According to the implementation guide and common sense, I'd like to verify the JWT token issued to a user who has logged in to my site through the Google Identity Toolkit, to prevent forgery and... just in case.
A POST request through cURL (code below) to https://www.googleapis.com/identitytoolkit/v3/relyingparty/getAccountInfo containing the idToken (string), localId (list) and email (list) should suffice. My application uses as a local id the tokenId issued by the IDSP.
However, this is what I get:
Error: call to URL https://www.googleapis.com/identitytoolkit/v3/relyingparty/getAccountInfo?key=MyAPIKey failed with status 500, response { "error": { "code": 500, "message": null } } , curl_error , curl_errno 0
And frankly, I'm at an utter loss: my Google-fu only turned up logging out and back in, but unsurprisingly it hasn't solved the issue.
Of further concern is the necessity of fetching the user display name and image, through the same relyingparty.
Code
```php
function verifytoken($data){
    $url = "https://www.googleapis.com/identitytoolkit/v3/relyingparty/getAccountInfo?key=MyAPIKey";
    var_dump($data);
    $content = json_encode($data);
    $curl = curl_init($url);
    curl_setopt($curl, CURLOPT_HEADER, false);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($curl, CURLOPT_HTTPHEADER,
        array("Content-type: application/json"));
    curl_setopt($curl, CURLOPT_POST, true);
    curl_setopt($curl, CURLOPT_POSTFIELDS, $content);
    $json_response = curl_exec($curl);
    $status = curl_getinfo($curl, CURLINFO_HTTP_CODE);
    // getAccountInfo returns HTTP 200 on success, not 201
    if ( $status != 200 ) {
        die("Error: call to URL $url failed with status $status, response $json_response, curl_error " . curl_error($curl) . ", curl_errno " . curl_errno($curl));
    }
    curl_close($curl);
    $response = json_decode($json_response, true);
    var_dump($response);
    return $response;
}
$tok=array('idToken'=>$gitkitUser->getUserId(),'localId'=>array($gitkitUser->getUserId()),'email'=>array($gitkitUser->getEmail()));
verifytoken($tok);
```
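As an added example (not the asker's code), here is a getAccountInfo call written the way a server-side token check should look: it posts only the raw ID token, treats HTTP 200 as success, binds the verified account to the session's expected localId, and pulls displayName and photoUrl out of the same response. It assumes `$apiKey` is your browser API key, `$idToken` is the raw JWT string (for Gitkit, the value of the `gtoken` cookie rather than the user id), and `$expectedLocalId` is whatever id your app stored for the session.

```php
<?php
// Added example, not the asker's code. Assumptions: $apiKey is the browser
// API key, $idToken is the raw Gitkit JWT (the "gtoken" cookie value, not the
// user id), $expectedLocalId is the id the app stored for this session.
function gitkitVerifyIdToken(string $apiKey, string $idToken, string $expectedLocalId): array
{
    $url = 'https://www.googleapis.com/identitytoolkit/v3/relyingparty/getAccountInfo?key='
         . rawurlencode($apiKey);
    $curl = curl_init($url);
    curl_setopt_array($curl, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => json_encode(['idToken' => $idToken]), // idToken alone suffices
        CURLOPT_HTTPHEADER     => ['Content-Type: application/json'],
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,  // never disable: this response decides who is logged in
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body   = curl_exec($curl);
    $status = curl_getinfo($curl, CURLINFO_HTTP_CODE);
    $err    = curl_error($curl);
    curl_close($curl);

    // Success is HTTP 200 (not 201). Do not echo $url in the error message:
    // it carries the API key.
    if ($body === false || $status !== 200) {
        throw new RuntimeException("getAccountInfo failed: HTTP $status $err");
    }
    $data = json_decode($body, true);
    if (!is_array($data) || empty($data['users'][0]['localId'])) {
        throw new RuntimeException('getAccountInfo returned no user for this token');
    }
    $user = $data['users'][0];

    // Bind the token to the session: the account Google verified must be the
    // one the app believes is logged in, otherwise a valid token for account A
    // could be presented inside account B's session.
    if (!hash_equals($expectedLocalId, $user['localId'])) {
        throw new RuntimeException('token belongs to a different account');
    }
    // Profile fields come back in the same response; no second call needed.
    return [
        'localId'     => $user['localId'],
        'email'       => $user['email'] ?? null,
        'displayName' => $user['displayName'] ?? null,
        'photoUrl'    => $user['photoUrl'] ?? null,
    ];
}
```

Log the exception message server-side only; returning it to the browser would reveal the key-bearing URL or the raw upstream body.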