How can I verify a Google authentication API access token

Question

How can I verify a Google authentication access token   I need to somehow query Google and ask  Is  given access token  valid for the  example example com  Google account   Short version  It s clear how an access token supplied through the Google Authentication Api    OAuth Authentication for Web Applications can be used to then request data from a range of Google services  It is not clear how to check if a given access token is valid for a given Google account  I d like to know how   Long version  I m developing an API that uses token-based authentication  A token will be returned upon provision of a valid username password or upon provision of a third-party token from any one of N verifiable services   One of the third-party services will be Google  allowing a user to authenticate against my service using their Google account  This will later be extended to include Yahoo accounts  trusted OpenID providers and so on   Schematic example of Google-based access   alt text http   webignition net images figures auth figure002 png  The  API  entity is under my full control  The  public interface  entity is any web- or desktop-based app  Some public interfaces are under my control  others will not be and others still I may never even know about   Therefore I cannot trust the token supplied to the API in step 3  This will be supplied along with the corresponding Google account email address   I need to somehow query Google and ask  Is this access token valid for example example com   In this case  example example com is the Google account unique identifier - the email address someone uses to log in to their Google account  This cannot be assumed to be a Gmail address - someone can have a Google account without having a Gmail account   The Google documentation clearly states how  with an access token  data can be retrieved from a number of Google services  Nothing seems to state how you can check if a given access token is valid in the first place   Update The token is valid for N Google services  I can t try a token against a Google service as means of verifying it as I won t know which subset of all Google s services a given user actually uses   Furthermore  I ll never be using the Google authentication access token to access any Google services  merely as a means of verifying a supposed Google user actually is who they say they are  If there is another way of doing this I m happy to try

User · Answer

function authenticate google OAuthtoken  user id         access token     google get user token  user id      get existing token from DB      redirecturl       Google Permissions- gt redirecturl       client id         Google Permissions- gt client id       client secret     Google Permissions- gt client secret       redirect uri      Google Permissions- gt redirect uri       max results       Google Permissions- gt max results        url    https   www googleapis com oauth2 v1 tokeninfo access token    access token       response contacts     curl get responce contents  url        response        json decode  response contacts         if isset  response- gt issued to                 return true            else if isset  response- gt error                 return false

User · Answer

I need to somehow query Google and ask  Is this access token valid for example example com    No  All you need is request standard login with Federated Login for Google Account Users from your API domain  And only after that you could compare  persistent user ID  with one you have from  public interface       The value of realm is used on the Google Federated Login page to identify the requesting site to the user  It is also used to determine the value of the persistent user ID returned by Google    So you need be from same domain as  public interface    And do not forget that user needs to be sure that your API could be trusted    So Google will ask user if it allows you to check for his identity

User · Answer

Ok  most answers are valid but not quite right  The idea of JWT is that you can validate the token without the need to contact the issuer everytime  You must check the id and verify the signature of the token with the known public key of the certificate google used to sign the token   See the next post why and how to do this    http   ncona com 2015 02 consuming-a-google-id-token-from-a-server

User · Answer

you can verify a Google authentication access token by using this endpoint   https   www googleapis com oauth2 v3 tokeninfo access token  lt access token gt    This is Google V3 OAuth AccessToken validating endpoint  you can refer from google document below   In OAUTH 2 0 ENDPOINTS Tab   https   developers google com identity protocols OAuth2UserAgent validate-access-token

User · Answer

Ok  most answers are valid but not quite right  The idea of JWT is that you can validate the token without the need to contact the issuer everytime  You must check the id and verify the signature of the token with the known public key of the certificate google used to sign the token   See the next post why and how to do this    http   ncona com 2015 02 consuming-a-google-id-token-from-a-server

