Confusion about id_token field in callback POST body

[ohmree]

This is the relevant line:

passport-google-verify-token/src/strategy.ts

Line 114 in 575f909

this.paramFromRequest(req, 'id_token') ||

Google actually responds with the ID token in the body's credential field and replacing id_token with credential in the above line makes my auth flow work, otherwise I get an error about a missing ID token.

Is this a bug in the library or in my code?

Admittedly I am using nestjs with its jwt and passport modules which adds a bunch of moving parts to the equation compared to using plain express and passport but I think I might be onto something here.

Here's the HTML I'm using to test this out:

<!doctype html>
<html class="no-js" lang="">
    <head>
        <meta charset="utf-8">
        <title>Untitled</title>
        <meta name="description" content="">
        <meta name="viewport" content="width=device-width, initial-scale=1">
        <script src="https://accounts.google.com/gsi/client" async defer></script>
    </head>
    <body>
        <div id="g_id_onload"
             data-client_id="<client id>"
             data-context="use"
             data-ux_mode="popup"
             data-login_uri="http://localhost:3000/auth/callback/google"
             data-nonce=""
             data-auto_prompt="false">
        </div>

        <div class="g_id_signin"
             data-type="standard"
             data-shape="rectangular"
             data-theme="outline"
             data-text="signin_with"
             data-size="large"
             data-logo_alignment="left">
        </div>
    </body>
</html>

Sorry for not being able to share my backend code but I'm pretty sure it doesn't matter here - regardless of how the backend is setup the above HTML will result in google responding with a credential field, not id_token.

[abouroubi]

Hello,

Even if google responds with the credentials, you need to rename it to id_token, before sending it to the backend for validation.