Cloud endpoints oauth2 error

Question

I just recently was able to refactor my app engine application to support Cloud Endpoints after watching the IMO helpful GDL episodes on YouTube.

I\'m testing my s

Answer 1

There are two types of tokens: ID tokens and standard Bearer tokens.

Bearer Token:

This is the standard token retrieved through the OAuth dance.

ID Token:

A typical ID token will look something like eyJhbGciOiJSUzI1NiIsImtpZCI6IjIxZWFlMTVkODE.eyJpc3MiOiJhY2NvdW50cy5n.oXLawgz_ed (except with segments that are much longer) and is a signed JWT.

An ID token can be obtained in JavaScript by adding 'id_token' to the response type, as is done in our Tic-Tac-Toe sample.

This way, the token returned from the OAuth request will also have an ID token:

var token = gapi.auth.getToken();
// Use id_token instead of bearer token
token.access_token = token.id_token;    

What You Are Seeing in the Logs:

The line

W 2013-03-14 08:52:14.748 id_token verification failed: Wrong number of segments in token: ya29.AHES6ZSpbeiTPTOJhCTtRdypgldcrRBQBKH8oQ8Y_FpxG5-Lr3OW6dE

is only a warning, meaning that the observed token ya29.AHE... is not an ID token and the next line in the log

I 2013-03-14 08:52:14.748 Checking for oauth token.

means that it is moving on to check if the token is a Bearer Token.

This DOES NOT mean your token was invalid, just that it was checking the Bearer Token.

The line

W 2013-03-14 08:52:14.885 Found 1 RPC request(s) without matching response (presumably due to timeouts or other errors)

likely means there was an RPC to verify the token that failed. The main pieces to verify a Bearer Token are a call to

oauth.get_current_user(EMAIL_SCOPE)

and a request to

https://www.googleapis.com/oauth2/v2/tokeninfo?access_token=ya29.AHE...

to verify the Client ID and Audience on the token.

ID Token In Depth:

The first segment is a base64url encoded description of the encryption used. For example.

>>> import base64, json
>>> segments = id_token.split('.')
>>> first_segment = segments[0] + '=' * ((4 - len(segments[0])) % 4)
>>> json.loads(base64.urlsafe_b64decode(first_segment))
{u'alg': u'RS256', u'kid': u'21eae15d817c1b4a8f6ff4501930512d07cbe684'}

the second segment is a base64url encoded decription of the token's contents:

>>> second_segment = segments[1] + '=' * ((4 - len(segments[0])) % 4)
>>> base64.urlsafe_b64decode(second_segment)
{u'at_hash': u'xxxyyyzzz',  # Fake Data
 u'aud': u'someclient_id.apps.googleusercontent.com',
 u'azp': u'someclient_id.apps.googleusercontent.com',
 u'cid': u'someclient_id.apps.googleusercontent.com',
 u'email': u'joe@mail.com',
 u'email_verified': u'true',
 u'exp': 1363289943,
 u'hd': u'google.com',
 u'iat': 1363286043,
 u'id': u'123456789',  # Fake Data
 u'iss': u'accounts.google.com',
 u'sub': u'123456789',  # Fake Data
 u'token_hash': u'xxxyyyzzz',  # Fake Data
 u'verified_email': u'true'}

and the third segment is a combination of the first two signed with Google's private key.