User · Answer

For user check  just post get the access token as accessToken and post it and get the response  https   www googleapis com oauth2 v1 tokeninfo access token accessToken   you can try in address bar in browsers too  use httppost and response in java also  response will be like           issued to    xxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx apps googleusercontent com         audience    xxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxx apps googleusercontent com         user id    xxxxxxxxxxxxxxxxxxxxxxx         scope    https   www googleapis com auth userinfo profile https   gdata youtube com         expires in   3340        access type    offline          The scope is the given permission of the accessToken  you can check the scope ids in this link  Update  New API post as below  https   oauth2 googleapis com tokeninfo id token XYZ123   Response will be as         These six fields are included in all Google ID Tokens    iss    https   accounts google com     sub    110169484474386276334     azp    1008719970978-hb24n2dstb40o45d4feuo2ukqmcc6381 apps googleusercontent com     aud    1008719970978-hb24n2dstb40o45d4feuo2ukqmcc6381 apps googleusercontent com     iat    1433978353     exp    1433981953        These seven fields are only included when the user has granted the  profile  and      email  OAuth scopes to the application    email    testuser gmail com     email verified    true     name     Test User     picture    https   lh4 googleusercontent com -kYgzyAWpZzJ ABCDEFGHI AAAJKLMNOP tIXL9Ir44LE s99-c photo jpg     given name    Test     family name    User     locale    en      For more info  https   developers google com identity sign-in android backend-auth

User · Answer

As per Google s documentation  you should use Google s AP Client Library that makes this  token verification  claim extraction etc   much easier than writing your own custom code   From a performance perspective  the token should be parsed locally without making a call to Google again  Off-course Google s public key is needed and retrieval of that key is done using a caching strategy  implemented in the Google s client library from  1 above   FYI only  Google also uses a JWT token  See image below for reference

User · Answer

I need to somehow query Google and ask  Is this access token valid for example example com    No  All you need is request standard login with Federated Login for Google Account Users from your API domain  And only after that you could compare  persistent user ID  with one you have from  public interface       The value of realm is used on the Google Federated Login page to identify the requesting site to the user  It is also used to determine the value of the persistent user ID returned by Google    So you need be from same domain as  public interface    And do not forget that user needs to be sure that your API could be trusted    So Google will ask user if it allows you to check for his identity

User · Answer

For user check  just post get the access token as accessToken and post it and get the response  https   www googleapis com oauth2 v1 tokeninfo access token accessToken   you can try in address bar in browsers too  use httppost and response in java also  response will be like           issued to    xxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx apps googleusercontent com         audience    xxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxx apps googleusercontent com         user id    xxxxxxxxxxxxxxxxxxxxxxx         scope    https   www googleapis com auth userinfo profile https   gdata youtube com         expires in   3340        access type    offline          The scope is the given permission of the accessToken  you can check the scope ids in this link  Update  New API post as below  https   oauth2 googleapis com tokeninfo id token XYZ123   Response will be as         These six fields are included in all Google ID Tokens    iss    https   accounts google com     sub    110169484474386276334     azp    1008719970978-hb24n2dstb40o45d4feuo2ukqmcc6381 apps googleusercontent com     aud    1008719970978-hb24n2dstb40o45d4feuo2ukqmcc6381 apps googleusercontent com     iat    1433978353     exp    1433981953        These seven fields are only included when the user has granted the  profile  and      email  OAuth scopes to the application    email    testuser gmail com     email verified    true     name     Test User     picture    https   lh4 googleusercontent com -kYgzyAWpZzJ ABCDEFGHI AAAJKLMNOP tIXL9Ir44LE s99-c photo jpg     given name    Test     family name    User     locale    en      For more info  https   developers google com identity sign-in android backend-auth

User · Answer

Try making an OAuth-authenticated request using your token to https   www google com accounts AuthSubTokenInfo   This is only documented to work for AuthSub  but it works for OAuth too   It won t tell you which user the token is for  but it will tell you which services it s valid for  and the request will fail if the token is invalid or has been revoked

User · Answer

function authenticate google OAuthtoken  user id         access token     google get user token  user id      get existing token from DB      redirecturl       Google Permissions- gt redirecturl       client id         Google Permissions- gt client id       client secret     Google Permissions- gt client secret       redirect uri      Google Permissions- gt redirect uri       max results       Google Permissions- gt max results        url    https   www googleapis com oauth2 v1 tokeninfo access token    access token       response contacts     curl get responce contents  url        response        json decode  response contacts         if isset  response- gt issued to                 return true            else if isset  response- gt error                 return false

User · Answer

Try making an OAuth-authenticated request using your token to https   www google com accounts AuthSubTokenInfo   This is only documented to work for AuthSub  but it works for OAuth too   It won t tell you which user the token is for  but it will tell you which services it s valid for  and the request will fail if the token is invalid or has been revoked

