A lightweight library written in PHP that validates and verifies Google Sign-In tokens

nafizb/Lightweight-Google-Sign-Token-Verifier

Lightweight Google Sign Token Verifier

A lightweight library written in PHP that validates and verifies Google Sign-In tokens

After your client (such as Android or iOS) obtains the OAuth2 token, the token has to be sent to the backend and verified there.

To verify it, two steps have to be done:

  1. Verify the signature. The token's signature is checked against Google's public keys. If the check passes, the token was generated by Google. Note that Google's public keys change over time, which is why they have to be fetched from Google, cached, and then updated regularly.

  2. Validate the data. Although the token was generated by Google, it could have been created for another Google service or developer. To check this, match the Issuer and Audience with yours. Also make sure the expiration time has not passed.

This library does both steps.

After the verification steps, the claims can be used.
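
The two checks above, as an added example that is not this library's code: it uses PHP's openssl extension directly instead of lcobucci/jwt, and the function names, the key id `demo-kid`, the audience string and the locally generated key pair are constructed for the demo. In production the key map would hold Google's public keys, fetched and cached as described in step 1.

```php
<?php
// Added example (not the library's code): both checks with ext-openssl only.
function b64url_decode(string $s)
{
    $s = strtr($s, '-_', '+/');
    return base64_decode(str_pad($s, strlen($s) + (4 - strlen($s) % 4) % 4, '='), true);
}

function verifyGoogleIdToken(string $jwt, array $pemByKid, string $audience, int $now): ?array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) return null;
    [$h64, $p64, $s64] = $parts;
    $header = json_decode((string) b64url_decode($h64), true);
    $claims = json_decode((string) b64url_decode($p64), true);
    $sig = b64url_decode($s64);
    if (!is_array($header) || !is_array($claims) || !is_string($sig)) return null;

    // Step 1: signature. Pin RS256 rather than letting the token's header choose the algorithm.
    $kid = $header['kid'] ?? null;
    if (($header['alg'] ?? null) !== 'RS256' || !is_string($kid)) return null;
    if (!isset($pemByKid[$kid])) return null; // unknown key id: refresh the key cache, else reject
    if (openssl_verify("$h64.$p64", $sig, $pemByKid[$kid], OPENSSL_ALGO_SHA256) !== 1) return null;

    // Step 2: claims. Issuer, audience and expiry must all match.
    $issuers = ['accounts.google.com', 'https://accounts.google.com'];
    if (!in_array($claims['iss'] ?? null, $issuers, true)) return null;
    if (($claims['aud'] ?? null) !== $audience) return null;
    if (!is_int($claims['exp'] ?? null) || $claims['exp'] <= $now) return null;
    return $claims;
}

// Constructed demo: a throwaway key pair stands in for Google's cached public key.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$keys = ['demo-kid' => openssl_pkey_get_details($key)['key']];
$enc = fn(string $s): string => rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
$mint = function (array $claims) use ($key, $enc): string {
    $input = $enc(json_encode(['alg' => 'RS256', 'kid' => 'demo-kid'])) . '.' . $enc(json_encode($claims));
    openssl_sign($input, $sig, $key, OPENSSL_ALGO_SHA256);
    return $input . '.' . $enc($sig);
};
$aud = 'demo-client-id.apps.googleusercontent.com'; // constructed audience value
$ok = ['iss' => 'https://accounts.google.com', 'aud' => $aud, 'sub' => '1234', 'exp' => time() + 300];
$cases = ['valid' => $ok, 'wrong audience' => ['aud' => 'other-app'] + $ok, 'expired' => ['exp' => time() - 60] + $ok];
foreach ($cases as $name => $claims) {
    $result = verifyGoogleIdToken($mint($claims), $keys, $aud, time());
    echo $name, ': ', $result === null ? 'rejected' : 'accepted, sub=' . $result['sub'], PHP_EOL;
}
```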

Dependencies

You need lcobucci/jwt. Install it with Composer:

composer require lcobucci/jwt

Basic usage

  • Replace the audience value with your own (from the Google project console).
private $audience = '<Your audience key>';
  • You are ready to go.
$verifier = new GoogleTokenVerifier($token);

if($verifier->verifyToken()) {
  $userID = $verifier->getClaim()['sub'];
}

This library is much smaller than the Google Client, which helps if you do not need anything other than token verification.

If you currently check the token against Google's endpoint every time, this library saves you that latency.
