Google Sign-in OAuth, backend server authentication and tokens daily limit


I have a game app that is going to be released on Google Play in 2-3 weeks that uses Google sign-in to authenticate users. So, I created a web client ID, linked the project and set up the login environment.

I use Google API from client, get tokenID from Google response, send tokenID to my backend server, verify token and finally get the Google user id from the 'sub' field of the Google json token.

At this point, if the user is a new user I create a new record in my db, if the user already exists I fetch info from that user and authenticate his login.

This is essentially the flow I use to authenticate users at every app start.

From Google API Console / Cloud Platform, I verified my app in the OAuth Consent Screen section and I noticed a rate limit of 100 tokens per minute or 10.000 per day.

So the problem is: looking at current pre-registrations I expect on release day at least 20.000 user sign-ins. I don't use any sensitive or restricted scope, only Google sign-in and Google Play Games base scopes. Is that limit dangerous for me? Will users get error 403 limit exceeded in my case? Or does this limit apply only to restricted scopes?

The fastest solution I found is to implement a guest sign-in to prevent users from not being able to sign-in.

Thanks a lot in advance for your support. I'm up for any question or clarification.
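The backend half of the flow described above, as an added example that is not code from the question: the signature check is delegated to google-auth's `verify_oauth2_token` (an assumption, injectable so it can be replaced), after which the claims that matter to the backend (`iss`, `aud`, `exp`, `sub`) are validated and the user is fetched or created by the stable `sub` value. `WEB_CLIENT_ID` and the in-memory `users` dict are constructed placeholders for the real client ID and database.

```python
"""Backend verification of a Google ID token, then lookup/creation by `sub`."""
import time

# Constructed placeholder; a real deployment uses its own web client ID.
WEB_CLIENT_ID = "123456789-example.apps.googleusercontent.com"
GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}


class InvalidToken(Exception):
    """Raised when the token must not be accepted for sign-in."""


def check_claims(claims, client_id, now=None):
    """Validate claims of an already signature-checked ID token; return `sub`."""
    now = time.time() if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise InvalidToken("wrong issuer")
    if claims.get("aud") != client_id:  # token was minted for another app
        raise InvalidToken("audience mismatch")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise InvalidToken("expired")
    sub = claims.get("sub")  # stable per-user id; email may change, sub does not
    if not sub:
        raise InvalidToken("missing sub")
    return sub


def sign_in(id_token, client_id, users, decode=None, now=None):
    """Verify `id_token` and return (user_record, created).

    `users` stands in for the database table keyed by Google `sub`.
    `decode` verifies the signature and returns the claims dict; by default
    google-auth does that (assumed: pip install google-auth)."""
    if decode is None:
        from google.auth.transport import requests as greq
        from google.oauth2 import id_token as gid

        def decode(tok):
            return gid.verify_oauth2_token(tok, greq.Request(), client_id)
    claims = decode(id_token)
    sub = check_claims(claims, client_id, now)
    if sub in users:  # returning user: authenticate against the stored record
        return users[sub], False
    users[sub] = {"google_sub": sub, "name": claims.get("name"),
                  "created": time.time() if now is None else now}
    return users[sub], True
```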


There are 1 answers

Shafiq I On

To keep users and Google products safe from abuse, applications that use OAuth and Google Identity have certain quota restrictions based on the risk level of the OAuth scopes an app uses. These limits include the following:

-- A new user authorization rate limit that limits how quickly your application can get new users.

-- A total new user cap. To learn more, see the Unverified apps [1] page.

When an application exceeds the rate limit the user will get: Error 403: rate_limit_exceeded; please see the relevant screenshot in [3].

As suggested, if we see via the Google API console that an application will reach the rate limit soon (which seems expected from your comment), or see this error being displayed, we should take action to improve the application's user experience: request a rate limit quota increase for the application by following the link [2]. Please see the documentation [3] for a detailed explanation of your concern.

[1] https://support.google.com/cloud/answer/7454865

[2] https://support.google.com/code/contact/oauth_quota_increase

[3] https://support.google.com/cloud/answer/9028764?hl=en