Issue obtaining a valid JWT from Google Oauth2 Sign in

[REPTILEHAUS]

Im using your Google Auth adapter for web login. my call to google yields an access_token (rather than ID token), the token is not a standard JWT and looks like the following : ya29.a0AfH6SMDBFlJErplnG3niNU_qksL9yyOfbbYJO5DF7uDPGVpIx4ef6CEBfxZ00QBDdDeLtOQsPQqzz57tn7AUwHxhO0vT0Lg49spIsaWgVkE_lWmhC29Kgcl-DueDWFdS8f57w5KLFusqvLtwlLCkNfAZIeqgJN6Kg_2

It seems that Google have updated their Oauth2 APIs, I also see you have updated your Google auth provider however it doesnt accept this as a valid JWT, is there some other way to authenticate with Google and Parse now ?

https://developers.google.com/identity/protocols/oauth2

[mtrezza]

Thanks for reporting.

@SebC99 since you are familiar with #6734, do you have any suggestion why this fails?

[REPTILEHAUS]

From what I can see your auth adapter is using Oauth and expecting a id_token JWT. My app receives an OpenID access_token which is not a valid JWT

[REPTILEHAUS]

In your docs is mentions 2 flows for google, one using the id_token and one using access_token however your adapter only appears to handle the id_token flow https://github.com/parse-community/parse-server/blob/master/src/Adapters/Auth/google.js

[REPTILEHAUS]

The old code worked because it validated both id_tokens and access_tokens independently- access tokens are not JWTs so when the latest commit tries to validate them it doesn’t work, I believe the difference here is that id_token is provided by OAuth whereas access_token is from OpenID protocol

[REPTILEHAUS]

I will fork and use the old Google adapter as a workaround

[SebC99]

I have to admit I don’t understand why there’s sometimes id_token and sometimes access_token. The google documentation isn’t clear at all about this.
The link you provided is about client use, and there’s nothing about token verification in it.
We could add a method for access_token that just saves it in auth_data without any kind of verification.
Or I could use the old “development verification” of the old adapter for access_token.
If someone finds the right way to check access_token in production I would be happy to do it

[SebC99]

As far as I can see the response from google when exchanging an authorization code for a token contains both access token and id token:
https://developers.google.com/identity/protocols/oauth2/openid-connect#exchangecode
You don’t observe this @REPTILEHAUS ?

[REPTILEHAUS]

I use another 3rd party plugin for handling OAuth2 login https://github.com/moberwasserlechner/capacitor-oauth2, it all worked seamlessly up until a month ago and I see they have had an updated code base and you guys did too, however I havent fully reviewed their code yet to see if there was a breaking change, all I noticed was that passing the token to parse fails with invalid JWT as its the access_token now being returned rather than the id_token

[REPTILEHAUS]

I guess either way they maybe should be handled separately as the Parse docs specify that either id_token or access_token can be used as 2 different flows

 https://docs.parseplatform.org/parse-server/guide/#oauth-and-3rd-party-authentication 

{
  "google": {
    "id": "user's Google id (string)",
    "id_token": "an authorized Google id_token for the user (use when not using access_token)",
    "access_token": "an authorized Google access_token for the user (use when not using id_token)"
  }
}