google-auth-library-java

UserAuthorizer is discarding the id_token after successful authorization code exchange

Open dgrinbergs opened this issue 4 years ago • 1 comments

I'm trying to get data from the id_token which is returned when exchanging an authorization code with the token endpoint.

I have everything I need to make the request to the endpoint manually. However, this is very verbose and feels like re-inventing the wheel. It got me thinking that there must be a way to get this data using the classes provided by the library.

Currently I am using the com.google.auth.oauth2.UserAuthorizer class to build up a request for the exchange of information.

```kotlin
val userCredentials: UserCredentials = UserAuthorizer.newBuilder()
  .setClientId(googleOauthConfig.clientId)
  .setTokenStore(tokenStore)
  .setScopes(googleOauthConfig.scopes)
  .setTokenServerUri(URI.create("https://oauth2.googleapis.com/token"))
  .setCallbackUri(redirectUri)
  .build()
  .getCredentialsFromCode(authorizationCode, redirectUri)
```

The internals of getCredentialsFromCode() parse the response, and it contains all the tokens, including the id_token, but it gets discarded when constructing the UserCredentials object further down.

Debug mode showing that the value for id_token is stored

```java
return UserCredentials.newBuilder()
  .setClientId(clientId.getClientId())
  .setClientSecret(clientId.getClientSecret())
  .setRefreshToken(refreshToken)
  .setAccessToken(accessToken)
  .setHttpTransportFactory(transportFactory)
  .setTokenServerUri(tokenServerUri)
  .build(); // no mention of id_token
```

Regardless, I want to get this value so I can know basic information about the user such as their name, birthday and email address from a single request.

There does exist a method called idTokenWithAudience() which returns a Google ID Token from the refresh token response. If I call this, I get a token back that doesn't contain all the data that was available in the identically named id_token mentioned earlier, making it a no-go either.

dgrinbergs, Jan 06 '22 20:01

Wouldn't be as much of a problem if UserAuthorizer had a public constructor so I could just override getCredentialsFromCode.

After refreshing id_token, user profile stuff is missing; according to https://github.com/googleapis/google-api-dotnet-client/issues/1141#issuecomment-360239385, this info must be cached. How am I supposed to cache it if the library discards the value?

awesomekosm, Sep 19 '22 01:09
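
One way to keep the id_token that both posts above ask about, as an added example that is not part of the issue thread or the library's own code: do the authorization code exchange directly, verify the id_token with the library's TokenVerifier, and return the claims so the caller can store them. The class and method names are hypothetical; it assumes Java 11+, a client with a secret, and that the openid scope was requested.

```java
import com.google.api.client.json.GenericJson;
import com.google.api.client.json.gson.GsonFactory;
import com.google.api.client.json.webtoken.JsonWebToken;
import com.google.auth.oauth2.TokenVerifier;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

/** Hypothetical helper (not library code): does the code exchange itself and keeps the id_token. */
public final class IdTokenExchange {
  private static final URI TOKEN_URI = URI.create("https://oauth2.googleapis.com/token");
  private static final Set<String> ISSUERS = Set.of("https://accounts.google.com", "accounts.google.com");
  /** Returns the verified id_token claims so the caller can store the profile fields it needs. */
  public static JsonWebToken.Payload claimsFromCode(
      String clientId, String clientSecret, String code, URI redirectUri) throws Exception {
    String form = Map.of("grant_type", "authorization_code", "code", code,
            "client_id", clientId, "client_secret", clientSecret,
            "redirect_uri", redirectUri.toString())
        .entrySet().stream()
        .map(e -> e.getKey() + "=" + URLEncoder.encode(e.getValue(), StandardCharsets.UTF_8))
        .collect(Collectors.joining("&"));
    HttpRequest request = HttpRequest.newBuilder(TOKEN_URI)
        .header("Content-Type", "application/x-www-form-urlencoded")
        .POST(HttpRequest.BodyPublishers.ofString(form)).build();
    HttpResponse<String> response =
        HttpClient.newHttpClient().send(request, HttpResponse.BodyHandlers.ofString());
    if (response.statusCode() != 200) { // report the status only; bodies here can carry tokens
      throw new IllegalStateException("token endpoint returned HTTP " + response.statusCode());
    }
    GenericJson body = GsonFactory.getDefaultInstance().fromString(response.body(), GenericJson.class);
    Object idToken = body.get("id_token");
    if (!(idToken instanceof String)) {
      throw new IllegalStateException("no id_token in response; was the openid scope requested?");
    }
    // TokenVerifier checks the signature against Google's published certs, expiry, and aud.
    JsonWebToken.Payload claims = TokenVerifier.newBuilder()
        .setAudience(clientId).build().verify((String) idToken).getPayload();
    if (!ISSUERS.contains(claims.getIssuer())) {
      throw new SecurityException("unexpected issuer: " + claims.getIssuer());
    }
    return claims;
  }
}
```

Store only the claims you need (for example `sub` and `email`) rather than the raw token, and treat `email` as trustworthy only when `email_verified` is true.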