Google authDataManager is not validating access_tokens correctly

[cipiripper]

Issue Description

Google authDataManager is not validating access_tokens correctly. It validates them on correct endpoint, but with wrong url param, id_token instead of access_token. See this in code here.

So you are never able to validate a token, even if it is a valid one.

How it should be done

Here is the link on google docs that says that token to be validated should be passed on access_token URL parameter.

I'll create a pull request for this issue.

[flovilmart]

It seems that we'd need both, with id_token and access_token. Can you take that into account?

[cipiripper]

Sure. But are you sure about id_token being used? Is that used for some different kind of tokens?

[flovilmart]

Yes I'm pretty sure about that: #2023 (see the docs and notes)

[cipiripper]

I see, "id_tokens" is used for Android clients... Okay.

[flovilmart]

Yeah, that's painful this doc... Now I'm worried that people send their 'id_token' as 'access_token' and that it may lead to a breaking change...

[cipiripper]

@flovilmart One relatively off topic question (so I do not post new issue). Shouldn't user._linkWith() generate a sessionToken when passed a valid authData? I mean, work the same as user.login().

I'm calling this in cloud code, and I am trying to allow users to login using username:password or their google account...

[flovilmart]

If you are already logged in, you should have a session token already, and we regenerate the tokens only when re-setting the passwords.

[hslorenzo]

This line: return request("tokeninfo?id_token="+authData.access_token)causes "code: 101, message: Google auth is invalid for this user." error.

Trying this https://www.googleapis.com/oauth2/v3/tokeninfo?id_token="123XYZ" on a browser gives "error_description": "Invalid Value"

This should be changed to return request("tokeninfo?access_token="+authData.access_token) which gives the right response from the Google Authorization Server.

[flovilmart]

Both are valid, depending where your token is coming from 6415a35

[flovilmart]

@hslorenzo @cipiripper I've submitted a PR, if you wanna use id_token validation, you can use the id_token property instead of the access_token. If access_token validation fails, it will try the id_token validation for backwards compatibility.