Google authDataManager is not validating access_tokens correctly #2290
Comments
It seems that we'd need both, with id_token and access_token. Can you take that into account?
Sure. But are you sure about id_token being used? Is that used for some different kind of tokens?
Yes, I'm pretty sure about that: #2023 (see the docs and notes)
I see, "id_tokens" is used for Android clients... Okay.
Yeah, this doc is painful... Now I'm worried that people send their 'id_token' as 'access_token' and that it may lead to a breaking change...
@flovilmart One relatively off-topic question (so I do not post a new issue). Shouldn't I'm calling this in cloud code, and I am trying to allow users to log in using username:password or their Google account...
If you are already logged in, you should have a session token already, and we regenerate the tokens only when re-setting the passwords. |
This line: Trying this This should be changed to |
Both are valid, depending on where your token is coming from 6415a35
@hslorenzo @cipiripper I've submitted a PR, if you wanna use id_token validation, you can use the id_token property instead of the access_token. If access_token validation fails, it will try the id_token validation for backwards compatibility. |
Man, this google API is maddening... |
Issue Description
Google authDataManager is not validating access_tokens correctly. It validates them on the correct endpoint, but with the wrong URL parameter: id_token instead of access_token. See this in the code here.
So you are never able to validate a token, even if it is a valid one.
How it should be done
Here is the link to the Google docs, which say that the token to be validated should be passed in the access_token URL parameter.
I'll create a pull request for this issue.
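To make the point of the issue concrete, here is an added example (not parse-server's code and not from anyone in this thread) of what a correct Google authData check looks like: the tokeninfo query parameter has to match the kind of token the client sent (`access_token` for an OAuth access token, `id_token` for an OpenID Connect id_token), and a token that Google accepts still has to belong to the claimed user and have been issued to the expected client. It also shows the backwards-compatible fallback discussed above, where a value sent in the `access_token` field is retried as an `id_token`. Assumptions: the v3 tokeninfo endpoint, and that its JSON reply carries `sub` and `aud`. The `lookup` hook and `FAKE_RESPONSES` are constructed stand-ins for the HTTPS request so the snippet runs offline.

```javascript
// Added example, not parse-server's own code.
const TOKENINFO = 'https://www.googleapis.com/oauth2/v3/tokeninfo'; // assumed endpoint

// Build the tokeninfo URL. An OAuth access token must be sent as `access_token`;
// an OpenID Connect id_token must be sent as `id_token`. Sending an access token
// as `id_token` (the bug in this issue) makes Google reject every token.
function tokenInfoUrl(kind, token) {
  if (kind !== 'access_token' && kind !== 'id_token') {
    throw new Error('unsupported token kind: ' + kind);
  }
  return TOKENINFO + '?' + kind + '=' + encodeURIComponent(token);
}

// Validate authData = { id, access_token?, id_token? }.
// `lookup(url)` stands in for the HTTPS GET: it returns the parsed JSON body
// or throws when Google answers with an error. Returns { sub, kind } on
// success and throws otherwise.
function validateGoogleAuthData(authData, lookup, expectedAud) {
  // Try the access_token first; then, for backwards compatibility with clients
  // that put an id_token in the access_token field, retry that value as id_token.
  const attempts = [];
  if (authData.access_token) {
    attempts.push(['access_token', authData.access_token]);
    attempts.push(['id_token', authData.access_token]);
  }
  if (authData.id_token) attempts.push(['id_token', authData.id_token]);

  let lastError = new Error('no Google token supplied');
  for (const [kind, token] of attempts) {
    let info;
    try {
      info = lookup(tokenInfoUrl(kind, token));
    } catch (e) {
      lastError = e; // invalid for this kind; try the next attempt
      continue;
    }
    // A token Google accepts is not enough: it must belong to the user the
    // client claims to be, and (if we know our client id) be issued to us.
    if (info.sub !== String(authData.id)) {
      lastError = new Error('token belongs to a different Google user');
      continue;
    }
    if (expectedAud && info.aud !== expectedAud) {
      lastError = new Error('token was issued to another client');
      continue;
    }
    return { sub: info.sub, kind };
  }
  throw lastError;
}

// Constructed fake tokeninfo responses (sample data, not real Google output).
const FAKE_RESPONSES = {
  [tokenInfoUrl('access_token', 'ya29.example-access')]:
    { aud: 'my-client', sub: '1001', scope: 'openid profile' },
  [tokenInfoUrl('id_token', 'eyJ.example-id')]:
    { aud: 'my-client', sub: '1001', iss: 'https://accounts.google.com' },
  [tokenInfoUrl('id_token', 'eyJ.other-user')]:
    { aud: 'my-client', sub: '2002', iss: 'https://accounts.google.com' },
};

// Stand-in for the HTTPS request: unknown URLs behave like a Google error reply.
function fakeLookup(url) {
  if (!(url in FAKE_RESPONSES)) throw new Error('400 invalid_token');
  return FAKE_RESPONSES[url];
}

// Usage: a real access token, an id_token sent in the access_token field, and
// a valid token that belongs to someone else (must be rejected).
console.log(validateGoogleAuthData({ id: '1001', access_token: 'ya29.example-access' }, fakeLookup, 'my-client'));
console.log(validateGoogleAuthData({ id: '1001', access_token: 'eyJ.example-id' }, fakeLookup, 'my-client'));
try {
  validateGoogleAuthData({ id: '1001', id_token: 'eyJ.other-user' }, fakeLookup, 'my-client');
} catch (e) {
  console.log('rejected:', e.message);
}
```

The subject check is the part that matters most: without comparing `sub` to `authData.id`, any valid Google token from any account would log the attacker in as whichever user id they put in the request.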