
Missing information from Google ID Token in PHP

I'm using Google OAuth 2.0 for my server-side web app with PHP 5.4.45 and Google API Client PHP Library version 2.1.1.

I can successfully exchange the authorization code with the refresh_token, access_token and id_token. I can correctly verify the id_token and extract the user's data from it, but some information is missing.

I requested the profile and email scopes, which both get correctly displayed in the consent screen and in the user's application settings, but, while the email is available, all the claims associated with the profile scope are missing from the id_token (name, picture, etc.).

I have tried with different users and the problem persists.

This is the code I'm using (just for testing purposes):

require_once 'php/libs/google_api_client_library/vendor/autoload.php';

if(!isset($_GET['code'])){
    die("code parameter not set");

}else{
    //exchange 'code' with access token, refresh token and id token
    $data = array(
        'code' => $_GET['code'],
        'client_id' => $MY_CLIENT_ID,
        'client_secret' => $MY_CLIENT_SECRET,
        'redirect_uri' => 'https://www.mywebsite.com/oauth2callback.php',
        'grant_type' => 'authorization_code'
    );
    $options = array(
        'http' => array(
            'header'  => "Content-type: application/x-www-form-urlencoded\r\n",
            'method'  => 'POST',
            'content' => http_build_query($data)
        )
    );
    $response = file_get_contents('https://accounts.google.com/o/oauth2/token', false, stream_context_create($options));

    if($response){
        $tokens = json_decode($response);

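        $client = new Google_Client();
        //set the client ID so verifyIdToken() also checks the token's audience
        $client->setClientId($MY_CLIENT_ID);

        //validate idToken and get user info
        $idtoken = $client->verifyIdToken($tokens->id_token);
        if(!$idtoken){
            die("invalid id_token");
        }

        echo "<h1>ID_TOKEN</h1>";
        var_dump($idtoken);
    }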
}

The weirdest thing is that it used to work correctly before, and then it suddenly started behaving like that, and I don't remember making any changes to this code.

I also noticed that this happens only server-side, with PHP, because everything is fine with the JavaScript API Client Library.

Any ideas of why this is happening?

Let me know if you need any further information and thanks in advance!

I don't know what exactly the problem was, but with the help of some examples I found on the internet I used the Google_Service_Oauth2 class and edited my code as follows:

require_once 'php/libs/google_api_client_library/vendor/autoload.php';

if(!isset($_GET['code'])){
    die("code parameter not set");

}else{
    $client = new Google_Client();
    $client->setClientId($MY_CLIENT_ID);
    $client->setClientSecret($MY_CLIENT_SECRET);
    $client->setApplicationName('MyApplicationName');
    $client->setRedirectUri('https://www.mywebsite.com/oauth2callback.php');
    $oauth = new Google_Service_Oauth2($client);

    $client->authenticate($_GET['code']); //exchange 'code' with access token, refresh token and id token

    $accessToken = $client->getAccessToken();

    $userData = $oauth->userinfo->get(); //get user info

    echo "<h1>USER DATA</h1>";
    var_dump($userData);
}

And now everything works just fine!
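When profile data comes from the userinfo call rather than the ID token, as in the answer above, the two should be tied to the same account before they are merged. The following is an added example, not code from the original posts or from the Google library: `buildProfile` is a hypothetical helper, both input arrays are constructed sample data, and it assumes the userinfo `id` field carries the same value as the token's `sub` claim.

```php
<?php
// Added example: combine verified ID token claims with a userinfo response.
// Both arrays passed in below are constructed sample data, not real Google output.

/**
 * Return one profile array, taking identity from the ID token and filling
 * missing profile claims from userinfo. Throws if the token was not issued
 * for this client or the two inputs do not describe the same account.
 */
function buildProfile(array $idClaims, array $userinfo, $expectedClientId)
{
    // The token must have been issued to this application.
    if (!isset($idClaims['aud']) || $idClaims['aud'] !== $expectedClientId) {
        throw new RuntimeException('ID token audience mismatch');
    }
    // Bind the userinfo response to the token's subject before trusting it.
    // Assumption: userinfo 'id' carries the same value as the token's 'sub'.
    if (!isset($idClaims['sub'], $userinfo['id'])
        || (string) $idClaims['sub'] !== (string) $userinfo['id']) {
        throw new RuntimeException('userinfo does not match ID token subject');
    }
    $profile = array('sub' => $idClaims['sub']);
    foreach (array('email', 'name', 'picture') as $key) {
        // Prefer the signed claim; fall back to userinfo when it is absent.
        if (isset($idClaims[$key])) {
            $profile[$key] = $idClaims[$key];
        } elseif (isset($userinfo[$key])) {
            $profile[$key] = $userinfo[$key];
        }
    }
    return $profile;
}

// Constructed sample: a token with email but no profile claims, as in the question.
$idClaims = array(
    'aud'   => 'example-client-id.apps.googleusercontent.com',
    'sub'   => '1234567890',
    'email' => 'user@example.com',
);
$userinfo = array(
    'id'      => '1234567890',
    'name'    => 'Example User',
    'picture' => 'https://example.com/photo.jpg',
);

print_r(buildProfile($idClaims, $userinfo, 'example-client-id.apps.googleusercontent.com'));
```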
