How to identify a Google OAuth2 user?

I used Facebook to identify users. When a new user arrives, I store their user ID in my database. The next time they come, I find out their Facebook ID, and so I know which user they are in my database.

Now I'm trying to do the same with Google OAuth2, but how can I find out the users?

Google sends me several codes and tokens (access_token, id_token, refresh_token); however, none of them are permanent. For example, if I log out and come back 2 minutes later, all 3 values have changed. How can I uniquely identify a user?

I use their PHP client library: https://code.google.com/p/google-api-php-client/

+48
login google-api
Nov 29 '11 at 13:50
6 answers

I inserted this method in google-api-php-client/src/apiClient.php:

```php
// Fetches the profile of the user the current access token belongs to.
public function getUserInfo() {
    $req = new apiHttpRequest('https://www.googleapis.com/oauth2/v1/userinfo');
    // XXX error handling missing, this is just a rough draft
    $req = $this->auth->sign($req);                       // adds the OAuth2 Authorization header
    $resp = $this->io->makeRequest($req)->getResponseBody();
    return json_decode($resp, true);                      // decode the JSON body as an associative array
}
```

Now I can call:

```php
$client->setAccessToken($_SESSION['token']);
$userinfo = $client->getUserInfo();
```

It returns an array like this (plus email if that scope was requested):

```text
Array
(
    [id] => 1045636599999999999
    [name] => Tim Strehle
    [given_name] => Tim
    [family_name] => Strehle
    [locale] => de
)
```

The solution came from this thread: https://groups.google.com/forum/#!msg/google-api-php-client/o1BRsQ9NvUQ/xa532MxegFIJ

+26
Jan 03 '12 at 14:00

As already mentioned, you can send GET to https://www.googleapis.com/oauth2/v1/userinfo using the OAuth2 token you just received and you will get a response with some information about the user (id, name etc.).

It is also worth mentioning that Google implements OpenID Connect and that this endpoint of user information is only part of it.

OpenID Connect is an authentication layer on top of OAuth2. When exchanging the authorization code at Google's token endpoint, you get an access token (the access_token parameter) as well as an OpenID Connect identity token (the id_token parameter).

Both of these are JWT tokens (JSON Web Token, http://tools.ietf.org/html/draft-ietf-oauth-json-web-token ).

If you decode them, you will get some claims, including the user id. If you associate this identifier with a user in your database, you can immediately identify them without performing an additional GET for the user info (saves time).

As mentioned in the comments, these tokens are signed with the Google private key, and you can verify the signature with the Google public key ( https://www.googleapis.com/oauth2/v1/certs ) to make sure they are genuine.

You can see that in the JWT by pasting it into https://jwt.io/ (scroll down to the JWT debugger). The claims look something like this:

```json
{
  "iss": "accounts.google.com",
  "id": "1625346125341653",
  "cid": "8932346534566-hoaf42fgdfgie1lm5nnl5675g7f167ovk8.apps.googleusercontent.com",
  "aud": "8932346534566-hoaf42fgdfgie1lm5nnl5675g7f167ovk8.apps.googleusercontent.com",
  "token_hash": "WQfLjdG1mDJHgJutmkjhKDCdA",
  "iat": 1567923785,
  "exp": 1350926995
}
```

There are also libraries for various programming languages for decoding JWTs programmatically.

+73
22 Oct. '12 at 16:56

It should be noted that the OpenID Connect API no longer returns the id attribute.

The sub attribute now serves as a unique user identity.

See Google Dev OpenID Connect UserInfo

+9
Nov 14 '15 at 19:25

"Who is this?" is essentially a service; you need to request access to it as a scope, and then send a request to Google's profile resource server to get the identity. See OAuth 2.0 for more details.

+1
Nov 29 '11 at 18:22

Java version

OAuth2Sample.java

0
May 25 '12 at 12:47

The JWTs above can be verified locally with the public key (the Google API client library downloads and caches the public keys automatically), but checking the token on Google's side using the endpoint https://www.googleapis.com/oauth2/v1/tokeninfo is required to find out whether the application's access has been revoked since the token was created.

0
Apr 25 '15 at 14:01
