What is the proper way to validate google granted OAuth tokens in a node.js server?

Anton I. Sipos · May 1, 2013 · Viewed 7.4k times

I'm trying to authenticate a mobile application for the Android platform to a custom node.js server api. I would like to use Google OAuth2 tokens for this rather than roll my own authentication, since Android devices with Google Play installed make this available to app developers. I'm using the GoogleAuthUtil.getToken call from the Google Play Services library, documented here. I'm trying to follow the advice outlined in this android developers blog post.

The getToken method is returning in my case a long 857 byte string. If I try to pass this token to Google's TokenInfo endpoint, it returns:

{'error': 'invalid_token', 'error_description': 'Invalid Value'}

What am I doing wrong here? In the 'scope' of the getToken call, I am sending: audience:server:client_id:**i_put_my_clientid_here**. I have a clientid generated for "installed applications". Using this client id, the call to getToken doesn't work at all. When I generated a client id for a "service account", the call succeeds, but I get an 857 byte token that fails when passed to the TokenInfo endpoint as described above.

EDIT: I also created a client id for "web applications", as it appears that is the right client id to use when calling getToken. But the behavior is the same, I get back an 857 byte token that doesn't validate when calling Google's endpoint.

How can I properly get a valid auth token using Google Play services on Android? Once I have the right token, what is the right node.js library to validate it server side? Can I use passport-google-oauth?

Answer

Tim Bray · May 1, 2013

Hm, this is really a comment rather than an answer, but I can’t put newlines in those:

  1. it has to be the web-side Client ID that goes in the put_my_clientid_here spot
  2. if GoogleAuthUtil.getToken() gives you a String without throwing an Exception, it really ought to be valid. When you hit tokeninfo, did you use ...tokeninfo?id_token=<857-byte-value-here>
  3. if you're a rubyist, grab the google-id-token gem and see if it can validate your 857-byte token.