn(result)
        } catch (e: Exception) {
            Log.e(TAG, "Error during sign-in: ${e.message}")
        } finally {
            Log.d(TAG, "googleSigninTest() coroutineScope. isRequestInProgress done")
        }
    }
    

    The handleSignIn receives a GetCredentialResponse that can be transformed into a GoogleIdTokenCredential to be able to retrieve user information:

    GoogleIdTokenCredential.createFrom(credential.data)
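
The `handleSignIn` step described in the answer, together with the nonce the question asks about, as an added example that is not part of the original post. `GoogleProfile`, `newNonce` and the log tag are hypothetical names, and generating the nonce on the device is an assumption for apps without a backend; the result of `newNonce()` would be passed to `GetSignInWithGoogleOption.Builder(...).setNonce(...)`.

```kotlin
import android.net.Uri
import android.util.Base64
import android.util.Log
import androidx.credentials.CustomCredential
import androidx.credentials.GetCredentialResponse
import com.google.android.libraries.identity.googleid.GoogleIdTokenCredential
import com.google.android.libraries.identity.googleid.GoogleIdTokenParsingException
import java.security.SecureRandom

private const val TAG = "GoogleSignIn" // hypothetical log tag

// Hypothetical holder for the fields read from the credential.
data class GoogleProfile(val email: String, val displayName: String?, val pictureUri: Uri?, val idToken: String)

// One-time nonce: 32 bytes from a CSPRNG, URL-safe Base64. Assumption: generated
// on the device; when a backend verifies the token, the backend should issue it.
fun newNonce(): String {
    val bytes = ByteArray(32)
    SecureRandom().nextBytes(bytes)
    return Base64.encodeToString(bytes, Base64.URL_SAFE or Base64.NO_WRAP or Base64.NO_PADDING)
}

// Returns the profile, or null when the response is not a Google ID token credential.
fun handleSignIn(result: GetCredentialResponse): GoogleProfile? {
    val credential = result.credential
    if (credential !is CustomCredential ||
        credential.type != GoogleIdTokenCredential.TYPE_GOOGLE_ID_TOKEN_CREDENTIAL
    ) {
        Log.e(TAG, "Unexpected credential type: ${credential.type}")
        return null
    }
    return try {
        val google = GoogleIdTokenCredential.createFrom(credential.data)
        // These values are read from the ID token without verification; use them for
        // display only until a backend has checked signature, audience and nonce.
        GoogleProfile(
            email = google.id, // the account's email address
            displayName = google.displayName,
            pictureUri = google.profilePictureUri, // account picture, may be null
            idToken = google.idToken,
        )
    } catch (e: GoogleIdTokenParsingException) {
        Log.e(TAG, "Invalid Google ID token response", e)
        null
    }
}
```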