What happened so far?
I have an iOS application running which makes use of AR Foundation to show virtual objects in the real world and the ARCore API to host and resolve cloud anchors: https://developers.google.com/ar/develop/cloud-anchors
So far, I have managed to get the hosting process done with the use of an API key. However, by using an API key the Cloud Anchors can only be hosted for 1 day. To extend the cloud anchors' time-to-live (up to 365 days), keyless authentication must be used (OAuth2).
Unfortunately I have no experience with cryptography, authentication processes or similar, but I am always open to learning something new.
Setup
First of all, I created a service account within the Google dev console and downloaded the credentials in JSON format.
Management API
Google's documentation recommends using their OAuth2l to manage the cloud anchors. I am able to read all cloud anchors whenever I host them with the API key. Since they have expired while I have been trying to get keyless auth running, reading the Management API just returns an empty list (which is fine imo).
Getting ID-Token
With the help of Postman I can get an ID token successfully, by passing a JWT token (hand-generated in jwt.io): [screenshots: Postman request config, JWT creation]
Successful response of the API: [screenshot: Postman response]
Authenticating in Unity
Google's ARCore Extensions for Unity's AR Foundation add a function called SetAuthToken(string token) to the ArCloudAnchorManager, which should be executed with a valid access token before hosting the cloud anchor with the function HostCloudAnchorAsync(...).
As a first step I tried hard-coding the ID token into the source code to see if the authentication works at all (my tokens are valid for 60 min; within this time I am able to build and test the app :)).
I have tried passing the ID token to the SetAuthToken() function, without any error, but when hosting the cloud anchor I receive "ErrorNotAuthorized".
With all the different token types (bearer, ID, access token) I am very confused and don't know how to authenticate properly.
Could somebody please help me understand what I am doing wrong?
OK guys, just figured it out:
Since I am using a service account for token generation, I had to pass the JWT directly to the API, instead of trying to receive another ID or access token from Google's authorization servers.
The JWT has to be in this format to get access to the ARCore API:
header:
{
  "alg": "RS256",
  "typ": "JWT",
  "kid": "25224xxxxxxxxxxxxxxxxxxxxxxxxxxxd0acf866"
}
(kid = the private key ID of the service account)
payload:
{
  "iss": "service-account@xxxxxxxxxxxxxxxxxx.iam.gserviceaccount.com",
  "sub": "service-account@xxxxxxxxxxxxxxxxxx.iam.gserviceaccount.com",
  "aud": "https://arcore.googleapis.com/",
  "exp": 1726302582,
  "iat": 1726298982
}
(iss and sub = the service account email; aud = access to the ARCore API)
Just in case somebody stumbles over a similar issue in the future :)
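The following Go program is an added example, not code from the question or the answer above and not Google's client library. It mints exactly the token the answer describes (RS256, kid = private_key_id, iss = sub = client_email, aud = https://arcore.googleapis.com/, iat/exp one hour apart) from the fields of the downloaded service-account JSON, and pairs it with a local verifier that performs the checks the API side would make, so you can see why a token is rejected before trying it against SetAuthToken. The function names, the example-project e-mail and key ID, and the run-time-generated RSA key are all assumptions for the demo; Google's documented one-hour cap on self-signed JWT lifetime is enforced in MintSelfSignedJWT. Note for practitioners: the service account private key should stay on a backend you control and the iOS app should fetch the short-lived JWT from there; the JSON key file itself must never ship inside the app bundle.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"strings"
	"time"
)

// ARCoreAudience is the "aud" value the answer above found to work.
const ARCoreAudience = "https://arcore.googleapis.com/"

// ServiceAccount mirrors the fields of the downloaded service-account JSON that
// the self-signed JWT needs (struct tags match Google's file format).
type ServiceAccount struct {
	ClientEmail  string `json:"client_email"`
	PrivateKeyID string `json:"private_key_id"`
	PrivateKey   string `json:"private_key"` // PEM-encoded PKCS#8 RSA key
}

// Claims is the payload from the answer; iat and exp are Unix seconds.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

var enc = base64.RawURLEncoding // JWT segments are unpadded base64url

// MintSelfSignedJWT builds header.payload.signature as the answer describes:
// RS256, kid = private_key_id, iss = sub = client_email, aud = ARCoreAudience.
// Google rejects self-signed JWTs that live longer than one hour, so ttl is capped.
func MintSelfSignedJWT(sa ServiceAccount, now time.Time, ttl time.Duration) (string, error) {
	if ttl <= 0 || ttl > time.Hour {
		return "", errors.New("ttl must be between 0 and 1h")
	}
	block, _ := pem.Decode([]byte(sa.PrivateKey))
	if block == nil {
		return "", errors.New("private_key is not PEM")
	}
	parsed, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	key, ok := parsed.(*rsa.PrivateKey)
	if err != nil || !ok {
		return "", errors.New("private_key is not a PKCS#8 RSA key")
	}
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": sa.PrivateKeyID})
	pl, _ := json.Marshal(Claims{Iss: sa.ClientEmail, Sub: sa.ClientEmail, Aud: ARCoreAudience,
		Iat: now.Unix(), Exp: now.Add(ttl).Unix()})
	signingInput := enc.EncodeToString(hdr) + "." + enc.EncodeToString(pl)
	digest := sha256.Sum256([]byte(signingInput)) // RS256 = RSASSA-PKCS1-v1_5 over SHA-256
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return signingInput + "." + enc.EncodeToString(sig), err
}

// VerifySelfSignedJWT applies the relying party's checks: RS256 only (no "alg"
// downgrade), signature over header.payload, then iss/sub, aud and lifetime.
func VerifySelfSignedJWT(token string, pub *rsa.PublicKey, now time.Time) (Claims, error) {
	var c Claims
	var hdr struct{ Alg string } // encoding/json matches "alg" case-insensitively
	parts := strings.Split(token, ".")
	raw, err := enc.DecodeString(parts[0])
	if len(parts) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return c, errors.New("not a three-segment RS256 token")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	sig, err := enc.DecodeString(parts[2])
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return c, errors.New("bad signature")
	}
	if raw, err = enc.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return c, errors.New("payload is not valid JSON")
	}
	if c.Iss == "" || c.Iss != c.Sub || c.Aud != ARCoreAudience ||
		c.Exp-c.Iat > 3600 || now.Unix() < c.Iat || now.Unix() >= c.Exp {
		return c, errors.New("claims rejected: iss/sub, aud or lifetime")
	}
	return c, nil
}

// NewTestServiceAccount fabricates a record with a freshly generated RSA key so
// the example runs offline (constructed for the demo; not a real Google key).
func NewTestServiceAccount() (ServiceAccount, *rsa.PublicKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // only fails if rand.Reader fails
	der, _ := x509.MarshalPKCS8PrivateKey(key)
	return ServiceAccount{
		ClientEmail:  "service-account@example-project.iam.gserviceaccount.com",
		PrivateKeyID: "demo-private-key-id",
		PrivateKey:   string(pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})),
	}, &key.PublicKey
}
```

In a real deployment you would json.Unmarshal the downloaded key file into ServiceAccount on the backend, call MintSelfSignedJWT with time.Now() and a ttl of at most one hour, and return the resulting string to the app, which passes it unchanged to SetAuthToken before HostCloudAnchorAsync. The verifier deliberately refuses anything but alg RS256, so a header rewritten to "none" or a payload edited after signing is rejected before the claims are even read.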