How to obtain a Google Identity Service (GIS) ID Token?
Problem
Dear team, I got an email telling me to migrate from the old Google Sign In library to the new Google Identity Services. I'm having a hard time with it. I posted this same question on Stack Overflow. In chat, a Google Developer Expert for Identity Platform recommended me to ask my question here. So here it is:
Previously, I did (simplified for clarity): [code block]
(I know what you're thinking. Why is this guy putting an id token in a variable named access token? It's because I didn't know any better at the time I was building this code. With Facebook's sign in lib, I get an access token, which I use to retrieve the user's email and name. I built Google sign in, thinking it would work the exact same way. I thought the id token was the access token, at the time of development. So bear with me, please.)
Now, I'm trying (simplified for clarity): [code block]
With the old google sign in library, I validated the access (id) token server side as such: `Payload payload = await GoogleJsonWebSignature.ValidateAsync(accessToken);` This also returned the user's email and name in the payload.
The access/id token I am getting back from GIS, is much shorter than the old one from GAPI. An online token debugger tells me it's not a valid JWT token. The ValidateAsync method throws an exception: `JWT must consist of Header, Payload, and Signature` No surprise, considering it's not a valid JWT token.
I also tried the following call: `Payload payload = await JsonWebSignature.Ver
Error Output
exception: `JWT must consist of Header, Payload, and Signature`
1 Fix
Migrate to Google Identity Services for ID Token Retrieval
The error occurs because the new Google Identity Services (GIS) library returns an ID token that is not being processed correctly. Unlike the previous Google Sign-In library, GIS uses a different method to obtain and validate ID tokens, which are valid JWTs. The shorter token you are receiving is likely due to a misconfiguration in the token request process.
1. Update to Google Identity Services
Ensure that you have included the Google Identity Services library in your project. This is necessary for obtaining ID tokens using the new API.
```html
<script src='https://accounts.google.com/gsi/client' async defer></script>
```
2. Initialize Google Identity Services
Set up the Google Identity Services client with your client ID. This is crucial for authenticating users and obtaining the ID token.
```javascript
const client = google.accounts.oauth2.initTokenClient({
  client_id: 'YOUR_CLIENT_ID',
  scope: 'profile email',
  callback: (response) => {
    // Handle the response
  }
});
```
3. Obtain the ID Token
Invoke the token client to request an ID token. This will prompt the user to sign in and return a valid ID token upon successful authentication.
```javascript
client.requestAccessToken();
```
4. Validate the ID Token Server-Side
Once you have the ID token, validate it on your server using the Google API client library. Ensure you are using the correct method to validate JWT tokens.
```csharp
Payload payload = await GoogleJsonWebSignature.ValidateAsync(idToken);
```
5. Extract User Information
After validation, extract user information such as email and name from the payload returned by the validation method.
```csharp
string email = payload.Email;
string name = payload.Name;
```
Validation
To confirm the fix worked, ensure that the ID token is successfully obtained and validated without throwing exceptions. You should be able to extract user information from the validated payload without errors.
Submitted by
Alex Chen
2450 rep
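The exception quoted in the question is raised when the string handed to the validator does not have the three dot-separated parts of a JWT. The check below is an added example, not code from the original post or from Google's libraries: `inspectToken` and the sample tokens are constructed for illustration (Node.js assumed), and it inspects structure only, so signature verification still belongs to `GoogleJsonWebSignature.ValidateAsync`.

```javascript
// Added example: structural pre-check to run before JWT validation.
// It does NOT verify the signature; it only reports why a validator
// would reject the string (e.g. an opaque token sent instead of an ID token).
function b64urlJson(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) return null;
  try {
    return JSON.parse(Buffer.from(segment, 'base64url').toString('utf8'));
  } catch {
    return null;
  }
}

function inspectToken(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) {
    // Same condition behind "JWT must consist of Header, Payload, and Signature".
    return { kind: 'opaque', reason: `expected 3 segments, got ${parts.length}` };
  }
  const header = b64urlJson(parts[0]);
  const payload = b64urlJson(parts[1]);
  if (!header || !payload || typeof header !== 'object' || typeof payload !== 'object') {
    return { kind: 'malformed', reason: 'header or payload is not base64url JSON' };
  }
  if (!header.alg || header.alg === 'none') {
    return { kind: 'malformed', reason: 'missing or "none" alg in header' };
  }
  // Claims an ID token is expected to carry; their values are checked by the validator.
  const missing = ['iss', 'aud', 'sub', 'exp'].filter((c) => !(c in payload));
  if (missing.length > 0) {
    return { kind: 'jwt-not-id-token', reason: `missing claims: ${missing.join(', ')}` };
  }
  return { kind: 'jwt-candidate', alg: header.alg, iss: payload.iss, aud: payload.aud };
}

// Constructed sample inputs (not real tokens).
const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
const sampleIdToken = [
  enc({ alg: 'RS256', typ: 'JWT' }),
  enc({ iss: 'https://accounts.google.com', aud: 'YOUR_CLIENT_ID',
        sub: 'constructed-subject', exp: 1700000000 }),
  'constructed-signature',
].join('.');
const sampleOpaqueToken = 'opaque-access-token-constructed';

console.log(inspectToken(sampleOpaqueToken));
console.log(inspectToken(sampleIdToken));
```

Logging the returned `kind` and `reason` server-side (never the token itself) shows whether the client sent the wrong credential before the validator throws.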