passport-google-oauth2
Pull out token info
The id_token has a lot of info that could be passed into the verify function. This package does a great job of pulling out the available info:
https://www.npmjs.com/package/google-id-token-verifier
Is there any way to get the id_token passed into the verify function? From what I read at https://github.com/jaredhanson/passport-google-oauth/issues/108 and https://github.com/jaredhanson/passport-google-oauth/issues/6#issuecomment-11054352, it used to be possible to do so in passport-google-oauth. The motivation behind this is to verify the token with Google's endpoint https://developers.google.com/identity/sign-in/web/backend-auth
~@GuillaumeLachaud did you find a way around this? Like you say it doesn't look like it's possible any more 😕~
Edit: I have discovered that there is a `params` that can be exposed if you provide 6 arguments to the callback:
```js
const strategy = new Strategy(
  {
    // ...
  },
  (req, accessToken, refreshToken, params, profile, done) => {
    // params should contain `access_token`, `id_token`, `scope`, `expires_in`, `token_type`
  }
);
```
@mikefrancis is that documented anywhere?
Edit: I can see that it is still the case, but that it depends on the `passReqToCallback` flag as well: it's 6 arguments if that's true, and 5 if it's false (see passport-oauth2 code).
@jaredhanson perhaps this should be documented? It's great that we can get this data (I also need the id token, in fact, it's the only thing I need) but the implementation being undocumented makes it a bit sketchy to use, and relying on the arity of the callback, with variations depending on the `passReqToCallback`, feels fragile.
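The arity dependence discussed in this thread, as an added example that is not part of the original comments and is not passport-oauth2's own code. `dispatchVerify` is a simplified model of the behaviour described above, and `verifyWithIdToken`, `sampleCtx` and all sample values are hypothetical. It shows how a default parameter silently drops `params`, and a wrapper that pins the arity and fails closed when `id_token` is absent.

```javascript
// Simplified model (assumption) of the arity dispatch described in the thread:
// `params` is passed only when the verify function declares 6 parameters with
// passReqToCallback, or 5 without it.
function dispatchVerify(verify, passReqToCallback, ctx) {
  const { req, accessToken, refreshToken, params, profile, done } = ctx;
  const wantsParams = verify.length === (passReqToCallback ? 6 : 5);
  const args = [accessToken, refreshToken];
  if (wantsParams) args.push(params);
  args.push(profile, done);
  if (passReqToCallback) args.unshift(req);
  return verify(...args);
}

// Hypothetical helper: returns a verify function whose declared arity always
// matches the flag, and fails closed when the token response has no id_token.
function verifyWithIdToken(passReqToCallback, handler) {
  const run = (req, accessToken, refreshToken, params, profile, done) => {
    if (!params || typeof params.id_token !== 'string') {
      return done(new Error('id_token missing from token response'));
    }
    return handler({ req, accessToken, refreshToken, idToken: params.id_token, profile }, done);
  };
  return passReqToCallback
    ? (req, at, rt, params, profile, done) => run(req, at, rt, params, profile, done)
    : (at, rt, params, profile, done) => run(undefined, at, rt, params, profile, done);
}

// Constructed sample values standing in for a token response and profile.
function sampleCtx(done, params = { id_token: 'header.payload.signature', token_type: 'Bearer' }) {
  return { req: { ip: '192.0.2.1' }, accessToken: 'at', refreshToken: 'rt', params, profile: { id: '123' }, done };
}

function demo() {
  const seen = {};
  // Pitfall: a default value on `done` lowers Function.length from 5 to 4, so
  // `params` is not passed and the profile lands in its slot.
  const fragile = (at, rt, params, profile, done = () => {}) => { seen.fragile = params.id_token; };
  dispatchVerify(fragile, false, sampleCtx(() => {}));
  const safe = verifyWithIdToken(false, (info, done) => done(null, info.idToken));
  dispatchVerify(safe, false, sampleCtx((err, user) => { seen.safe = user; }));
  return seen;
}

console.log(demo());
```

The `id_token` obtained this way is still unverified input; it has to be validated (for example against Google's endpoint, as the thread intends) before any claim in it is trusted.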