How do I validate an access token using the at_hash claim of an id token?

Backend · Unresolved · 5 · 1560
遇见更好的自我 2021-02-09 19:36

Say I have the following response from Google's OAuth2 /token endpoint after exchanging the code obtained from the /auth endpoint (using this example

5 answers
  •  慢半拍i (original poster)
     2021-02-09 20:19

    PHP solution:

    require 'vendor/autoload.php'; // google/apiclient installed via Composer

    $accessToken = 'xxx';
    $idToken = 'yyy';
    $client = new Google_Client();

    // Verifies the ID token's signature, issuer, expiry and audience;
    // returns the claims array on success, false on failure.
    $verification = $client->verifyIdToken($idToken);
    if ($verification === false) {
        throw new RuntimeException('ID token failed verification');
    }

    // at_hash = base64url(left-most 128 bits of SHA-256(access_token)), unpadded.
    // SHA-256 because Google signs ID tokens with RS256.
    $hash = hash('sha256', $accessToken);   // 64 hex chars
    $hash = substr($hash, 0, 32);           // left half: 32 hex chars = 16 bytes
    $hash = hex2bin($hash);
    $hash = base64_encode($hash);
    $hash = rtrim($hash, '=');              // strip base64 padding
    $hash = str_replace('/', '_', $hash);   // base64 -> base64url
    $hash = str_replace('+', '-', $hash);

    if (isset($verification['at_hash']) && hash_equals($verification['at_hash'], $hash)) {
        // access token is valid: it is the one issued together with this ID token
    }

    Google_Client available here: https://packagist.org/packages/google/apiclient
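The at_hash computation in the answer above is defined by OpenID Connect Core 1.0 section 3.3.2.11 and is independent of language and library: hash the ASCII octets of the access token with the hash function behind the ID token's `alg` (SHA-256 for RS256), keep the left-most half of the digest, and base64url-encode it without padding. The following Python module is an added example for this thread, not the answer's PHP code and not part of google/apiclient; it goes slightly beyond the answer by selecting the hash for the 384- and 512-bit `alg` variants and by comparing in constant time. The access token and claims it uses are constructed sample values.

```python
"""Compute and check the OpenID Connect at_hash claim (OIDC Core 1.0, 3.3.2.11).

Added example for this thread; it is not the answer's PHP code and not part of
google/apiclient. The sample access token and claims below are constructed.
"""
import base64
import hashlib
import hmac

# at_hash is built with the hash function of the ID token's JOSE "alg" header:
# SHA-256 for RS256/ES256/PS256/HS256, SHA-384 for *384, SHA-512 for *512.
_ALG_TO_HASH = {
    "RS256": "sha256", "ES256": "sha256", "PS256": "sha256", "HS256": "sha256",
    "RS384": "sha384", "ES384": "sha384", "PS384": "sha384", "HS384": "sha384",
    "RS512": "sha512", "ES512": "sha512", "PS512": "sha512", "HS512": "sha512",
}


def compute_at_hash(access_token: str, alg: str = "RS256") -> str:
    """Return base64url(left-most half of hash(access_token)) without padding."""
    try:
        hash_name = _ALG_TO_HASH[alg]
    except KeyError:
        raise ValueError(f"unsupported ID token alg for at_hash: {alg}") from None
    # The spec hashes the ASCII octets of the access_token value.
    digest = hashlib.new(hash_name, access_token.encode("ascii")).digest()
    left_half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(left_half).decode("ascii").rstrip("=")


def access_token_matches_id_token(access_token: str, id_token_claims: dict,
                                  alg: str = "RS256") -> bool:
    """True only if the (already signature-verified) ID token binds this access token."""
    expected = id_token_claims.get("at_hash")
    if not isinstance(expected, str) or not expected:
        return False  # no at_hash claim: nothing binds the access token to this ID token
    # Constant-time comparison, for the same reason hash_equals() is used in PHP.
    return hmac.compare_digest(compute_at_hash(access_token, alg), expected)


# Constructed sample values (not real Google tokens).
SAMPLE_ACCESS_TOKEN = "ya29.constructed-sample-access-token"
SAMPLE_ID_TOKEN_CLAIMS = {
    "iss": "https://accounts.google.com",
    "aud": "example-client-id.apps.googleusercontent.com",
    "at_hash": compute_at_hash(SAMPLE_ACCESS_TOKEN, "RS256"),
}

if __name__ == "__main__":
    print("at_hash:", SAMPLE_ID_TOKEN_CLAIMS["at_hash"])
    print("issued token matches:",
          access_token_matches_id_token(SAMPLE_ACCESS_TOKEN, SAMPLE_ID_TOKEN_CLAIMS))
    print("different token matches:",
          access_token_matches_id_token(SAMPLE_ACCESS_TOKEN + "x", SAMPLE_ID_TOKEN_CLAIMS))
```

The check only proves that the access token is the one issued alongside this particular ID token; it says nothing on its own, because an unsigned or unverified ID token could carry any at_hash. Verify the ID token's signature, issuer, audience and expiry first (what `verifyIdToken` does in the PHP answer), then compare at_hash. For Google, `alg` is RS256, so the SHA-256 path is the one that applies.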
