jaredhanson / passport-google-oauth2

Google authentication strategy for Passport and Node.js.
https://www.passportjs.org/packages/passport-google-oauth20/?utm_source=github&utm_medium=referral&utm_campaign=passport-google-oauth20&utm_content=about
MIT License

Issue with google id token #59

Open pankajbansal opened 5 years ago

pankajbansal commented 5 years ago

Hi,

I am using the below API:

```javascript
app.get('/auth/google', passport.authenticate('google', { scope: ['profile', 'email'] }));
```

I am getting the id token from Google, but when I am using the same id token in the below API:

https://oauth2.googleapis.com/tokeninfo?id_token=

I am not receiving the profile data, but when I am using the access token I am getting the profile data. The issue seems to be only with the id token.

toritsejuFO commented 4 years ago

I hope I understand you here. So the token (which is the authorization code) is different from the access token.

The access token can be used to access the details of the user without passing in the CLIENT_ID and the CLIENT_SECRET obtained from your Google console.

But to get the access token, you pass the code + CLIENT_ID + CLIENT_SECRET. That's how Google is able to know/verify that the application the user gave authorization to is the same application that now wants to get the access token.

It's basically a mechanism to ensure that CLIENT_ID or auth code hijacking is useless, because the CLIENT_SECRET is always needed to get the access token.