How to identify a Google OAuth2 user?

login google-api oauth-2.0
Nathan H picture Nathan H · Nov 29, 2011 · Viewed 57.1k times · Source

I used Facebook login to identify users. When a new user comes, I store their userID in my database. Next time they come, I recognized their Facebook ID and I know which user it is in my database.

Now I am trying to do the same with Google's OAuth2, but how can I recognize the users?

Google sends me several codes and tokens (access_token, id_token, refresh_token), however none of them are constant. Meaning if I log out and log back in 2 minutes later, all 3 values have changed. How can I uniquely identify the user?

I am using their PHP client library: https://code.google.com/p/google-api-php-client/

Answer

Christophe L picture Christophe L · Oct 22, 2012

As others have mentioned, you can send a GET to https://www.googleapis.com/oauth2/v3/userinfo, using the OAuth2 bearer token you just received, and you will get a response with some information about the user (id, name, etc.).

It's also worth mentioning that Google implements OpenID Connect and that this user info endpoint is just one part of it.

OpenID Connect is an authentication layer on top of OAuth2. When exchanging a authorization code at Google's token endpoint, you get an access token (the access_token parameter) as well as an OpenID Connect ID token (the id_token parameter).

Both these tokens are JWT (JSON Web Token, http://tools.ietf.org/html/draft-ietf-oauth-json-web-token).

If you decode them, you'll get some assertions, including the id of the user. If you link this ID to a user in your DB, you can immediately identify them without having to do an extra userinfo GET (saves time).

As mentioned in the comments, these tokens are signed with Google's private key and you may want to verify the signature using Google's public key (https://www.googleapis.com/oauth2/v3/certs) to make sure they are authentic.

You can see what's in a JWT by pasting it at https://jwt.io/ (scroll down for the JWT debugger). The assertions look something like:

{
    "iss":"accounts.google.com",
    "id":"1625346125341653",
    "cid":"8932346534566-hoaf42fgdfgie1lm5nnl5675g7f167ovk8.apps.googleusercontent.com",
    "aud":"8932346534566-hoaf42fgdfgie1lm5nnl5675g7f167ovk8.apps.googleusercontent.com",
    "token_hash":"WQfLjdG1mDJHgJutmkjhKDCdA",
    "iat":1567923785,
    "exp":1350926995
}

There are also libraries for various programming languages to programatically decode JWTs.

PS: to get an up to date list of URLs and features supported by Google's OpenID Connect provider you can check that URL: https://accounts.google.com/.well-known/openid-configuration.

Related questions

how to log in to mysql and query the database from linux terminal

I am using debian linux. I have a linux machine on which mysql is install. I can log in to my linux machine using root user as well as other user. I can connect to mysql database on linux machine …

Read More
Configuration System Failed to Initialize

I'm new to Visual Studio. I'm currently creating a Login form. I have this code. string connectionString = ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString; try { using (OdbcConnection connect = new OdbcConnection(connectionString)) { connect.Open(); OdbcCommand cmd = new OdbcCommand("SELECT username, password FROM receptionist", connect); …

Read More
How to change users in TortoiseSVN

I was setting up another user to use our SVN repository. He didn't have a username/password, so I logged in with my credentials. We now have a username/password for him. How do I get TortoiseSVN to logout and …

Read More