It sounds like you're on the right track with your configuration, especially by verifying the WEB_CLIENT_ID and the OAuth consent screen. Just to confirm, are you explicitly requesting the email and profile scopes when setting up your GetSignInWithGoogleOption or GetCredentialRequest? If these scopes aren't included, the ID token might not contain the email claim. Also, make sure your backend verifies the token using the same WEB_CLIENT_ID.