sahat / satellizer

Token-based AngularJS Authentication
https://satellizer-sahat.rhcloud.com
MIT License

parsing google token #791

Open blackotruck opened 8 years ago

blackotruck commented 8 years ago

Hello!

I've been using this library for a while; everything was working fine, and still is, except for Google OAuth. Yesterday I noticed I couldn't log in with Google, so I started debugging the issue and found out that the problem is here:

if (token) {
  // Treat any three-segment string as a JWT and read its payload (segment 2).
  if (token.split('.').length === 3) {
    var base64Url = token.split('.')[1];
    var base64 = base64Url.replace('-', '+').replace('_', '/');
    // With an empty middle segment, atob('') yields '' and JSON.parse('') throws here.
    var exp = JSON.parse($window.atob(base64)).exp;
    if (exp) {
      return Math.round(new Date().getTime() / 1000) <= exp;
    }
    return true;
  }
  return true;
}

The issue is that Google is now returning a token of the form ya29..vgIJcUovcUTO9l6dCBZx17me-sagnLFfsO8unYBA0pQ3qOKWUUqBlLAW0elxuDBNTg, which token.split('.') turns into ["ya29", "", "vgIJcUovcUTO9l6dCBZx17me-sagnLFfsO8unYBA0pQ3qOKWUUqBlLAW0elxuDBNTg"], causing var base64Url = token.split('.')[1]; to receive an empty string.

I have no idea why Google is now sending this faulty token, as I haven't changed anything and this was working until last week...

Here is my server-side code (using Node):

var request = require('request'); // the 'request' npm package, as used by the satellizer example server

app.post('/node/auth/google', function(req, res) {
  var accessTokenUrl = 'https://accounts.google.com/o/oauth2/token';
  var peopleApiUrl = 'https://www.googleapis.com/plus/v1/people/me/openIdConnect';
  var params = {
    code: req.body.code,
    client_id: req.body.clientId,
    client_secret: config.credentials.google.secret,
    redirect_uri: req.body.redirectUri,
    grant_type: 'authorization_code'
  };

  // Step 1. Exchange authorization code for access token.
  request.post(accessTokenUrl, { json: true, form: params }, function(err, response, token) {
    // Fail early if the token endpoint errored or returned an error body.
    if (err || !token || token.error) {
      return res.status(500).send({ message: err ? err.message : (token && token.error_description) || 'Token exchange failed' });
    }

    var accessToken = token.access_token;
    var refreshToken = token.refresh_token;
    var headers = { Authorization: 'Bearer ' + accessToken };

    // Step 2. Retrieve profile information about the current user.
    request.get({ url: peopleApiUrl, headers: headers, json: true }, function(err, response, profile) {
      if (err || !profile) {
        return res.status(500).send({ message: err ? err.message : 'Profile request failed' });
      }
      if (profile.error) {
        return res.status(500).send({ message: profile.error.message });
      }
      var clientResponse = {
        profile: profile,
        token: accessToken,
        refresh_token: refreshToken
      };
      res.status(200).send(clientResponse);
    });
  });
});

guillaumegarcia13 commented 8 years ago

Hi, I think the access_token you are referring to is not a JWT (JSON Web Token). But you may also retrieve from the token URL (personally, I use https://www.googleapis.com/oauth2/v4/token) another field called id_token, which is a JWT and from which you should be able to extract the exp claim.

blackotruck commented 8 years ago

@guillaumegarcia13 Well, just as it stopped working out of nowhere, it started working again; Google is sending me the right token, but I still don't know what happened.