How to obtain a Google Identity Service (GIS) ID Token?
Dear team,
I got an email telling me to migrate from the old Google Sign In library to the new Google Identity Services. I’m having a hard time with it. I posted this same question on Stack Overflow. In chat, a Google Developer Expert for Identity Platform recommended that I ask my question here. So here it is:
Previously, I did (simplified for clarity):
<script src="https://apis.google.com/js/api:client.js"></script>
gapi.load();
var auth2 = gapi.auth2.init();
auth2.attachClickHandler();
onGoogleSignIn(googleUser); // attachClickHandler's callback
var profile = googleUser.getBasicProfile(); // profile info accessible
var authResponse = googleUser.getAuthResponse(); // auth response accessible
var accessToken = authResponse.id_token; // get actual access token
(I know what you’re thinking. Why is this guy putting an id token in a variable named access token?
It’s because I didn’t know any better at the time I was building this code. With Facebook’s sign in lib, I get an access token, which I use to retrieve the user’s email and name. I built Google sign in, thinking it would work the exact same way. I thought the id token was the access token, at the time of development. So bear with me, please.)
Now, I’m trying (simplified for clarity):
<script src="https://accounts.google.com/gsi/client"></script>
var gisClient = google.accounts.oauth2.initTokenClient();
gisClient.requestAccessToken();
callback(); // initTokenClient's callback
var accessToken = response.access_token; // get access token in callback
With the old google sign in library, I validated the access (id) token server side as such:
Payload payload = await GoogleJsonWebSignature.ValidateAsync(accessToken);
This also returned the user’s email and name in the payload.
The access/id token I am getting back from GIS is much shorter than the old one from GAPI.
An online token debugger tells me it’s not a valid JWT token.
The ValidateAsync method throws an exception:
JWT must consist of Header, Payload, and Signature
No surprise, considering it’s not a valid JWT token.
I also tried the following call:
Payload payload = await JsonWebSignature.VerifySignedTokenAsync(AccessToken, options);
Same result.
The official documentation doesn’t say how to validate this token server side for C# / .NET.
The library doc page has a .NET link, but it does not contain useful info like, for example, the Java link does.
There’s another doc page telling me to go for Google Sign In SDK in case I only need email/profile. But that’s precisely the obsolete lib I’m trying to migrate from. Very confusing.
What can I do to get server side id/access token validation (and retrieval of email + profile) working with Google Identity Services?
Thanks in advance for your time.
Sincerely,
Jay
Issue Analytics
- Created a year ago
- Comments: 18 (3 by maintainers)
Top GitHub Comments
Hi @joshdance, I’ve already found my solution a little while ago, but thanks for the added info.
I ended up retrieving an ID token, instead of an access token. The ID token can be verified as I always did. The ID token also contains all the info that I needed. No access token required.
Found this thread while searching for how to get a GIS ID token.
Saw the thread also has questions about how to validate a GIS ID token with Node.
This article lays it out. I haven’t tried it personally, but it may help others who find this. https://developers.google.com/identity/gsi/web/guides/verify-google-id-token
Biggest change I can see is that authentication and authorization are now separate, which could be the reason why the tokens being returned are now different. https://developers.google.com/identity/gsi/web/guides/overview#separated_authentication_and_authorization_moments
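The resolution in this thread is to send an ID token to the server instead of an access token. As an added illustration (not code from the issue or from Google's libraries), the Node.js sketch below walks through the checks applied to an ID token (three-part structure, RS256 signature, `iss`, `aud`, `exp`) and shows an opaque access token failing at the first one. The key pair, tokens, client ID and the helper names `verifyIdToken`, `signSample` and `reasonFor` are constructed for the example.

```javascript
const crypto = require('crypto');

// base64url helpers; Node's 'base64' decoder also accepts the URL-safe alphabet.
const b64url = (buf) => Buffer.from(buf).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const fromB64url = (s) => Buffer.from(s, 'base64');

const GOOGLE_ISSUERS = ['accounts.google.com', 'https://accounts.google.com'];

// Returns the claims of a correctly signed, unexpired ID token issued for
// `clientId`; throws otherwise. `publicKey` stands in for the key a real
// verifier selects from Google's published signing keys (assumption).
function verifyIdToken(token, publicKey, clientId, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('not a JWT: opaque access tokens fail here');
  const [h, p, sig] = parts;
  const header = JSON.parse(fromB64url(h).toString('utf8'));
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const signed = Buffer.from(`${h}.${p}`);
  if (!crypto.verify('RSA-SHA256', signed, publicKey, fromB64url(sig))) throw new Error('bad signature');
  const claims = JSON.parse(fromB64url(p).toString('utf8'));
  if (!GOOGLE_ISSUERS.includes(claims.iss)) throw new Error('wrong issuer');
  if (claims.aud !== clientId) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) throw new Error('expired');
  return claims;
}

// Constructed fixtures: a throwaway key pair and a locally signed sample token.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
function signSample(claims) {
  const head = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(claims));
  const sig = crypto.sign('RSA-SHA256', Buffer.from(`${head}.${body}`), privateKey);
  return `${head}.${body}.${b64url(sig)}`;
}

const CLIENT_ID = 'example-client-id.apps.googleusercontent.com'; // placeholder
const NOW = 1700000000; // fixed clock so the sample is reproducible
const idToken = signSample({ iss: 'https://accounts.google.com', aud: CLIENT_ID,
  exp: NOW + 3600, email: 'user@example.com', name: 'Example User' });
const opaqueAccessToken = 'constructed-opaque-access-token'; // not a real token

// Returns 'ok' or the reason the token was rejected.
function reasonFor(token, clientId = CLIENT_ID, nowSec = NOW) {
  try { verifyIdToken(token, publicKey, clientId, nowSec); return 'ok'; }
  catch (e) { return e.message; }
}

console.log(reasonFor(idToken), '|', reasonFor(opaqueAccessToken));
```

In production these checks are performed by the verification library, such as the `GoogleJsonWebSignature.ValidateAsync` call shown in the issue, which needs the ID token as input.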