Google-api-php-client: id_token must be passed in or set as part of setAccessToken

Created on 17 Aug 2017  路  2Comments  路  Source: googleapis/google-api-php-client

Hi there,

We have an existing implementation of OAuth for our Android and iOS apps and we're trying to get it working with web. I don't agree that the implementation was done properly, but we're looking to integrate web without making significant changes to BE.

The flow for the native apps is that they're configured for offlineAccess and they send the authorization code and user information to the BE.

In our GoogleServiceProvider:

$this->app->bind(Google_Client::class, function () {
    $client = new Google_Client();
    return $client;
});

Then, the apps/web make a request that hits GoogleSignUp.php, where first we get the Google Client

public function getClientSDK()
{
   if (is_null($this->clientSDK)) {
    $this->clientSDK = GoogleServiceProvider::makeGoogleClient();
    $this->clientSDK->setAuthConfig(\Config::get('third_party.google.web_auth_config'));
    $this->clientSDK->setScopes([\Google_Service_Plus::PLUS_ME, \Google_Service_Plus::USERINFO_EMAIL, \Google_Service_Plus::USERINFO_PROFILE]);
    }
    return $this->clientSDK;
}

Then we try to authenticate, where we run into a problem:

public function authenticate()
{
    try {
        $this->getClientSDK()->fetchAccessTokenWithAuthCode($this->accessToken); //sets access token on clientSDK
        $data = $this->getClientSDK()->verifyIdToken();
        if ($data) {
            if ($this->userId == $data['sub'] && $data['email'] == Input::get('email')) {
               return true;
            } else {
               $message = "Access token doesn't belong to given uid or email";
               $exception = '';
           }
        } else {
              $message = "Couldn't verify the access token";
              $exception = '';
        }
   } catch (\Exception $e) {
       $message = $e->getMessage();
       $exception = (string)$e;
   }
   \Log::warning(
       "User Authentication Failed while logging user in with google",
        array(
            'message' => $message,
            'uid' => $this->userId,
            'email' => Input::get('email'),
            'exception' => (string)$exception
        )
    );
    throw new \Exception("User Authentication Failed - $message");
}

The web call is sending data including user profile information and the authorization code (poorly named as the accessToken, despite there being something already called an accessToken). An error is returned though: id_token must be passed in or set as part of setAccessToken. It seems to always just throw the exception on that last line.

If I'm passing in the authorization code, why would it not be trading the code for an access_token and id_token? Any guidance would be appreciated, thanks

question
Source
picture serkolch

Most helpful comment

It looks like a member of our great community answered your questions. Thanks Community! Please add a comment if you have any more questions and we can reopen this issue.

picture mattwhisenhunt on 1 Jun 2018
👍2

All 2 comments

@serkolch The following issue "id_token must be passed in or set as part of setAccessToken" fixed when I provided "email" scope.

i.e., $client->addScope("email");

reference: https://github.com/google/google-api-php-client/blob/master/examples/idtoken.php

Hope this helps.

narainsagar picture narainsagar on 18 May 2018
1

It looks like a member of our great community answered your questions. Thanks Community! Please add a comment if you have any more questions and we can reopen this issue.

mattwhisenhunt picture mattwhisenhunt on 1 Jun 2018
👍2
Was this page helpful?
0 / 5 - 0 ratings

Related issues

mandavister picture mandavister  路  4Comments
delmohf picture delmohf  路  3Comments
unixkapl picture unixkapl  路  3Comments
Fredyy90 picture Fredyy90  路  3Comments
whatido1 picture whatido1  路  3Comments