I use this method to get the ID token:

GoogleSignInAccount acct = googleSignInResult.getSignInAccount();
String tokenId = acct.getIdToken();

Now, how to verify the integrity of the ID token on the server?

Google:

Warning: Do not accept plain user IDs, such as those you can get with the GoogleSignInAccount.getId() method, on your backend server. A modified client application can send arbitrary user IDs to your server to impersonate users, so you must instead use verifiable ID tokens to securely get the user IDs of signed-in users on the server side.


1 Answer

From the documentation: https://developers.google.com/identity/sign-in/web/backend-auth#using-a-google-api-client-library

import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken.Payload;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;

...

GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(transport, jsonFactory)
    .setAudience(Arrays.asList(CLIENT_ID))
    // If you retrieved the token on Android using the Play Services 8.3 API or newer, set
    // the issuer to "https://accounts.google.com". Otherwise, set the issuer to
    // "accounts.google.com". If you need to verify tokens from multiple sources, build
    // a GoogleIdTokenVerifier for each issuer and try them both.
    .setIssuer("https://accounts.google.com")
    .build();

// (Receive idTokenString by HTTPS POST)

GoogleIdToken idToken = verifier.verify(idTokenString);
if (idToken != null) {
  System.out.println("Valid ID token.");
} else {
  System.out.println("Invalid ID token.");
}

You can read the API docs here: http://javadoc.google-api-java-client.googlecode.com/hg/1.18.0-rc/com/google/api/client/googleapis/auth/oauth2/GoogleIdTokenVerifier.html

To use the APIs, add the following to your build.gradle:

repositories {
    mavenCentral()
}
dependencies {
    compile 'com.google.api-client:google-api-client:1.20.0'
}
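The snippet above leaves `transport` and `jsonFactory` undefined and only prints the result. As an added example (not from the answer or from Google's documentation), here is the same verification wrapped in a class the backend can call, returning the verifiable `sub` claim as the user ID instead of trusting a client-supplied `getId()` value. The class name and `SERVER_CLIENT_ID` placeholder are assumptions; the library calls are from the google-api-client artifact the answer adds to build.gradle.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Collections;

import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdToken.Payload;
import com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
import com.google.api.client.http.javanet.NetHttpTransport;
import com.google.api.client.json.jackson2.JacksonFactory;

// Hypothetical class name; added example, not part of the original answer.
public final class IdTokenAuthenticator {

    // Placeholder: the web (server) client ID from the Google API Console, i.e. the
    // same value the Android app passes to requestIdToken(). Tokens minted for any
    // other audience are rejected by verify().
    private static final String SERVER_CLIENT_ID =
            "YOUR_SERVER_CLIENT_ID.apps.googleusercontent.com";

    private final GoogleIdTokenVerifier verifier;

    public IdTokenAuthenticator() {
        // `transport` fetches Google's public signing keys over HTTPS (and caches
        // them); `jsonFactory` parses the token and the key set. These two are
        // the arguments the answer's snippet leaves undefined.
        verifier = new GoogleIdTokenVerifier.Builder(
                        new NetHttpTransport(), JacksonFactory.getDefaultInstance())
                .setAudience(Collections.singletonList(SERVER_CLIENT_ID))
                .setIssuer("https://accounts.google.com")
                .build();
    }

    /**
     * Returns Google's stable user ID (the "sub" claim) for a valid token, or null
     * when the token is rejected. verify() checks the signature against Google's
     * current keys, the expiry, and the audience and issuer set on the builder.
     */
    public String authenticate(String idTokenString)
            throws GeneralSecurityException, IOException {
        GoogleIdToken idToken = verifier.verify(idTokenString);
        if (idToken == null) {
            return null; // bad signature, expired, wrong audience or wrong issuer
        }
        Payload payload = idToken.getPayload();
        // Key the account on "sub", never on the email address: emails can change
        // and are only trustworthy when payload.getEmailVerified() is true.
        return payload.getSubject();
    }
}
```

Call `authenticate(idTokenString)` with the token the client sent over HTTPS; a null return should be treated as an unauthenticated request.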
  • I want to check the Google account ID token after sign-in. Please answer me: [question 1](http://stackoverflow.com/questions/37172082/android-what-is-transport-and-jsonfactory-in-googleidtokenverifier-builder) and [question 2](http://stackoverflow.com/questions/37163459/android-using-a-google-api-client-library-for-verify-id-token) – Farzad May 12 '16 at 08:50