Google Sign-In: backend verification


Solution 1

The problem here is that the client_id being used to create the OAuth2Client and the client_id being used as the audience in verifyIdToken are the same. The client_id for the audience should be the client_id that was used in your frontend application to get the id_token.

Below is sample code from Google documentation.

// CLIENT_ID: the OAuth client ID of the frontend app that obtained the token.
// token: the id_token string the client sent to this backend.
const {OAuth2Client} = require('google-auth-library');
const client = new OAuth2Client(CLIENT_ID);
async function verify() {
  const ticket = await client.verifyIdToken({
    idToken: token,
    audience: CLIENT_ID,  // Specify the CLIENT_ID of the app that accesses the backend
    // Or, if multiple clients access the backend:
    // [CLIENT_ID_1, CLIENT_ID_2, CLIENT_ID_3]
  });
  const payload = ticket.getPayload();
  const userid = payload['sub'];  // stable Google account identifier
  // If request specified a G Suite domain:
  // const domain = payload['hd'];
}
verify().catch(console.error);

And here is the link for the documentation.

Hope this helps.
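As an added diagnostic (not code from the answers or from google-auth-library): decode the ID token's payload to see which client_id it was actually issued for, so the audience mismatch behind "Wrong recipient, payload audience != requiredAudience" can be explained before calling verifyIdToken(). It assumes Node.js (Buffer), constructs its own unsigned sample token, and does not verify the signature; acceptance of a real token still goes through verifyIdToken().

```javascript
// Diagnostic helper: decodes a JWT payload WITHOUT signature verification.
// Use it only to explain an audience mismatch; never to accept a token.
const EXPECTED_ISSUERS = ['accounts.google.com', 'https://accounts.google.com'];

function base64UrlDecode(segment) {
  // JWT segments are base64url without padding; convert to standard base64.
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function decodeIdToken(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 dot-separated parts)');
  return { header: JSON.parse(base64UrlDecode(parts[0])), payload: JSON.parse(base64UrlDecode(parts[1])) };
}

// Explain why verifyIdToken() would reject this token for the given backend audience(s).
// allowedAudiences: the client_id(s) the backend is configured to accept (string or array).
function diagnoseAudience(idToken, allowedAudiences, now = Date.now()) {
  const { payload } = decodeIdToken(idToken);
  const allowed = Array.isArray(allowedAudiences) ? allowedAudiences : [allowedAudiences];
  const problems = [];
  if (!EXPECTED_ISSUERS.includes(payload.iss)) problems.push(`unexpected issuer ${payload.iss}`);
  if (!allowed.includes(payload.aud)) {
    problems.push(`token aud ${payload.aud} is not in backend audience list [${allowed.join(', ')}]; ` +
      'configure the client_id of the frontend OAuth client that obtained the token');
  }
  if (typeof payload.exp === 'number' && payload.exp * 1000 <= now) problems.push('token expired');
  // azp (authorized party) is the client that requested the token and usually equals aud.
  return { ok: problems.length === 0, aud: payload.aud, azp: payload.azp, sub: payload.sub, problems };
}

// Constructed, unsigned sample token for demonstration; the signature part is a placeholder.
function makeSampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.placeholder-signature`;
}
```

The `problems` list names the configured audience and the token's `aud` side by side, which is the comparison the library error message leaves implicit.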

Solution 2

Another quick solution might be to change the name of your param "audience" to "requiredAudience". It works for me. If you copied the code from Google, maybe the Google documentation is outdated.

client.verifyIdToken({
  idToken,
  requiredAudience: GOOGLE_CLIENT_ID,  // Specify the CLIENT_ID of the app that accesses the backend
  // Or, if multiple clients access the backend:
  // [CLIENT_ID_1, CLIENT_ID_2, CLIENT_ID_3]
});
Author: Lee Daniel Crocker

Free software developer and advocate, poker player. Over 30 years experience, winner of the Usenix STUG award for contributions to MediaWiki, author of the OneJoker library. My blog is etceterology.

Updated on December 08, 2022

Comments

  • Lee Daniel Crocker (over 1 year)

    I have Google Sign-in working on my app: the relevant code is roughly:

    var acc = await signInService.signIn();
    var auth = await acc.authentication;
    var token = auth.idToken;

    This gives me a nice long token, which I then pass to my backend with an HTTP POST (this is working fine), and then try to verify. I have the same google-services.json file in my flutter tree and on the backend server (which is nodejs/restify). The backend code is roughly:

    let creds = require('./google-services.json');
    let auth = require('google-auth-library').OAuth2Client;
    let client = new auth(creds.client[0].oauth_client[0].client_id);
    . . .
    let ticket = await client.verifyIdToken({
        idToken: token,
        audience: creds.client[0].oauth_client[0].client_id
    });
    let payload = ticket.getPayload();

    This consistently returns the error "Wrong recipient, payload audience != requiredAudience".

    I have also tried registering separately with GCP console and using those keys/client_id instead, but same result. Where can I find the valid client_id that will properly verify this token?

  • Math Coder 101 (over 2 years)
    I used the same client_id for both front end and back end, as shown in the documentation, and still get this error.
  • Lee Daniel Crocker (over 2 years)
    I'll check it out. In my experience, all Google documentation is wrong or outdated. :-)
  • Akash Gorai (almost 2 years)
    I don't find any requiredAudience param.