Hey folks! This is not wildly urgent, but I've been working on implementing authentication through Google and I'm having some trouble grabbing the profile-scope data for a GSuite domain. I'm not sure whether the issue is that GSuite or my application is misconfigured, so I was hoping you could provide some troubleshooting guidance.
The flow in the app is this. On the frontend, I call gapi.auth2.authorize to retrieve an ID token and POST it to my backend:
gapi.auth2.authorize(
{
client_id: '...',
hosted_domain: 'ignota.media',
response_type: 'id_token',
scope: 'email profile',
},
(response: any) => {
if (response.error) {
return
}
this.props.onSignInGoogleAccount(response.id_token)
},
)
On the backend, I pass the ID token to https://www.googleapis.com/oauth2/v3/tokeninfo to validate it:
def token_info
@token_info ||= begin
ti = conn.get '/oauth2/v3/tokeninfo', id_token: id_token
body = JSON.parse(ti.body).with_indifferent_access
raise ArgumentError, 'Invalid hosted domain.' unless body[:hd] == 'ignota.media'
body
end
end
After walking through the signup flow, I get a valid token back---but according to the tokeninfo endpoint, it only includes email and email_verified alongside the usual JWT claims:
{
"azp": "...",
"aud": "...",
"sub": "108825333075518568948",
"hd": "ignota.media",
"email": "[email protected]",
"email_verified": "true",
"exp": "1523788138",
"iss": "accounts.google.com",
"jti": "1f171bc654823ed4170a624fc867d97e24af88da",
"iat": "1523784538",
"alg": "RS256",
"kid": "3b547886ff85a3428df4f61db73c1c23982a928e"
}
The documentation at https://developers.google.com/identity/sign-in/web/backend-auth seems to suggest that GETting the tokeninfo endpoint should include name, picture, and locale as well, but try as I may I can't get them into the JWT payload. My GSuite account should---I believe---have all three configured through the "Users" panel of the admin interface.
Any idea what I might be doing wrong?
I was running into this too, and found that I had to add permission to the response_type, and openid to the scope in the authorize call.
@dylanscott That did the trick! Thanks so much for sharing your solution. I'mma leave this open as a nudge to update the docs, but it seems to work great.
Found this trying to diagnose an error which occurred as of today, with previously working code.
Because it might be helpful to people who find this issue in the future , as of today, Google's auth response now only includes a picture url if you have explicitly set a profile picture.
Most helpful comment
I was running into this too, and found that I had to add
permissionto theresponse_type, andopenidto the scope in the authorize call.