Google 登录：后端验证

Question

I have Google Sign-in working on my app: the relevant code is roughly:

var acc = await signInService.signIn();
var auth = await acc.authentication;
var token = auth.idToken;

This gives me a nice long token, which I then pass to my backend with an HTTP POST (this is working fine), and then try to verify. I have the same google-services.json file in my flutter tree and on the backend server (which is nodejs/restify). The backend code is roughly:

let creds = require('./google-services.json');
let auth = require('google-auth-library').OAuth2Client;
let client = new auth(creds.client[0].oauth_client[0].client_id);
. . .
let ticket = await client.verifyIdToken({
    idToken: token,
    audience: creds.client[0].oauth_client[0].client_id
});
let payload = ticket.getPayload();

This consistently returns my the error "Wrong recipient, payload audience.= requiredAudience".

I have also tried registering separately with GCP console and using those keys/client_id instead, but same result. Where can I find the valid client_id that will properly verify this token?

Answer 1

The problem here is the client_id that is being used to create an OAuth2Client and the client_id being used as the audience in the verifyIdToken is the same. The client_id for the audience should be the client_id that was used in your frontend application to get the id_token .

Below is sample code from Google documentation.

const {OAuth2Client} = require('google-auth-library');
const client = new OAuth2Client(CLIENT_ID);
async function verify() {
  const ticket = await client.verifyIdToken({
      idToken: token,
      audience: CLIENT_ID,  // Specify the CLIENT_ID of the app that accesses the backend
      // Or, if multiple clients access the backend:
      //[CLIENT_ID_1, CLIENT_ID_2, CLIENT_ID_3]
  });
  const payload = ticket.getPayload();
  const userid = payload['sub'];
  // If request specified a G Suite domain:
  //const domain = payload['hd'];
}
verify().catch(console.error);

And here is the link for the documentation.

Hope this helps.

Answer 2

It has already been mentioned above that requiredAudience works instead of audience , but I noticed requiredAudience works for both {client_id: <CLIENT_ID>} and <CLIENT_ID>. So maybe you were referencing creds.client[0].oauth_client[0] instead of creds.client[0].oauth_client[0].client_id ? I have not been able to find any docs on the difference between requiredAudience and audience , however make sure you are sending just the <CLIENT_ID> instead of {client_id: <CLIENT_ID>} .

Google doc:link

Answer 3

Another quick solution might be change the name of your param "audience" to "requiredAudience", it works to me, if you copied the code from google, maybe the google documentation is outdated.

client.verifyIdToken({
      idToken,
      requiredAudience: GOOGLE_CLIENT_ID,  // Specify the CLIENT_ID of the app that accesses the backend
      // Or, if multiple clients access the backend:
      //[CLIENT_ID_1, CLIENT_ID_2, CLIENT_ID_3]
  });

Answer 4

verifyIdToken() 's call signature doesn't require the audience parameter. That's also stated in the changelog . So you can skip it, and it'll work. The documentation is kinda misleading on that.

It's also the reason why using requiredAudience works because it actually isn't being used by the method, so it's the same as not providing it.