Tags: ios, unity-game-engine, oauth-2.0, arcore, ar-foundation

Authentication Problems using Google's ARCore API


What happened so far?

I have an iOS application running, which makes use of ARFoundation to show virtual objects in the real world and the ARCore API to host and resolve cloud anchors (https://developers.google.com/ar/develop/cloud-anchors).

So far, I have managed to get the hosting process done with the use of an API key. However, by using an API key the Cloud Anchors can only be hosted for 1 day. To extend the cloud anchors' time-to-live (up to 365 days), keyless authentication must be used (OAuth2).

Unfortunately I have no experience with cryptography, authentication processes or similar, but am always open to learn something new.

Setup

First of all, I have created a service account within the Google dev console and downloaded the credentials in JSON format.

Management API

Google's documentation recommends using their OAuth2l to manage the cloud anchors. I am able to read all cloud anchors whenever I host them with the API key. Since they have expired while I have been trying to get keyless auth running, reading the Management API just returns an empty list (which is fine imo).

Getting ID-Token

With the help of Postman I can get an ID token successfully by passing a JWT (hand-generated on jwt.io): [screenshot: Postman Request config] [screenshot: JWT Creation]

Successful response of the API: [screenshot: Postman Response]

Authenticating in Unity

Google's ARCore Extensions for Unity's ARFoundation add a function called SetAuthToken(string token) to the ArCloudAnchorManager, which should be executed with a valid access token before hosting the cloud anchor with the function HostCloudAnchorAsync(...).

In a first step I try to hard-code the ID token into the source code to see if the authentication works at all (my tokens are valid for 60 min; within this time I'm able to build and test the app :)).

I have tried passing the ID token to the SetAuthToken() function without any error, but when hosting the cloud anchor I receive "ErrorNotAuthorized".

With all the different token types (bearer, ID, access token) I am very confused and don't know how to authenticate properly.

Could somebody please help me understand what I am doing wrong?


Solution

  • ok guys, just figured it out:

    Since I am using a service account for token generation, I had to pass the JWT directly to the API, not try to receive another ID or access token from Google's authorization servers.

    The JWT has to be in this format to get access to the ARCore API:

    header:
    {
      "alg": "RS256",
      "typ": "JWT",
      "kid": "25224xxxxxxxxxxxxxxxxxxxxxxxxxxxd0acf866"
    }
    payload:
    {
      "iss": "service-account@xxxxxxxxxxxxxxxxxx.iam.gserviceaccount.com",
      "sub": "service-account@xxxxxxxxxxxxxxxxxx.iam.gserviceaccount.com",
      "aud": "https://arcore.googleapis.com/",
      "exp": 1726302582,
      "iat": 1726298982
    }

    Here "kid" is the private key id, "iss" and "sub" are the service account, and "aud" gives access to the ARCore API.

    Just in case somebody stumbles over similar issue in the future :)
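One way to build the self-signed JWT described in this answer from the downloaded service-account JSON, written in Python as an added example (it is not code from the question, the answer, or Google's libraries). The service-account values are constructed placeholders, the one-hour lifetime limit is Google's documented maximum for such tokens, and the RS256 signer assumes the third-party `cryptography` package is installed:

```python
import base64
import json
import time
from typing import Callable, Dict, Optional, Tuple

ARCORE_AUDIENCE = "https://arcore.googleapis.com/"   # "aud" claim from the answer above
MAX_LIFETIME = 3600  # Google rejects self-signed JWTs whose exp is more than 1 hour after iat

# Constructed stand-in for the service-account JSON file; a real file also carries "private_key" (PEM).
SAMPLE_SERVICE_ACCOUNT = {
    "client_email": "service-account@example-project.iam.gserviceaccount.com",
    "private_key_id": "PLACEHOLDER_PRIVATE_KEY_ID",
}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as the JWT spec requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_arcore_jwt(service_account: Dict[str, str], sign: Callable[[bytes], bytes],
                     now: Optional[int] = None, lifetime: int = MAX_LIFETIME) -> str:
    """Assemble header.payload.signature with the claims the ARCore API expects.
    `sign` must return an RSASSA-PKCS1-v1_5/SHA-256 signature made with the account's private key."""
    if not 0 < lifetime <= MAX_LIFETIME:
        raise ValueError("lifetime must be between 1 and 3600 seconds")
    iat = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT", "kid": service_account["private_key_id"]}
    payload = {"iss": service_account["client_email"], "sub": service_account["client_email"],
               "aud": ARCORE_AUDIENCE, "iat": iat, "exp": iat + lifetime}
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(payload)
    return signing_input + "." + b64url(sign(signing_input.encode("ascii")))


def rs256_signer(private_key_pem: str) -> Callable[[bytes], bytes]:
    """Signer backed by the `cryptography` package (imported lazily so the rest runs without it)."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem.encode(), password=None)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())


def decode_claims(token: str) -> Tuple[dict, dict]:
    """Decode header and payload WITHOUT verifying the signature; only for inspecting your own token."""
    head, body, _sig = token.split(".")
    pad = lambda s: s + "=" * (-len(s) % 4)
    return (json.loads(base64.urlsafe_b64decode(pad(head))),
            json.loads(base64.urlsafe_b64decode(pad(body))))
```

With a real service-account file, `build_arcore_jwt(data, rs256_signer(data["private_key"]))` yields the string to pass to SetAuthToken(); the private key must stay on a server you control rather than being shipped inside the app bundle.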