com.google.android.gms.auth.GoogleAuthException: getToken(Unknown Source) exception

Question 1

After 2 days of research I found that at the time you register your android application in Google Cloud Console -> your project - > API and auth, it ask you for fingerprint in order to generate ClientID and somehow my fingerprint was wrong (I accidentally added ~$ before this cmd keytool -exportcert -alias androiddebugkey -keystore ~/.android/debug.keystore | openssl sha1) and due to this it was giving me wrong finger print and was the root cause of:

com.google.android.gms.auth.GoogleAuthException: getToken(Unknown Source) exception.

Question 2

After several hours, I found that in your scope string ("audience:server:client_id:...") you have to use the Client ID of the web application, not the android one.

The client ID of the android app is unused. It's only here to link the package name of your android app with your web app.

Question 3

After reading couple of posts on the internet I generated SHA1 fingerprint value of my keystore as

keytool -exportcert -alias android_keystore -keystore android_keystore -list -v | openssl sha1

due to which I was getting that error. If you see the credentials screen in you google developer console it says you need to use

keytool -exportcert -alias android_keystore -keystore android_keystore -list -v

i.e Don't pipe the output to openssl sha1. Not sure what the difference is but both commands give different values.

You will get multiple fingerprints like MD5, SHA1, SHA256 etc. Use SHA1 value.