I have implementing the Android Google authentication using google.android.gms.auth.
In the setting for GoogleSignInOptions I used till now requestIdToken, with the understanding that this implements OAuth2 Authorization Code flow. This means that it should be using what is known in OAuth2 RFC as response_type=code, code-based that later is validated in the backed.
But digging more into this, I just saw that there is another option requestServerAuthCode, and by looking at it is closer to what I thought I am doing.
Which of these achieves OAuth2 Authorization Code Flow?
Thanks!
With the ID token flow, you're only using Google Sign In to obtain the identity of the user. See https://android-developers.googleblog.com/2016/01/using-google-sign-in-with-your-server.html.
To use authorization codes, typically with your server, see https://android-developers.googleblog.com/2016/02/using-credentials-between-your-server.html