How can I verify a Google authentication API access token?

Frontend · unresolved · 10 answers · 492 views
长发绾君心 2020-11-30 17:19

How can I verify a Google authentication access token?

I need to somehow query Google and ask: Is [given access token] valid for the [exampl

10 answers
  •  失恋的感觉
    2020-11-30 17:52

    The Google OAuth code-flow response, in addition to access_token, also returns an id_token that contains information useful for validation, in encrypted form.

    One thing that makes ID tokens useful is the fact that you can pass them around different components of your app. These components can use an ID token as a lightweight authentication mechanism authenticating the app and the user. But before you can use the information in the ID token or rely on it as an assertion that the user has authenticated, you must validate it.

    Validation of an ID token requires several steps:

    • Verify that the ID token is a JWT which is properly signed with an appropriate Google public key.
    • Verify that the value of aud in the ID token is equal to your app’s client ID.
    • Verify that the value of iss in the ID token is equal to accounts.google.com or https://accounts.google.com.
    • Verify that the expiry time (exp) of the ID token has not passed.
    • If you passed a hd parameter in the request, verify that the ID token has a hd claim that matches your Google Apps hosted domain.

    https://developers.google.com/identity/protocols/OpenIDConnect#validatinganidtoken link has code samples for validation of ID tokens.

    See also https://security.stackexchange.com/questions/37818/why-use-openid-connect-instead-of-plain-oauth.
