How can I verify a Google authentication API access token?
Asked 07 September, 2021
Viewed 1.7K times
  • 53
Votes

How can I verify a Google authentication access token?

I need to somehow query Google and ask: Is [given access token] valid for the [[email protected]] Google account?

Short version:
It's clear how an access token supplied through the Google Authentication Api :: OAuth Authentication for Web Applications can be used to then request data from a range of Google services. It is not clear how to check if a given access token is valid for a given Google account. I'd like to know how.

Long version:
I'm developing an API that uses token-based authentication. A token will be returned upon provision of a valid username+password or upon provision of a third-party token from any one of N verifiable services.

One of the third-party services will be Google, allowing a user to authenticate against my service using their Google account. This will later be extended to include Yahoo accounts, trusted OpenID providers and so on.

Schematic example of Google-based access:

alt text http://webignition.net/images/figures/auth_figure002.png

The 'API' entity is under my full control. The 'public interface' entity is any web- or desktop-based app. Some public interfaces are under my control, others will not be and others still I may never even know about.

Therefore I cannot trust the token supplied to the API in step 3. This will be supplied along with the corresponding Google account email address.

I need to somehow query Google and ask: Is this access token valid for [email protected]?

In this case, [email protected] is the Google account unique identifier - the email address someone uses to log in to their Google account. This cannot be assumed to be a Gmail address - someone can have a Google account without having a Gmail account.

The Google documentation clearly states how, with an access token, data can be retrieved from a number of Google services. Nothing seems to state how you can check if a given access token is valid in the first place.

Update The token is valid for N Google services. I can't try a token against a Google service as means of verifying it as I won't know which subset of all Google's services a given user actually uses.

Furthermore, I'll never be using the Google authentication access token to access any Google services, merely as a means of verifying a supposed Google user actually is who they say they are. If there is another way of doing this I'm happy to try.

11 Answer