Google's Identity Toolkit ID Token does NOT conform to the OpenID Connect Identity Token specification.
The REQUIRED sub parameter is missing!

Google's Identity Toolkit ID Token does NOT conform to the JSON Web Token Claims specification.
The user_id parameter is not a registered JSON Web Token Claim.

The user_id is the identifier of the user at the Identity Provider (IDP).

The user_id field in the Identity Toolkit ID Token is a global identifier, unique across all IDPs, for this user, in the context of your site or app. It is not shared with other sites or apps which use Identity Toolkit. In other words, Identity Toolkit does not provide a global identifier across different developers (relying parties).

When a user signs in successfully on an Identity Toolkit-enabled site, Identity Toolkit’s widgets set a cookie named “gtoken”. It is a JSON Web Token (JWT), a cryptographically signed JSON object encoded in base64url. The Identity Toolkit JWT is very similar to an OpenID Connect ID Token, and we will refer to it as the Identity Toolkit ID Token.

Decoding the Identity Toolkit ID Token

An ID Token is a JWT whose payload is a JSON object containing a set of name/value pairs. Here’s an example payload (the user_id value is quoted here so that the object is valid JSON):

    {
      "iss" : "https://identitytoolkit.google.com/",
      "user_id" : "829A8CD24E",
      "aud" : "622215261071.apps.googleusercontent.com",
      "provider_id" : "google.com",
      "iat" : 1408553860,
      "exp" : 1409763460,
      "email" : "jsmith@example.com",
      "verified" : "true"
    }

The fields used by Identity Toolkit are listed below, each with whether it is always or only sometimes present:

iss (always): The Issuer Identifier for the Issuer of the response. This will always be "https://identitytoolkit.google.com/".
user_id (always): The user’s local ID on your site. Identity Toolkit will generate new user_id numbers once you begin to use it for new user sign-ups.
aud (always): Identifies the audience that this ID Token is intended for. It must be one of the OAuth 2.0 Client IDs of your application.
provider_id (sometimes): The base URL of the identity provider.
iat (always): An integer giving the time the ID Token was issued, in seconds since the beginning of 1970, UTC.
exp (always): An integer giving the time the ID Token expires, in seconds since the beginning of 1970, UTC.
email (sometimes): The user’s email address. This may not be unique and is not suitable for use as a primary key.
verified (sometimes): True if the user's e-mail address has been verified; otherwise false. If the user goes through the Identity Toolkit email recovery flow and activates the URL, Identity Toolkit will mark this as verified.
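The following is an added example, not code from Google or this wiki, showing how a relying party would decode the gtoken payload and check the claims listed above against its own OAuth 2.0 Client IDs: iss, aud, iat, exp, the non-standard user_id in place of sub, and the verified flag, which may arrive as the string "true". It assumes the signature has already been verified against the issuer's published keys (not covered on this page), and the 60-second clock-skew allowance and the sample token builder are the example's own choices.

```python
import base64
import json
import time

ISSUER = "https://identitytoolkit.google.com/"
CLOCK_SKEW_SECONDS = 60  # assumption: small tolerance for iat slightly in the future


def _b64url_decode(segment):
    # JWT segments are base64url without '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_gtoken(token):
    """Split a gtoken JWT and return its payload claims as a dict.
    Does NOT check the signature: do that first with the issuer's keys."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def validate_claims(claims, client_ids, now=None):
    """Return a list of problems found; an empty list means the claims pass."""
    now = int(time.time()) if now is None else now
    problems = []
    if claims.get("iss") != ISSUER:
        problems.append("iss mismatch")
    if claims.get("aud") not in client_ids:  # must be one of OUR client IDs
        problems.append("aud not one of our client IDs")
    if "user_id" not in claims:  # Identity Toolkit uses user_id, not OIDC sub
        problems.append("user_id missing")
    times_ok = all(isinstance(claims.get(n), int) for n in ("iat", "exp"))
    if not times_ok:
        problems.append("iat/exp missing or not integers")
    else:
        if claims["exp"] <= now:
            problems.append("token expired")
        if claims["iat"] > now + CLOCK_SKEW_SECONDS:
            problems.append("iat in the future")
    return problems


def email_is_verified(claims):
    # 'verified' may be a JSON boolean or, as in the example above, the string "true"
    v = claims.get("verified", False)
    return v is True or (isinstance(v, str) and v.lower() == "true")


def make_sample_token(claims):
    # Constructed, unsigned sample for offline demonstration; real gtokens are signed
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.signature_placeholder"
```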

This page (revision-7) was last changed on 14-Feb-2016 20:57 by jim