Hi All,
I am using the Flutter Google Sign-In plugin for social login with a backend server (by OAuth 2).
I should use the verifiable ID tokens to securely get the user IDs of signed-in users on the server side.
I tried to use the Flutter Google Sign-In plugin to get the ID token as follows:
I simply followed the documentation and got the following:
    GoogleSignIn _googleSignIn = new GoogleSignIn(
      scopes: [
        'email',
        'openid',
        'profile',
        'https://www.googleapis.com/auth/contacts.readonly',
      ],
    );

    _googleSignIn.signIn().then<void>((GoogleSignInAccount googleSignInAccount) {
      googleSignInAccount.authentication.then<void>((GoogleSignInAuthentication googleSignInAuthentication) {
        // The token for the backend would be read from googleSignInAuthentication.idToken here.
      });
    });
I found that it is not able to retrieve the ID token.
I added the Flutter Firebase plugin to my project.
I assume that my config (including the google-services.json) is correct, because I finally get the ID token from googleSignInAccount and firebaseUser as follows:
    _googleSignIn.signIn().then<void>((GoogleSignInAccount googleSignInAccount) {
      googleSignInAccount.authentication.then<void>((GoogleSignInAuthentication googleSignInAuthentication) {
        // Exchange the Google credentials for a Firebase user.
        _auth.signInWithGoogle(
          idToken: googleSignInAuthentication.idToken,
          accessToken: googleSignInAuthentication.accessToken,
        ).then((FirebaseUser firebaseUser) {
          // Fetch the Firebase user's own ID token (forcing a refresh).
          firebaseUser.getIdToken(refresh: true).then((String idToken) {
            print('id token =$idToken');
          }, onError: (Object error) {
            print('error in fetching firebase user id token. error=$error');
          });
        });
      });
    });
However, I found that the googleSignInAccount's idToken is invalid:
, where XYZ is the googleSignInAccount's idToken.
Here is the exception from Google:
    {
      "error_description": "Invalid Value"
    }
I also tested it with the verification APIs in my backend server:
    <dependency>
      <groupId>com.google.apis</groupId>
      <artifactId>google-api-services-oauth2</artifactId>
    </dependency>
It is invalid.
Then I tried the firebaseUser's idToken instead. However, it doesn't work either.
In my backend server verification:
    <dependency>
      <groupId>com.google.firebase</groupId>
      <artifactId>firebase-admin</artifactId>
      <version>6.3.0</version>
    </dependency>
Here is the exception
I think my token is signed with the public key and is not expired, because I can see the details on https://jwt.io/. Header:
    {
      "alg": "RS256",
      "kid": "b89f7346a0985f421dcd8d30c0b30eebfae19a1e"
    }
1) Am I doing anything wrong in getting the ID token for my backend server authentication?
2) Why is the googleSignInAccount's idToken invalid, yet it can be used in Flutter Firebase auth?
3) Why isn't the firebaseUser's idToken signed by a valid public key?
4) Should I just pass the access token to my backend server instead and verify the azp and aud?
Thanks!
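An added example, not part of the original post or of the google_sign_in / firebase plugins, that bears on questions 2 and 3: a Google Sign-In ID token and a Firebase ID token are different JWTs with different issuers, audiences and signing keys, so each one only passes its own verifier. The Python below decodes a token's claims without checking the signature and reports which verifier it belongs to and which claim checks would fail; the client IDs, project ID and tokens are constructed placeholders.

```python
import base64
import json
import time

# Issuers on Google Sign-In ID tokens; Firebase ID tokens carry a per-project issuer instead.
GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_unverified(token: str):
    """Split a JWT into (header, claims) WITHOUT checking its signature."""
    header_b64, claims_b64, _signature = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(claims_b64))

def classify_id_token(token, server_client_id, firebase_project_id, now=None):
    """Triage only: name the verifier the token belongs to and list failing claim checks.
    The signature must still be checked by that verifier (Google certs vs securetoken certs)."""
    now = time.time() if now is None else now
    header, claims = decode_unverified(token)
    iss, aud, problems = claims.get("iss"), claims.get("aud"), []
    if claims.get("exp", 0) <= now:
        problems.append("expired")
    if iss in GOOGLE_ISSUERS:
        kind = "google"
        if aud != server_client_id:
            problems.append("aud is not the backend's OAuth client ID")
    elif iss == "https://securetoken.google.com/" + firebase_project_id:
        kind = "firebase"
        if aud != firebase_project_id:
            problems.append("aud is not the Firebase project ID")
    else:
        kind = "unknown"
        problems.append("unrecognised issuer")
    return {"kind": kind, "alg": header.get("alg"), "kid": header.get("kid"), "problems": problems}

def make_unsigned_token(header, claims):
    """Builds constructed samples; real tokens carry an RS256 signature in the third segment."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return enc(header) + "." + enc(claims) + ".sig"

# Constructed samples with placeholder IDs; the claim shapes follow the two real token types.
GOOGLE_TOKEN = make_unsigned_token({"alg": "RS256", "kid": "k1"}, {
    "iss": "https://accounts.google.com", "aud": "SERVER_CLIENT_ID.apps.googleusercontent.com",
    "azp": "ANDROID_CLIENT_ID.apps.googleusercontent.com", "sub": "1234", "exp": 1600003600})
FIREBASE_TOKEN = make_unsigned_token({"alg": "RS256", "kid": "k2"}, {
    "iss": "https://securetoken.google.com/my-project", "aud": "my-project", "sub": "u1", "exp": 1600003600})
```

A "google" token is what a Google OAuth2 verifier (tokeninfo, GoogleIdTokenVerifier) accepts, and a "firebase" token is what the Firebase Admin SDK's verifyIdToken accepts; handing either to the other verifier fails before the signature is even considered.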