Google Play Integrity has incompatible dependency

Runtime Framework
1

We want to integrate the google play integrity API into our app and have the verdict processing happening server-side. I’ve tried adding the go client library to our nakama runtime module but it has a dependency with golang.org/x/oauth2 v0.35.0.

I can see that the latest Nakama (3.37.0) is built using golang.org/x/oauth2 v0.34.0

I’m not sure if there is anything I can do on my side to resolve this issue as this dependency is required by the integrity client package | go.mod

Is there anything I can do on my side to resolve this indirect dependency?
Are there any plans in the near future to upgrade Nakama to use v0.35.0 of the oauth2 package?

I assume Nakama implements the integrity API itself (or something very similiar) in order to handle IAP / Subscription validation with Google. We don’t have IAP in our game and only want to validate that the app has been installed legitimately via the Play Store.

  1. Versions: Nakama {v3.37.0}
  2. Server Framework Runtime language Go v1.44.2
plugin was built with a different version of package golang.org/x/oauth2/internal

Thanks in advance!

2

Hi @DWoodhouse22,

Sometimes dependencies between Nakama and the custom plugin can be a bit tricky to line up, this may be especially true for the Google Play SDK, which has a very big dependency tree.

We’ll likely do a dependency bump in one of the next releases which may help with your issue, alternatively you have a few options:

  • Attempt to resolve them with Dependency Pinning.
  • Try to import an older version of the Google SDK which is compatible.
  • Just resort to building the requests yourself and use the stdlib http client against the Google API (not sure how easy or feasible this is, depending on the complexity of auth+request itself and surface of the required APIs); avoiding the dependency altogether.

Hope this helps.