Verifying Google Sign-In tokens on the server side

I’m having trouble with Google Sign-In token verification on my server. Here’s what I’ve done so far:

My app gets the ID token like this:

let userSignIn = await loginManager.performSignIn()
let authInfo = await userSignIn.getAuthDetails()
let idToken = authInfo.getIdToken()

I send this token to my Node.js server. On the server, I’m trying to verify it:

const authConfig = require('./auth-config.json')
// verifyIdToken is a method of OAuth2Client, not of GoogleAuth
const { OAuth2Client } = require('google-auth-library')
const authClient = new OAuth2Client(authConfig.web.client_id)

// Later in the code, inside an async handler that received idToken from the app...
try {
  const verifiedToken = await authClient.verifyIdToken({
    token: idToken,
    // audience must match the token's aud claim (a string or an array of accepted client IDs)
    audience: authConfig.web.client_id
  })
  const tokenPayload = verifiedToken.getPayload()
} catch (error) {
  console.error('Token verification failed:', error.message)
}

But I keep getting a ‘Wrong recipient’ error. I’ve tried using different client IDs from my Google Cloud Console, but nothing works. What am I missing? How can I find the right client ID to verify these tokens?
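As an added example that is not part of the original question or any reply: a Node-only diagnostic (no google-auth-library dependency, placeholder client IDs) that decodes the unverified payload of an ID token to show which client ID it was actually issued for, then applies the same audience, issuer and expiry rules the library enforces, so the cause of a "Wrong recipient" error is visible before the full signature check runs.

```javascript
// Added example, not from the original post. Decodes the UNVERIFIED payload of a
// Google ID token and applies the audience/issuer/expiry rules verifyIdToken
// enforces. Diagnostic only: it checks no signature, so it never replaces
// OAuth2Client.verifyIdToken in production.

function decodeJwtPayload(idToken) {
  const parts = idToken.split('.')
  if (parts.length !== 3) throw new Error('not a JWT: expected header.payload.signature')
  // JWT segments are base64url (RFC 7515); Buffer supports 'base64url' since Node 15.7
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'))
}

const GOOGLE_ISSUERS = ['accounts.google.com', 'https://accounts.google.com']

// allowedAudiences: every client ID the server accepts tokens for. A token the
// mobile app obtained carries the mobile client ID in aud, so listing only the
// web client ID produces exactly the "Wrong recipient" error from the question.
function diagnoseIdToken(idToken, allowedAudiences, nowSeconds = Math.floor(Date.now() / 1000)) {
  const payload = decodeJwtPayload(idToken)
  const auds = Array.isArray(payload.aud) ? payload.aud : [payload.aud]
  const audienceOk = auds.some(aud => allowedAudiences.includes(aud))
  const issuerOk = GOOGLE_ISSUERS.includes(payload.iss)
  const expired = typeof payload.exp !== 'number' || payload.exp <= nowSeconds
  const problems = []
  if (!audienceOk) problems.push(`Wrong recipient: token aud [${auds.join(', ')}] not in ${JSON.stringify(allowedAudiences)}`)
  if (!issuerOk) problems.push(`unexpected issuer: ${payload.iss}`)
  if (expired) problems.push('token expired (Google ID tokens live about one hour)')
  return { audienceOk, issuerOk, expired, tokenAudience: auds, problems }
}

// Constructed sample token (alg "none", placeholder client IDs) for offline demonstration.
const b64url = obj => Buffer.from(JSON.stringify(obj)).toString('base64url')
const MOBILE_CLIENT_ID = 'PLACEHOLDER-mobile.apps.googleusercontent.com'
const WEB_CLIENT_ID = 'PLACEHOLDER-web.apps.googleusercontent.com'
const SAMPLE_TOKEN = [
  b64url({ alg: 'none', typ: 'JWT' }),
  b64url({ iss: 'https://accounts.google.com', aud: MOBILE_CLIENT_ID, sub: '1234567890', iat: 1700000000, exp: 1700003600 }),
  '' // empty signature segment: the reason this helper is diagnostic only
].join('.')

// Web client ID alone -> "Wrong recipient"; both IDs listed -> no problems.
console.log(diagnoseIdToken(SAMPLE_TOKEN, [WEB_CLIENT_ID], 1700000100).problems)
console.log(diagnoseIdToken(SAMPLE_TOKEN, [WEB_CLIENT_ID, MOBILE_CLIENT_ID], 1700000100).problems)
```

Run it against a real token captured from the app to see the aud value; that value (not the one guessed from the console) is what the server's audience list must contain.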

hey there! I’m curious about your setup. have you double-checked that the client ID in your auth-config.json matches the one used in your app? also, are you using the same Google project for both frontend and backend? sometimes mixing different projects can cause issues. what kind of app are you building, btw? sounds interesting!

It appears you’re encountering a common issue with Google Sign-In token verification. One crucial aspect to consider is the audience field. For server-side verification, you should use the client ID of your backend, not the frontend. Check your Google Cloud Console for a separate web application client ID specifically for your server. Additionally, ensure your server’s time is accurately synchronized, as token validation is time-sensitive. If the problem persists, review your OAuth consent screen settings to confirm all necessary scopes are included. Lastly, double-check that you’re using the latest version of the google-auth-library package, as older versions may have compatibility issues with current Google authentication protocols.

yo sam, sounds frustrating! have you tried using the OAuth 2.0 client ID instead of the regular one? sometimes that works better for server-side stuff. also, make sure your token isn’t expired - they only last an hour. good luck man, let us know if you figure it out!