different payload from google oauth2 response causes json error

Question

I've got Google's oauth2 working on my app, where id_token is a string delimited with periods. I read here that the id_token is delimited into three parts and the second part contains the actual payload. If I split the string apart and decode the second value I get what I expect using my account. What I don't understand though is when I try on my wife's account if I parse that second part to json an "unexpected character" error.

I've tried grabbing the string from the console and running it through an online base64 decoder and do see the json doesn't get evaluated correctly.

{"iss":"accounts.google.com","sub":"111475728886332985448","azp":"74770364428-621332j2r657ish4jh94n9n1k0mplpgd.apps.googleusercontent.com","email":"her.email@gmail.com","at_hash":"lSKFL86HsCeu7TU4tsYBTw","email_verified":true,"aud":"74300369428-621332j2r657ish4jh94n9n1k0mplpgd.apps.googleusercontent.com","iat":1414192526,"exp":191819642��

What could be different between the two accounts that would cause my email to return valid json and hers not to?

not sure if its an issue with your paste but there's a bunch of weird chars at the end of your JSON string there end char should be } not �� — Linda Lawton - DaImTo, Dec 10 '14 at 07:43

score 1 · Accepted Answer · edited Oct 07 '21 at 07:24

1

An id_token is a JSON Web Token (JWT), in this case using compact serialization. JWT elements are base64url encoded with no padding, which is slightly different from plain base64 encoding as can be seen from: https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-signature-38#appendix-C

A nice id_token/JWT decoder can be found here: http://jwt.io/

You may have been lucky for your own id_token so that it did not need padding.

edited Oct 07 '21 at 07:24

Community

1
1

answered Dec 10 '14 at 06:56

Hans Z.

50,496
12
102
115

so just to be sure: I suspect that you've used plain base64 decoding instead of the required base64url-with-no-padding decoding – Hans Z. Dec 10 '14 at 08:30
Thanks! I was reading google's doc on OpenID Connect (https://developers.google.com/accounts/docs/OpenIDConnect) and all I saw was "An ID token is a cryptographically signed JSON object encoded in base 64." Unless that's implied and I'm stupid I didn't realize it needed padding. Following the example you linked to did the trick. – voodoogiant Dec 10 '14 at 14:49

different payload from google oauth2 response causes json error

1 Answers1