 

Google OAuth2 verifyIdToken returns invalid token signature with valid id_token

I'm trying to work with the PHP client of the Google OAuth2 API to validate an id_token. The id_token is provided by a JavaScript app on which the user logs in with his Google account, and I'm giving this token to my PHP API server in order to validate it and retrieve the right information from my database.

The login in JavaScript is successful and the access token and id_token seem right, but when I try to verify it with Google_Client->verifyIdToken()

$client = new Google_Client();
// $myToken holds the id_token string received from the JavaScript client
$ticket = $client->verifyIdToken($myToken);

it returns an "invalid token signature" exception (it fails when trying to use the Google cert to validate the token).

My first assumption was that the token is not valid, so to make sure it is, I submitted it to the Google validation URL https://www.googleapis.com/oauth2/v1/tokeninfo?id_token=token

It returns user info, so my token seems to be valid:

{
issuer: "accounts.google.com",
issued_to: "id",
audience: "id",
user_id: "id",
expires_in: 2149,
issued_at: 1397636222,
email: "mail",
verified_email: true
}

I've tried everything I can think of, but can't solve this one. Can someone help me?

EDIT: I pass it only the id_token, which I get when I authenticate on my JavaScript app:

access_token: "ya ... Es"
authuser: "1"
client_id: "81 ... .apps.googleusercontent.com"
code: "4/9... gI"
cookie_policy: "single_host_origin"
expires_at: "1397723048"
expires_in: "3600"
g-oauth-window: Window
g_user_cookie_policy: "single_host_origin"
hd: "dmic.fr"
id_token: "ey... d8E" <====================================
issued_at: "1397719448"
num_sessions: "2"
prompt: "none"
response_type: "code token id_token gsession"
scope: "https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/plus.me"
session_state: "9 ... 2162..936b"
state: ""
status: Object
token_type: "Bearer"

At some point I also tried to pass the whole access token to $client->setAccessToken() and call $client->verifyIdToken() with no parameters (so that it extracts the id_token from the access token itself), with the same result.

All the code I use is already posted. I also tried to set apikey, client_id and client_secret, with no result.

asked Nov 02 '22 01:11 by jbduzan


1 Answer

I had a similar problem: I got an "Invalid token signature" error from oauth2client, but it worked with the tokeninfo API call.

In my case it was probably caused by the crypto lib used by oauth2client, as the problem disappeared when I replaced PyCrypto 2.6 with pyOpenSSL 0.15.1. A PyCrypto bug, maybe?

EDIT: Yep, verified, it's a PyCrypto bug. It was closed 20 hours ago :D

https://github.com/google/oauth2client/issues/201

answered Nov 08 '22 03:11 by BlackGhost
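What verifyIdToken() has to do locally, and why a library whose RSA is broken reports exactly the error in the question, is easier to see with the check written out. The block below is an added worked example, not code from the question, the answer, the Google PHP client or oauth2client. It uses only the Python standard library (Python because the answer concerns the Python oauth2client; the steps are the same for the PHP client). A freshly generated 1024-bit RSA key stands in for Google's signing certificates (in production the public keys are fetched from https://www.googleapis.com/oauth2/v3/certs and selected by the token header's kid); the kid "demo-kid-1", the client ID, the sub and the e-mail addresses are constructed placeholders. The verifier checks the algorithm against an allow-list, looks the key up by kid, verifies the RSASSA-PKCS1-v1_5/SHA-256 signature over header.payload, then checks iss, aud and exp.

```python
import base64, hashlib, hmac, json, random, time

def _is_probable_prime(n, rounds=16):  # Miller-Rabin on an odd candidate
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_rsa_key(bits=1024):  # toy-sized stand-in for Google's signing key; not for production
    def prime(b):
        while True:
            c = random.getrandbits(b) | (1 << (b - 1)) | 1
            if _is_probable_prime(c):
                return c
    e = 65537
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this guarantees gcd(e, phi) == 1
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _emsa_pkcs1_v15(message, k):  # EMSA-PKCS1-v1_5 of SHA-256(message) to k bytes (RFC 8017, 9.2)
    digest_info = bytes.fromhex("3031300d060960864801650304020105000420")  # DER prefix for SHA-256
    t = digest_info + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_verify(signing_input, signature, n, e):
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    em = pow(int.from_bytes(signature, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(signing_input, k))

def mint_id_token(claims, key, kid, alg="RS256"):  # issuer side; alg="none" yields an unsigned token
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc({"alg": alg, "kid": kid, "typ": "JWT"}) + "." + enc(claims)
    k = (key["n"].bit_length() + 7) // 8
    em = int.from_bytes(_emsa_pkcs1_v15(signing_input.encode(), k), "big")
    sig = pow(em, key["d"], key["n"]).to_bytes(k, "big") if alg == "RS256" else b""
    return signing_input + "." + b64url_encode(sig)

def verify_id_token(token, keys, client_id, now=None):  # keys: kid -> (n, e) from Google's certs URL
    h_b64, p_b64, s_b64 = token.split(".")  # ValueError on a malformed token
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "RS256":  # the token must never choose the algorithm
        raise ValueError("unexpected alg")
    if header.get("kid") not in keys:
        raise ValueError("unknown kid")
    n, e = keys[header["kid"]]
    if not rs256_verify(f"{h_b64}.{p_b64}".encode(), b64url_decode(s_b64), n, e):
        raise ValueError("invalid token signature")
    claims = json.loads(b64url_decode(p_b64))
    if claims.get("iss") not in ("accounts.google.com", "https://accounts.google.com"):
        raise ValueError("wrong issuer")
    if claims.get("aud") != client_id:  # tokeninfo's "audience" field is this claim
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

def run_checks():  # one valid token plus four that must be rejected; every value is constructed
    key, kid = generate_rsa_key(), "demo-kid-1"
    keys = {kid: (key["n"], key["e"])}
    client_id = "000000000000-demo.apps.googleusercontent.com"
    now = int(time.time())
    claims = {"iss": "accounts.google.com", "aud": client_id, "sub": "1234567890",
              "email": "user@example.com", "email_verified": True, "iat": now, "exp": now + 3600}
    token = mint_id_token(claims, key, kid)
    # tampered = same header, edited payload, original signature
    tampered = mint_id_token(dict(claims, email="x@example.com"), key, kid).rsplit(".", 1)[0] + token[token.rfind("."):]
    results = {"valid": verify_id_token(token, keys, client_id, now)["email"]}
    for name, tok, aud, t in [("tampered", tampered, client_id, now),
                              ("alg_none", mint_id_token(claims, key, kid, "none"), client_id, now),
                              ("wrong_audience", token, "other-client", now),
                              ("expired", token, client_id, now + 3601)]:
        try:
            verify_id_token(tok, keys, aud, t)
            results[name] = "ok"
        except ValueError as exc:
            results[name] = str(exc)
    return results

if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name:15s} {result}")
```

Running the file prints one line per case. Two points it makes that the tokeninfo call in the question does not: a token tokeninfo accepts is still the wrong token for your backend unless its aud (the "audience" field in that response) equals your own client_id, so compare it; and "invalid token signature" is what comes out both for a payload edited after signing and for a verifier whose RSA implementation is faulty, as in the answer, so the way to tell the two apart is to check the same token against a second, independent implementation, which is effectively what the asker did with the tokeninfo endpoint.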