In the HTML in the site I have got from the docs here
<script src="https://accounts.google.com/gsi/client"></script>
<div
id="g_id_onload"
data-client_id={googleClientID}
data-login_uri='https://mytestdomain.appspot.com/google'
data-return_uri={uri}
></div>
When the site loads it shows me the prompt to continue with my google account, I click continue and it shows me as logged in, the webhook does get called and I can get the g_csrf_token
from the cookie
const fetch = require("node-fetch");
...
app.post("/google", function(req, res) {
const token = req.cookies.g_csrf_token;
console.log('-------------- token');
console.log(token);
const url = `https://oauth2.googleapis.com/tokeninfo?id_token=${token}`
const getData = async (url) => {
try {
const response = await fetch(url);
console.log('-------------- response');
console.log(response);
const json = await response.json();
console.log('-------------- json');
console.log(json);
res.status(200).send({ data });
} catch (error) {
console.log('-------------- error');
console.log(error);
res.status(400).send({ error });
}
};
if (token) getData(url);
res.status(200).send({ req });
});
But when I try to call the token info endpoint as detailed in the docs here, I get the error
-------------- token
d7d07535919b8e26
-------------- response
Response {
size: 0,
timeout: 0,
[Symbol(Body internals)]: {
body: PassThrough {
_readableState: [ReadableState],
readable: true,
_events: [Object: null prototype],
_eventsCount: 5,
_maxListeners: undefined,
_writableState: [WritableState],
writable: true,
allowHalfOpen: true,
_transformState: [Object],
[Symbol(kCapture)]: false
},
disturbed: false,
error: null
},
[Symbol(Response internals)]: {
url: 'https://oauth2.googleapis.com/tokeninfo?id_token=d7d07535919b8e26',
status: 404,
statusText: 'Not Found',
headers: Headers { [Symbol(map)]: [Object: null prototype] },
counter: 0
}
}
The docs say I can use GET or POST, I've tried both with the same error response
If I try to call the endpoint in the browser by entering https://oauth2.googleapis.com/tokeninfo?id_token=d7d07535919b8e26
into the address bar I get the response
{
"error": "invalid_token",
"error_description": "Invalid Value"
}
So is it not the token in the cookie from the callback that I should be using?
The g_csrf_token is used for double-submission to prevent CSRF attack. It's not the returned ID token.
As mentioned in the offical doc (https://developers.google.com/identity/one-tap/web/guides/verify-google-id-token), the ID token is returned in the 'credential' filed.