How can I get this Google Login ID Token from this Android app to verify server-side?

I'm getting the ID Token in my Android app by initiating like this:

GoogleSignInOptions googleSignInOptions = new GoogleSignInOptions.Builder(GoogleSignInOptions.DEFAULT_SIGN_IN)
        .requestIdToken(getString(R.string.server_client_id))
        .requestEmail()
        .build();

Where server_client_id is my SERVER's OAuth Client ID. Then later I request the token with googleAccount.getIdToken().

Then on my server (PHP), when I verify the token I verify it like this:

// GOOGLE_CLIENT_ID is the audience (aud) the ID token is checked against
$client = new \Google_Client(['client_id' => getenv("GOOGLE_CLIENT_ID")]);
try {
    // verifies signature, expiry, issuer and audience; returns the claims or false
    $payload = $client->verifyIdToken($this->idToken);
} catch (\Exception $e) {
    throw new BadRequestHttpException($e->getMessage());
}
if ($payload) {
    $this->verifyPayload($payload);
} else {
    throw new AccessDeniedHttpException("Invalid ID Token");
}

Where GOOGLE_CLIENT_ID is my ANDROID app's OAuth Client ID.

I'm following this guide: https://developers.google.com/identity/sign-in/android/start-integrating.

On this page it says: https://developers.google.com/identity/sign-in/android/backend-auth

When you configure Google Sign-in, call the requestIdToken method and pass it your server's web client ID.

Hence why I'm using the server_client_id in my Android app. Is this correct?

// Specify the CLIENT_ID of the app that accesses the backend

And this is why I'm using the ANDROID client ID from my server.

Is this right? Should they be using each other's OAuth client IDs? Or should they both be using the Android CLIENT_ID?

Thanks in advance

Keith asked Sep 20 '18 00:09


1 Answer

OK, I figured it out. Both the Android app and the web server need to use the SERVER's key, even though I created a client ID for the app using its SHA1 key and everything.

Keith answered Oct 21 '22 00:10
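The setup the answer arrives at, as an added example that is not code from the question, the answer or Google's library: the server verifies with its own web client ID, which is the same value the Android app passes to requestIdToken(), and reports an aud mismatch explicitly instead of a bare "Invalid ID Token". It assumes the google/apiclient Composer package and a WEB_CLIENT_ID environment variable (both names are assumptions).

```php
<?php
// Added example, not the asker's code. Assumes the google/apiclient Composer
// package and that WEB_CLIENT_ID holds the server's OAuth "Web application"
// client ID, the same value the Android app passes to requestIdToken().
require __DIR__ . '/vendor/autoload.php';

// Decode the JWT payload WITHOUT verifying it, only to produce a precise
// diagnostic; trust nothing in it until verifyIdToken() has accepted the token.
function decodeJwtClaims(string $jwt): ?array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    $b64 = strtr($parts[1], '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);
    $json = base64_decode($b64, true);
    return $json === false ? null : json_decode($json, true);
}

function explainAudience(string $jwt, string $expectedAud): string
{
    $claims = decodeJwtClaims($jwt);
    if (!is_array($claims) || !is_string($claims['aud'] ?? null)) {
        return 'token is not a well-formed JWT';
    }
    if ($claims['aud'] !== $expectedAud) {
        // The mistake from the question: app and server configured with
        // different client IDs, so the audience check can never pass.
        return "aud is {$claims['aud']} but the server expects $expectedAud; "
             . 'both sides must use the web client ID';
    }
    return 'aud matches the web client ID';
}

function verifyGoogleIdToken(string $jwt, string $webClientId): array
{
    $client = new Google_Client(['client_id' => $webClientId]);
    // Fetches Google's public keys and checks signature, exp, iss and aud.
    $payload = $client->verifyIdToken($jwt);
    if (!$payload) {
        throw new RuntimeException('Invalid ID token: ' . explainAudience($jwt, $webClientId));
    }
    if (empty($payload['email_verified'])) {
        throw new RuntimeException('E-mail address not verified by Google');
    }
    return $payload; // key accounts on $payload['sub'], not on the e-mail
}

$payload = verifyGoogleIdToken($_POST['idtoken'] ?? '', (string) getenv('WEB_CLIENT_ID'));
```

The Android OAuth client ID (the one tied to the package name and SHA1) is only needed in the Google Cloud project so that the app may request tokens; it never appears as the aud of the ID token the server receives.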