Playing With Google OIDC
Fleetinggoogle api endpoint /auth [[id:c9fbfeed-e3fa-4a74-bdd7-65365e4be131][OAuth 2.0]]
- added openid in the scope of my app
- added http://localhost in the valid redirect uris
Creating my app, I get a client_id.
$BROWSER "https://accounts.google.com/o/oauth2/v2/auth?scope=openid&response_type=token&redirect_uri=http://localhost&client_id=${client_id}"
After the flow ended, I can see my access token in the redirection -> 
To validate the received access token, because it is not self-encoded, you need to check with google.
http "https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=${access_token}"
{
"issued_to": "<myapp>",
"audience": "<myapp>",
"user_id": "<mygoogleid>",
"scope": "openid",
"expires_in": 2520,
"access_type": "online"
}
And I can get some information using the userinfo endpoint.
curl -fsSL "https://www.googleapis.com/oauth2/v1/userinfo?alt=json" --header "Authorization: Bearer ${access_token}"
{
"id": "<mygoogleid>",
"picture": "https://lh3.googleusercontent.com/a-/ALV-UjW7wFuu0ILjZ-pRIAV1fUXFZ8EdGosICWo26wN62V6iH7RPnw=s96-c"
}
Getting an ID Token
I need to precise the response_type=id_token, as per response_type.
$BROWSER "https://accounts.google.com/o/oauth2/v2/auth?scope=openid&response_type=id_token&redirect_uri=http://localhost&client_id=${client_id}&nonce=n-0S6_WzA2Mj"
Let’s analyse the received id_token, checking it against google jwks_uri along the way.
JWKS_URI="https://www.googleapis.com/oauth2/v3/certs"
jwt decode --ignore-exp --secret "$(curl "${JWKS_URI}")" "${idtoken}"|sed "s/${client_id}/<myclientid>/"
Token header
------------
{
"typ": "JWT",
"alg": "RS256",
"kid": "3628258601113e6576a45337365fe8b8973d1671"
}
Token claims
------------
{
"aud": "<myclientid>",
"azp": "<myclientid>",
"exp": 1732880030,
"iat": 1732876430,
"iss": "https://accounts.google.com",
"jti": "808c957930c24a2b2320475c7642c50e45bd9c31",
"nbf": 1732876130,
"nonce": "n-0S6_WzA2Mj",
"sub": "101072090510820935439"
}
Great!