
How do I validate an OAuth2 token obtained on an Android device via the Google Identity Toolkit (GitkitClient) on 3rd-party backend (custom python backend, non-gae)?

I'm able to obtain a token on Android via the use of GitkitClient.

But how can my non-google-app-engine (Python) backend verify that this token is valid (from Google)?

Daniel F

1 Answer

You could use the Google Identity Toolkit Python client library to verify that token: https://github.com/google/identity-toolkit-python-client.

from identitytoolkit import gitkitclient

# Service-account private key downloaded from the Google Developer Console
p12_file = 'YOUR_SERVICE_ACCOUNT_PRIVATE_KEY_FILE.p12'
with open(p12_file, 'rb') as f:
    key = f.read()

gitkit_instance = gitkitclient.GitkitClient(
  client_id='YOUR_WEB_APPLICATION_CLIENT_ID_AT_GOOGLE_DEVELOPER_CONSOLE',
  service_account_email='YOUR_SERVICE_ACCOUNT_EMAIL@developer.gserviceaccount.com',
  service_account_key=key,
  widget_url='URL_ON_YOUR_SERVER_TO_HOST_GITKIT_WIDGET')

# 'gtoken' is the cookie the Gitkit JavaScript widget stores; the Android
# client obtains the same kind of token. 'request' here is a Django request
# object; read the token from wherever your framework exposes it.
user = gitkit_instance.VerifyGitkitToken(request.COOKIES['gtoken'])

Jin Liu
  • Thank you so much! I didn't realize that it was the same stuff which the javascript library stored in the cookies; this is beautiful. The odd thing is that I was trying to use Python's `oauth2client` to verify it, but I never managed to get it working ( `AppIdentityError: Invalid token signature` for hours ). Would you happen to know why that library doesn't work on the token? – Daniel F Aug 07 '15 at 03:27
  • You are welcome! The oauth2client is able to verify the Google OAuth2 IdToken. However Google Identity Toolkit uses its own private key, which is different from the Google Oauth2 token, to generate the token you obtained from GitkitClient. – Jin Liu Aug 07 '15 at 06:46
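The comment exchange above comes down to one point: a signed token only verifies against the key set of the issuer that minted it. The following is an added example, written for this page and not taken from the answer or from the identity-toolkit library. It uses HS256 (HMAC-SHA256) so that it runs on the standard library alone; Gitkit and Google OAuth2 ID tokens are RS256, but the order of checks a backend performs is the same: find the signing key by `kid`, verify the signature, and only then trust the `iss`, `aud` and `exp` claims. All key material, the client ID, the issuer string and the user claims are constructed placeholders.

```python
"""Added example: a token verifies only against its own issuer's key set.

Not code from the answer above or from identity-toolkit. HS256 is used so
the example is self-contained; the verification steps mirror RS256 flows.
"""
import base64
import hashlib
import hmac
import json
from typing import Dict


class TokenError(Exception):
    """Raised for any verification failure; the message names the failed check."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, kid: str, secret: bytes) -> str:
    """Issuer side: header.payload.signature, each part base64url encoded."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, key_set: Dict[str, bytes], audience: str,
                 issuer: str, now: int) -> dict:
    """Verifier side. The signature is checked before any claim is trusted."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token must not get to choose 'none' or another alg.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    secret = key_set.get(header.get("kid"))
    if secret is None:
        # The analogue of checking a Gitkit token against Google OAuth2's keys:
        # nothing in this key set signed it, so it cannot be accepted.
        raise TokenError("invalid token signature: no key in this key set signed it")
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("invalid token signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    if claims.get("aud") != audience:   # minted for some other client application
        raise TokenError("wrong audience")
    if int(claims.get("exp", 0)) <= now:
        raise TokenError("token expired")
    return claims


# --- constructed sample data: placeholders, not real keys or Google identifiers ---
NOW = 1_438_900_000                        # fixed clock so results are reproducible
CLIENT_ID = "example-client-id.apps.example"
ISSUER = "https://gitkit-issuer.example"   # hypothetical issuer value
GITKIT_KEYS = {"gitkit-key-1": b"constructed-gitkit-signing-secret"}
OAUTH2_KEYS = {"oauth2-key-1": b"constructed-oauth2-signing-secret"}
DEMO_TOKEN = mint_token(
    {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-123",
     "email": "user@example.test", "iat": NOW, "exp": NOW + 3600},
    kid="gitkit-key-1", secret=GITKIT_KEYS["gitkit-key-1"])


def outcome(token: str, key_set: Dict[str, bytes], now: int = NOW) -> str:
    """Return 'ok' or 'rejected: <reason>' for one verification attempt."""
    try:
        verify_token(token, key_set, audience=CLIENT_ID, issuer=ISSUER, now=now)
        return "ok"
    except TokenError as err:
        return "rejected: " + str(err)


def run_demo() -> Dict[str, str]:
    """The situations from the question and its comments, side by side."""
    header_b64, _payload_b64, sig_b64 = DEMO_TOKEN.split(".")
    forged_payload = _b64url_encode(json.dumps(
        {"iss": ISSUER, "aud": CLIENT_ID, "sub": "admin", "exp": NOW + 3600},
        separators=(",", ":")).encode())
    return {
        "with_gitkit_keys": outcome(DEMO_TOKEN, GITKIT_KEYS),
        "with_oauth2_keys": outcome(DEMO_TOKEN, OAUTH2_KEYS),
        "tampered_payload": outcome(header_b64 + "." + forged_payload + "." + sig_b64,
                                    GITKIT_KEYS),
        "after_expiry": outcome(DEMO_TOKEN, GITKIT_KEYS, now=NOW + 7200),
    }
```

Calling `run_demo()` gives `ok` for the Gitkit key set and a signature rejection for the OAuth2 key set, which is the shape of the `Invalid token signature` failure described in the comments; the same token is also rejected once its payload is altered or its `exp` has passed. The design choice worth copying is the ordering: the signature is verified with a pinned algorithm and a key chosen by the verifier's key set before a single claim is read, so a token minted by anyone else never gets as far as the audience or expiry checks.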