User · Answer

As per Google s documentation  you should use Google s AP Client Library that makes this  token verification  claim extraction etc   much easier than writing your own custom code   From a performance perspective  the token should be parsed locally without making a call to Google again  Off-course Google s public key is needed and retrieval of that key is done using a caching strategy  implemented in the Google s client library from  1 above   FYI only  Google also uses a JWT token  See image below for reference

User · Answer

Here s an example using Guzzle           param string  accessToken JSON-encoded access token as returned by  Google Client- gt getAccessToken   or raw access token     return array false False if token is invalid or array in the form        array         issued to    gt   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx apps googleusercontent com         audience    gt   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx apps googleusercontent com         scope    gt   https   www googleapis com auth calendar         expires in    gt  3350        access type    gt   offline            public static function tokenInfo  accessToken        if  strlen  accessToken             return false             if  accessToken 0                      accessToken   json decode  accessToken - gt access token              guzzle   new  GuzzleHttp Client         try            resp    guzzle- gt get  https   www googleapis com oauth2 v1 tokeninfo                  query    gt    access token    gt   accessToken                     catch ClientException  ex            return false             return  resp- gt json

User · Answer

Google oauth code flow response in addition to access token also returns id token that contains useful for validation info in encrypted form      One thing that makes ID tokens useful is that fact that you can pass   them around different components of your app  These components can use   an ID token as a lightweight authentication mechanism authenticating   the app and the user  But before you can use the information in the ID   token or rely on it as an assertion that the user has authenticated    you must validate it       Validation of an ID token requires several steps      Verify that the ID token is a JWT which is properly signed with an appropriate Google public key   Verify that the value of aud in the ID token is equal to your app   s client ID   Verify that the value of iss in the ID token is equal to accounts google com or https   accounts google com   Verify that the expiry time  exp  of the ID token has not passed   If you passed a hd parameter in the request  verify that the ID token has a hd claim that matches your Google Apps hosted domain    https   developers google com identity protocols OpenIDConnect validatinganidtoken link has code samples for validation of ID tokens   See also https   security stackexchange com questions 37818 why-use-openid-connect-instead-of-plain-oauth

User · Answer

I need to somehow query Google and ask  Is this access token valid for example example com    No  All you need is request standard login with Federated Login for Google Account Users from your API domain  And only after that you could compare  persistent user ID  with one you have from  public interface       The value of realm is used on the Google Federated Login page to identify the requesting site to the user  It is also used to determine the value of the persistent user ID returned by Google    So you need be from same domain as  public interface    And do not forget that user needs to be sure that your API could be trusted    So Google will ask user if it allows you to check for his identity

User · Answer

you can verify a Google authentication access token by using this endpoint   https   www googleapis com oauth2 v3 tokeninfo access token  lt access token gt    This is Google V3 OAuth AccessToken validating endpoint  you can refer from google document below   In OAUTH 2 0 ENDPOINTS Tab   https   developers google com identity protocols OAuth2UserAgent validate-access-token

User · Answer

I need to somehow query Google and ask  Is this access token valid for example example com    No  All you need is request standard login with Federated Login for Google Account Users from your API domain  And only after that you could compare  persistent user ID  with one you have from  public interface       The value of realm is used on the Google Federated Login page to identify the requesting site to the user  It is also used to determine the value of the persistent user ID returned by Google    So you need be from same domain as  public interface    And do not forget that user needs to be sure that your API could be trusted    So Google will ask user if it allows you to check for his identity

