I'm trying to use Google's APIs to modify data on my users' Google accounts through the use of an id_token for authentication and an access_token to actually use Google's APIs. I know I'm able to verify the authenticity of an id token like so:

```javascript
import { OAuth2Client } from "google-auth-library";

const client = new OAuth2Client(GOOGLE_CLIENT_ID);
const ticket = await client.verifyIdToken({
    token: idToken,
    audience: GOOGLE_CLIENT_ID,
});
```

This verification happens locally on my device without needing to contact Google's servers each time a token needs to be verified.

I tried to figure out how to do the same for the access_token. The top answer on the post "How can I verify a Google authentication API access token?" suggests that I should call the endpoint `https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=accessToken` to do the verification, but that defeats my purpose of trying to do it locally.

What Google OAuth library/method can I use to verify an access token locally? Is it even possible?

Just to reiterate, I'm talking about the access_token, not the id_token.

Abir Taheer
  • Are you sure the client library doesn't already do this validation? Why do you want to do it again? Why not just make the call and, if it fails, deal with the failure? You're adding extra load on the auth server for really no reason. – Linda Lawton - DaImTo Feb 10 '21 at 08:14
  • @DaImTo I figured out how to validate it using the `at_hash` from the `id_token`, but since the payload from the `id_token` doesn't contain the scopes that the user granted, I decided to just make the HTTP call. My original reason for not doing it was because I didn't want to add unnecessary network latency if not necessary, because network latency is probs longer than the amount of time needed to verify locally. – Abir Taheer Feb 10 '21 at 08:35
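
The `at_hash` comparison mentioned in the last comment, written out as an added example (not code from this thread or from google-auth-library). It follows the OpenID Connect Core rule for `at_hash`: hash the access token with the hash of the ID token's `alg`, keep the left half, base64url-encode it. The function names and the sample tokens are constructed for illustration, and the ID token's claims are assumed to come from a successful `verifyIdToken` call.

```javascript
const nodeCrypto = require("node:crypto");

// JWS "alg" of the ID token -> hash used for at_hash (OIDC Core 3.1.3.6).
const HASH_FOR_ALG = {
  RS256: "sha256", RS384: "sha384", RS512: "sha512",
  ES256: "sha256", ES384: "sha384", ES512: "sha512",
};

function computeAtHash(accessToken, alg) {
  const hashName = HASH_FOR_ALG[alg];
  if (!hashName) throw new Error(`unsupported alg: ${alg}`);
  const digest = nodeCrypto.createHash(hashName).update(accessToken, "ascii").digest();
  // Left-most half of the digest, base64url-encoded without padding.
  return digest.subarray(0, digest.length / 2).toString("base64url");
}

// idToken: the raw JWT string (only its header is read here).
// verifiedPayload: claims obtained AFTER signature and audience checks passed.
function accessTokenMatchesIdToken(accessToken, idToken, verifiedPayload) {
  try {
    if (typeof accessToken !== "string" || !verifiedPayload?.at_hash) return false;
    const headerJson = Buffer.from(idToken.split(".")[0], "base64url").toString("utf8");
    const expected = Buffer.from(computeAtHash(accessToken, JSON.parse(headerJson).alg));
    const claimed = Buffer.from(String(verifiedPayload.at_hash));
    // timingSafeEqual throws on unequal lengths, so compare lengths first.
    return expected.length === claimed.length &&
      nodeCrypto.timingSafeEqual(expected, claimed);
  } catch {
    return false; // malformed token or unsupported alg: treat as no match
  }
}

// Constructed sample values, not real Google tokens. The signature segment is
// a placeholder because signature verification is assumed to be done already.
function demo() {
  const accessToken = "ya29.constructed-sample-access-token";
  const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  const payload = { sub: "1234567890", at_hash: computeAtHash(accessToken, "RS256") };
  const idToken = `${b64({ alg: "RS256", typ: "JWT" })}.${b64(payload)}.sig-not-checked-here`;
  return {
    genuine: accessTokenMatchesIdToken(accessToken, idToken, payload),
    swapped: accessTokenMatchesIdToken(accessToken + "x", idToken, payload),
  };
}
```

A match only shows that the access token was issued together with that verified ID token; it says nothing about granted scopes, expiry or revocation.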
