POST request GetPoIntegrityTokenRequest returns no GetPoIntegrityTokenResponse body

[oSumAtrIX]

About

With PR #2129, PoToken (Proof of origin token) support has been introduced to MicroG GmsCore. Apps such as YouTube rely on PoToken to complete API requests successfully. GmsCore implements a POST request and expects GetPoIntegrityTokenResponse to be sent back as the response, but the response body is empty: #1870 (comment). Therefore, apps such as YouTube stop working.

Reproduction

1. Install MicroG GmsCore that has implemented PR supplement and optimize potoken related services #2129
2. Install YouTube and login
3. Observe the logs:

   03-23 02:34:34.418   907  3961 D ChimeraServiceProvider: serviceIntentCall: com.google.android.gms.potokens.service.START -> Intent { act=com.google.android.gms.potokens.service.START pkg=com.google.android.gms cmp=com.google.android.gms/org.microg.gms.potokens.PoTokensService }
   03-23 02:34:34.421   907   907 D PoTokens: onBind: Intent { act=com.google.android.gms.potokens.service.START pkg=com.google.android.gms cmp=com.google.android.gms/org.microg.gms.potokens.PoTokensService }
   03-23 02:34:34.447   907   991 D PoTokens: bound by: GetServiceRequest{serviceId=POTOKENS, gmsVersion=240204000, packageName='com.google.android.youtube', extras=Bundle[{}]}
   03-23 02:34:34.447   907   991 D PoTokens: PoTokensApiService handleServiceRequest
   03-23 02:34:34.492   907   991 D PoTokens: responseStatusToken packageName: com.google.android.youtube
   03-23 02:34:34.493   907   907 D PoTokens: responseStatusToken start
   03-23 02:34:34.493   907   907 D PoTokens: PoTokenHelper postPoTokenForGms start
   03-23 02:34:34.824   907   907 D PoTokens: PoTokenHelper postPoTokenForGms response: GetPoIntegrityTokenResponse{}
   03-23 02:34:34.824   907   907 D PoTokens: PoTokenHelper postPoTokenForGms end
   03-23 02:34:34.824   907   907 D PoTokens: responseStatusToken end
   

4. Observe [com.google.android.youtube] Video playback fails with HTTP error code 403 #1870

Expected behavior

When MicroG GmsCore makes the POST request GetPoIntegrityTokenRequest, GetPoIntegrityTokenResponse is sent back, the response body is not empty.

Ideas to resolve this issue

• Possibly the request is done incorrectly, using a network debugger such as HttpToolkit (on a rooted device it requires no setup) can give insight on a correct request (Screenshots made after resetting GMS app data because it seems they cache the tokens):
  
  

Screenshots

A request made by MicroG GmsCore to get GetPoIntegrityTokenResponse.

A YouTube request with PoToken bytes from Google Services:

With MicroG GmsCore (What is seen here is an error message that is sent when requesting the PoIntegrityToken fails, there are multiple error messages present with different values, each for every kind of error in the app):

System

Android 14, MicroG GmsCore (verified being spoofed)

[mar-v-in]

The request is likely missing a result from DroidGuard, resulting in the server not providing a token. This will happen when device attestation / safetynet is turned off in microG settings or your device is not capable of executing DroidGuard.

DroidGuard and PoToken are mechanisms to detect non-official software, operating systems and devices. microG does include an implementation of them, but will not make efforts to ensure they will think they are running on an official system. It is up to others to do that if necessary. I just verified that on a device that passes SafetyNet, PoToken works as intended and YouTube can play videos just fine.

As this issue seems to be coming from the context of YouTube ReVanced, I'd like to remind that the main purpose of PoToken is to ban unofficial YouTube apps and their users. If you can't play videos in YouTube ReVanced, that means everything works as intended. YouTube ReVanced and ReVanced in general are not supported or endorsed by microG.