Say I have the following response from Google's OAuth2 /token endpoint after exchanging the code obtained from the /auth endpoint (using this example
PHP solution:
<?php
require_once 'vendor/autoload.php'; // google/apiclient

$accessToken = 'xxx'; // access_token from the /token response
$idToken = 'yyy';     // id_token from the same response

$client = new Google_Client();
$client->setClientId('your-client-id'); // needed so the aud claim is checked
// Returns the ID token payload (claims) on success, false if the signature,
// issuer, expiry or audience check fails.
$verification = $client->verifyIdToken($idToken);
if ($verification === false || empty($verification['at_hash'])) {
    // invalid ID token, or no at_hash claim to bind the access token to
    exit('ID token verification failed');
}

// at_hash: left half of SHA-256(access_token), base64url-encoded without padding
$hash = hash('sha256', $accessToken);
$hash = substr($hash, 0, 32);   // left 128 bits (32 hex chars)
$hash = hex2bin($hash);
$hash = base64_encode($hash);
$hash = rtrim($hash, '=');
$hash = str_replace('/', '_', $hash);
$hash = str_replace('+', '-', $hash);
if (hash_equals($verification['at_hash'], $hash)) {
    // access token is valid (bound to this ID token)
}
Google_Client is available here: https://packagist.org/packages/google/apiclient
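The same at_hash check as an added Python example (not from the original answer or the google/apiclient library), generalized beyond the answer's SHA-256 case to the digest implied by the ID token's signing algorithm per OpenID Connect Core 3.1.3.6, with a constant-time comparison; the token values used are constructed.

```python
import base64
import hashlib
import hmac

# OIDC Core 3.1.3.6: hash with the algorithm matching the ID token's JWS "alg"
# (RS256/HS256/ES256 -> SHA-256, *384 -> SHA-384, *512 -> SHA-512), keep the
# left half of the digest, base64url-encode it without padding.
_DIGEST_FOR_ALG_SUFFIX = {
    "256": hashlib.sha256,
    "384": hashlib.sha384,
    "512": hashlib.sha512,
}


def compute_at_hash(access_token: str, alg: str = "RS256") -> str:
    """Return the at_hash value that an ID token signed with `alg` must carry
    for `access_token` (Google signs ID tokens with RS256)."""
    suffix = alg[-3:]
    if suffix not in _DIGEST_FOR_ALG_SUFFIX:
        raise ValueError(f"unsupported alg for at_hash: {alg}")
    digest = _DIGEST_FOR_ALG_SUFFIX[suffix](access_token.encode("ascii")).digest()
    left_half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(left_half).rstrip(b"=").decode("ascii")


def access_token_matches(access_token: str, at_hash_claim, alg: str = "RS256") -> bool:
    """True only when the verified ID token's at_hash claim binds this access token.
    A missing or non-string claim is treated as unverified, not as a pass."""
    if not isinstance(at_hash_claim, str):
        return False
    expected = compute_at_hash(access_token, alg)
    # constant-time compare, same role as hash_equals() in the PHP answer
    return hmac.compare_digest(expected, at_hash_claim)


if __name__ == "__main__":
    token = "ya29.constructed-access-token"  # constructed sample value
    print(compute_at_hash(token), access_token_matches(token, compute_at_hash(token)))
```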