bearyg / google-api-java-client

Automatically exported from code.google.com/p/google-api-java-client

GoogleIdToken.Payload.getEmailVerified() returning false for Google Apps accounts #827

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Version of google-api-java-client: 1.16.0-rc

Java environment: Java 7

Describe the problem.

I *think* this is likely a problem with Google's OAuth implementation and not 
the client library, but I have no idea how I should file bugs against that.

When I use GoogleIdToken.Payload.getEmailVerified() with Google accounts, I 
always get false. However, the following content is in the IdToken (using 
response.getIdToken() and parsing the response manually):

{
  "email" : "ej@lectorius.com",
  "hd" : "lectorius.com",

  ... many fields omitted ...

  "verified_email" : false,
  "email_verified" : "true"
}

Two issues here:

1. The deprecated verified_email does not agree with email_verified.
2. email_verified is a *string* not a boolean, so it's getting parsed as false 
by Jackson I think?

I *think* this used to work, but I'm not 100% sure. Thanks!

Original issue reported on code.google.com by e...@evanjones.ca on 7 Aug 2013 at 7:55

GoogleCodeExporter commented 9 years ago
I think I figured this out. The code (I think) is:
https://code.google.com/p/google-api-java-client/source/browse/google-api-client/src/main/java/com/google/api/client/googleapis/auth/oauth2/GoogleIdToken.java

... which is parsing the old "verified_email" part, not "email_verified" (from 
the standard). This used to work because they agreed. It no longer works 
because "verified_email" is false.

For my reference, the spec I think applies is here, which states it should be a 
boolean, not a string:
http://openid.net/specs/openid-connect-messages-1_0-20.html#rfc.section.2.5

However Google's docs include an example of it as a string:
https://developers.google.com/accounts/docs/OAuth2Login#obtainuserinfo

I think the fix is:

1. Parse email_verified in preference to verified_email, as either a string or 
a boolean.
2. Fix Google's endpoint to make sure these two fields agree.
3. Fix Google's endpoint to return email_verified as a boolean?

(I think this whole mess gets parsed using the following code, which is 
basically calling Jackson?)
https://code.google.com/p/google-http-java-client/source/browse/google-http-client/src/main/java/com/google/api/client/json/webtoken/JsonWebSignature.java

(Also OXAuth parses this as a boolean:
https://svn.gluu.info/repository/openxdi/oxAuth/Client/src/main/java/org/xdi/oxauth/client/UserInfoClient.java)

Original comment by e...@evanjones.ca on 7 Aug 2013 at 8:24

GoogleCodeExporter commented 9 years ago
We need to parse the boolean email_verified as the spec says.  However, first 
we need Google's endpoint to be fixed.  I've contacted the engineers behind 
Google's endpoint for that.  Clearly the end goal should be to follow the 
specification exactly and use "email_verified" and make it a boolean.

Thanks for reporting the bug!

Original comment by yan...@google.com on 13 Aug 2013 at 12:58

GoogleCodeExporter commented 9 years ago
https://codereview.appspot.com/13431043/

Original comment by pele...@google.com on 3 Sep 2013 at 11:47

GoogleCodeExporter commented 9 years ago
Note the following: The method also now returns a Boolean, so users should also 
perform a null check.

if(x.getEmailVerified())  // Could result in a NullPointerException

Boolean emailVerified = x.getEmailVerified();
if(emailVerified != null && emailVerified) // Safe

Original comment by ngmic...@google.com on 10 Sep 2013 at 3:43
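An added Python illustration (not the library's code, nor any commenter's) of the fix the thread proposes and the null-check the last comment advises: prefer the standard email_verified claim over the deprecated verified_email, accept it as either a JSON boolean or the string "true"/"false", and return a tri-state so callers only trust an explicit true. The claim values and sample token are constructed; the payload decoder assumes the token's signature has already been verified elsewhere.

```python
import base64
import json
from typing import Optional


def _as_bool(value) -> Optional[bool]:
    """Coerce a claim that may be a JSON boolean or the string "true"/"false"."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.lower() in ("true", "false"):
        return value.lower() == "true"
    return None  # absent, null, or an unrecognised shape: treat as unknown


def email_verified(payload: dict) -> Optional[bool]:
    """Prefer email_verified (the OpenID Connect claim); fall back to the
    deprecated verified_email only if the standard claim is unusable.
    Returns None when neither is usable, so callers must handle that case."""
    for claim in ("email_verified", "verified_email"):
        if claim in payload:
            parsed = _as_bool(payload[claim])
            if parsed is not None:
                return parsed
    return None


def is_trusted_email(payload: dict) -> bool:
    """Null-safe check: the email counts as verified only on an explicit true."""
    return email_verified(payload) is True


def decode_payload(id_token: str) -> dict:
    """Decode the payload segment of a compact JWS. No signature check here;
    the caller is assumed to have verified the token already."""
    segments = id_token.split(".")
    if len(segments) != 3:
        raise ValueError("not a compact JWS")
    body = segments[1] + "=" * (-len(segments[1]) % 4)  # restore padding
    return json.loads(base64.urlsafe_b64decode(body))


# Constructed sample mirroring the shape reported in the issue (hypothetical values).
SAMPLE_PAYLOAD = {
    "email": "user@example.com",
    "hd": "example.com",
    "verified_email": False,       # deprecated claim, disagrees with the standard one
    "email_verified": "true",      # standard claim, but encoded as a string
}
SAMPLE_ID_TOKEN = "hdr." + base64.urlsafe_b64encode(
    json.dumps(SAMPLE_PAYLOAD).encode()).decode().rstrip("=") + ".sig"
```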