node.js oauth-2.0 openid

Google OAuth2 cannot get profile info


I'm using the https://accounts.google.com/o/oauth2/auth? endpoint to obtain the id_token.

The scopes are openid profile email.

The problem is that when I try to verify that id_token I get iss, azp, aud, sub, email, email_verified, iat, exp, jti. And as you can see, there isn't any profile info like given_name, family_name, picture.

The official doc says that it should contain profile info:

// These seven fields are only included when the user has granted the "profile" and
 // "email" OAuth scopes to the application.
 "email": "testuser@gmail.com",
 "email_verified": "true",
 "name" : "Test User",
 "picture": "https://lh4.googleusercontent.com/-kYgzyAWpZzJ/ABCDEFGHI/AAAJKLMNOP/tIXL9Ir44LE/s99-c/photo.jpg",
 "given_name": "Test",
 "family_name": "User",
 "locale": "en"

All permissions are granted.

UPDATE

So in case anyone ever needs it.

As Vladimir Serykh mentioned, to get profile info we need to hit the /userinfo endpoint. But this endpoint takes access_token as a Bearer token in an Authorization header, so you need to obtain that too.

So basically we need to call the OAuth2 with the response_type='id_token token' query parameter. After that the responseUrl will contain access_token too.

Next you just need to call the https://openidconnect.googleapis.com/v1/userinfo endpoint with an Authorization header set to Bearer your_access_token. You will get a response with the profile info:

"sub": "user_id",
"name": "Name Lastname",
"given_name": "Name",
"family_name": "Lastname",
"picture": "pic_url",
"email": "example@gmail.com",
"email_verified": true,
"locale": "en"

Thank you again, Vladimir Serykh


Solution

  • It's not very clear how old the documentation is (by the link you provided) and whether it is relevant to your case.

    I know that different Identity Providers can work slightly differently. And I know cases when you should make a separate call with the obtained ID token to the /userinfo endpoint to get user info.


    There is some different Google documentation for Google Identity Platform.

    1. It has a description of ID tokens.

      https://developers.google.com/identity/protocols/OpenIDConnect#obtainuserinfo

      Google ID Tokens may contain the following fields (known as claims):

      ID Token

      Notice that it doesn't have "always" in the Provided column. I think that it could be different for different APIs.

    2. The same docs have a section "Obtaining user profile information"

      It explains where to get the /userinfo endpoint URL and how to call it. In the response you should receive the info you need.


    My guess as to why it's not working in your case is that you are using the /tokeninfo endpoint. It's not a part of the OpenID Connect standard. It just validates the token and parses it (does the same job as https://jwt.io). And the original ID token doesn't contain those claims for some reason. Therefore the /tokeninfo endpoint doesn't return them to you.

    But according to Google's documentation, you should use the /userinfo endpoint to obtain user info claims.

    You can find a description of this endpoint in the OpenID Connect specification: https://openid.net/specs/openid-connect-core-1_0.html#UserInfo

    5.3 UserInfo endpoint

    The UserInfo Endpoint is an OAuth 2.0 Protected Resource that returns Claims about the authenticated End-User. To obtain the requested Claims about the End-User, the Client makes a request to the UserInfo Endpoint using an Access Token obtained through OpenID Connect Authentication.
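
The flow from the question's update and the answer above, as an added Node.js example that is not part of the original posts: request both tokens, read them from the redirect fragment, then call /userinfo with the access token. The helper names and the injectable fetchImpl are hypothetical; the nonce check and the sub comparison are what OpenID Connect Core requires of a client using this flow, and the id_token's signature is assumed to be verified separately.

```javascript
// Added example. Helper names are hypothetical; the endpoints, scopes and
// response_type are the ones quoted on this page.
const AUTH_ENDPOINT = 'https://accounts.google.com/o/oauth2/auth';
const USERINFO_ENDPOINT = 'https://openidconnect.googleapis.com/v1/userinfo';

// Step 1: ask for both tokens. `nonce` must be a fresh random value per request
// (e.g. crypto.randomBytes(16).toString('hex')) kept in the user's session.
function buildAuthUrl({ clientId, redirectUri, nonce }) {
  const url = new URL(AUTH_ENDPOINT);
  url.search = new URLSearchParams({
    client_id: clientId,
    redirect_uri: redirectUri,
    response_type: 'id_token token',
    scope: 'openid profile email',
    nonce,
  }).toString();
  return url.toString();
}

// Step 2: both tokens come back in the URL fragment of the redirect.
function parseRedirect(responseUrl) {
  const p = new URLSearchParams(new URL(responseUrl).hash.slice(1));
  return { idToken: p.get('id_token'), accessToken: p.get('access_token') };
}

// Reads claims WITHOUT checking the signature; verify the id_token first.
function decodeClaims(idToken) {
  const payload = idToken.split('.')[1];
  return JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
}

// Step 3: call /userinfo with the access token and bind the result to the
// id_token: the nonce must be ours, and `sub` must be identical in both.
async function fetchProfile({ idToken, accessToken }, expectedNonce, fetchImpl = fetch) {
  const claims = decodeClaims(idToken);
  if (claims.nonce !== expectedNonce) throw new Error('nonce mismatch');
  const res = await fetchImpl(USERINFO_ENDPOINT, {
    headers: { Authorization: `Bearer ${accessToken}` },
  });
  if (!res.ok) throw new Error(`userinfo request failed: ${res.status}`);
  const profile = await res.json();
  if (profile.sub !== claims.sub) {
    throw new Error('sub mismatch between id_token and userinfo');
  }
  return profile;
}
```

Without the sub comparison, a profile fetched with an access token issued for a different user would be accepted as belonging to the user named in the id_token.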