User · Answer

An arbitrary OAuth access token can t be used for authentication  because the meaning of the token is outside of the OAuth Core spec   It could be intended for a single use or narrow expiration window  or it could provide access which the user doesn t want to give   It s also opaque  and the OAuth consumer which obtained it might never have seen any type of user identifier   An OAuth service provider and one or more consumers could easily use OAuth to provide a verifiable authentication token  and there are proposals and ideas to do this out there  but an arbitrary service provider speaking only OAuth Core can t provide this without other co-ordination with a consumer   The Google-specific AuthSubTokenInfo REST method  along with the user s identifier  is close  but it isn t suitable  either  since it could invalidate the token  or the token could be expired   If your Google ID is an OpenId identifier  and your  public interface  is either a web app or can call up the user s browser  then you should probably use Google s OpenID OP   OpenID consists of just sending the user to the OP and getting a signed assertion back  The interaction is solely for the benefit of the RP  There is no long-lived token or other user-specific handle which could be used to indicate that a RP has successfully authenticated a user with an OP   One way to verify a previous authentication against an OpenID identifier is to just perform authentication again  assuming the same user-agent is being used  The OP should be able to return a positive assertion without user interaction  by verifying a cookie or client cert  for example   The OP is free to require another user interaction  and probably will if the authentication request is coming from another domain  my OP gives me the option to re-authenticate this particular RP without interacting in the future    And in Google s case  the UI that the user went through to get the OAuth token might not use the same session identifier  so the user will have to re-authenticate   But in any case  you ll be able to assert the identity

User · Answer

An arbitrary OAuth access token can t be used for authentication  because the meaning of the token is outside of the OAuth Core spec   It could be intended for a single use or narrow expiration window  or it could provide access which the user doesn t want to give   It s also opaque  and the OAuth consumer which obtained it might never have seen any type of user identifier   An OAuth service provider and one or more consumers could easily use OAuth to provide a verifiable authentication token  and there are proposals and ideas to do this out there  but an arbitrary service provider speaking only OAuth Core can t provide this without other co-ordination with a consumer   The Google-specific AuthSubTokenInfo REST method  along with the user s identifier  is close  but it isn t suitable  either  since it could invalidate the token  or the token could be expired   If your Google ID is an OpenId identifier  and your  public interface  is either a web app or can call up the user s browser  then you should probably use Google s OpenID OP   OpenID consists of just sending the user to the OP and getting a signed assertion back  The interaction is solely for the benefit of the RP  There is no long-lived token or other user-specific handle which could be used to indicate that a RP has successfully authenticated a user with an OP   One way to verify a previous authentication against an OpenID identifier is to just perform authentication again  assuming the same user-agent is being used  The OP should be able to return a positive assertion without user interaction  by verifying a cookie or client cert  for example   The OP is free to require another user interaction  and probably will if the authentication request is coming from another domain  my OP gives me the option to re-authenticate this particular RP without interacting in the future    And in Google s case  the UI that the user went through to get the OAuth token might not use the same session identifier  so the user will have to re-authenticate   But in any case  you ll be able to assert the identity

User · Answer

Here s an example using Guzzle           param string  accessToken JSON-encoded access token as returned by  Google Client- gt getAccessToken   or raw access token     return array false False if token is invalid or array in the form        array         issued to    gt   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx apps googleusercontent com         audience    gt   xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx apps googleusercontent com         scope    gt   https   www googleapis com auth calendar         expires in    gt  3350        access type    gt   offline            public static function tokenInfo  accessToken        if  strlen  accessToken             return false             if  accessToken 0                      accessToken   json decode  accessToken - gt access token              guzzle   new  GuzzleHttp Client         try            resp    guzzle- gt get  https   www googleapis com oauth2 v1 tokeninfo                  query    gt    access token    gt   accessToken                     catch ClientException  ex            return false             return  resp- gt json

User · Answer

Google oauth code flow response in addition to access token also returns id token that contains useful for validation info in encrypted form      One thing that makes ID tokens useful is that fact that you can pass   them around different components of your app  These components can use   an ID token as a lightweight authentication mechanism authenticating   the app and the user  But before you can use the information in the ID   token or rely on it as an assertion that the user has authenticated    you must validate it       Validation of an ID token requires several steps      Verify that the ID token is a JWT which is properly signed with an appropriate Google public key   Verify that the value of aud in the ID token is equal to your app   s client ID   Verify that the value of iss in the ID token is equal to accounts google com or https   accounts google com   Verify that the expiry time  exp  of the ID token has not passed   If you passed a hd parameter in the request  verify that the ID token has a hd claim that matches your Google Apps hosted domain    https   developers google com identity protocols OpenIDConnect validatinganidtoken link has code samples for validation of ID tokens   See also https   security stackexchange com questions 37818 why-use-openid-connect-instead-of-plain-oauth

[web-services] How can I verify a Google authentication API access token?

Examples related to web-services

Examples related to api

Examples related to oauth

Examples related to google-oauth

Examples related to google-authentication