Google Oauth2 verifyIdToken return invalid token signature with valid id_token

5
votes

I'm trying to work with the php client of google Oauth2 api to validate an id_token. The id_token is provided by a javascript app on which the user login his google account, and i'm givin this token to my php api server, in order to validate it and retrieve the right informations from my bdd.

The login in javascript is successfull and the access and id_token seems right, but when I try to verify it with Google_Client->verifyIdToken()

$client = new Google_Client();
$ticket = $client->verifyIdToken(myToken);

, it return an invalid token signature exception (fail when trying to use the google cert to valid the token).

My first assumption was to think the token is not valid, so to make sur it is, i submited it to google validation url https://www.googleapis.com/oauth2/v1/tokeninfo?id_token=token

it return user info, so my token seems to be valid : 

{
issuer: "accounts.google.com",
issued_to: "id",
audience: "id",
user_id: "id",
expires_in: 2149,
issued_at: 1397636222,
email: "mail",
verified_email: true
}

Tried everything i can think of, but can't solve this one. can someone help me ?

EDIT : I pass it only the id_token wich i get when i authenticate on my javascript app

access_token: "ya ... Es"
authuser: "1"
client_id: "81 ... .apps.googleusercontent.com"
code: "4/9... gI"
cookie_policy: "single_host_origin"
expires_at: "1397723048"
expires_in: "3600"
g-oauth-window: Window
g_user_cookie_policy: "single_host_origin"
hd: "dmic.fr"
id_token: "ey... d8E" <====================================
issued_at: "1397719448"
num_sessions: "2"
prompt: "none"
response_type: "code token id_token gsession"
scope: "https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/plus.me"
session_state: "9 ... 2162..936b"
state: ""
status: Object
token_type: "Bearer"

at some point i also tried to pass the whole access_token to $client->setAccessToken() and call $client->verifyIdToken() with no parameters (extract id_token from acess_token himself) with the same result.

All the code i use is already posted, i also tried to set apikey, client_id, client_secret, with no result

2
google-api-php-client
what exactly are you passing to verifyIdToken? can you post some of the code? - Vinicius Pinto
@ViniciusPinto i edited my post - jbduzan
I just did a small test and it worked fine, not sure what could be going wrong with your code. I'd double check that the id_token PHP is receiving is exactly the same as the one returned by the JS lib. - Vinicius Pinto
i already did that, that exactly the same - jbduzan

2 Answers

1
votes

The parameter you supply to the verifyIdToken function should be an object, not just a token string, but you might want to try a different approach.

Try passing the code property from the Javascript object you posted above into the PHP Client's authenticate function. This should authenticate the user on the server side, and populate the PHP Client object's access token for you. You can then call verifyIdToken with no arguments. Something like this: 

$client = new Google_Client();

// Setup Client Id and secret
...

//Authenticate client with the code posted via javascript
$client->authenticate($code);

// Verify the id token
$verifiedToken = $client->verifyIdToken();

You may also need to update your Google API PHP library, I think they recently changed the format of objects returned from these APIs.

1
votes

I had a similar problem, I've got an "Invalid token signature" error from oauth2client, but it worked with the tokeninfo API call.

In my case it was probably caused by the crypto lib used by oauth2client, as the problem disappeared when I replaced pycrypto 2.6 with pyopenssl 0.15.1. PyCrypto bug maybe?

EDIT: Yep, verified, it's a PyCrypto bug. It has been closed 20 hours ago :D

https://github.com/google/oauth2client/issues/201