Test your Google Account Linking OAuth Implementation

The Google Account Linking OAuth validation test tool checks that Google can reach your OAuth endpoints and that those endpoints return the responses expected of a valid Google Account Linking implementation.

Using the test tool

  1. If you haven't already signed in to the tool, sign in with your Google Account using the Sign in button.
  2. Link your account using the Google Account Linking demo tool. You should link with the same account you are running the validation test tool with.
  3. Enter your Project ID and click the Run button. This should be the same as the Service ID you used to link your account in the previous step.

Tool Guide

Access token validation test

Access tokens returned from your token exchange endpoint are validated to ensure responses are in the right format and that a valid refresh token is returned.

Test Explanation
Validate access token is not in JWT format. Google Account Linking does not support JWT for access tokens. If JWT is detected, the following warning is displayed: "The access token seems to be a JWT which is not supported for token exchange endpoints."
Validate expirable access token has refresh token. A refresh token must be provided when the access token is expirable. This test will fail if no refresh token is found.

Refresh token validation test

Refresh tokens are tested to ensure your token exchange endpoint properly exchanges them for new access tokens.

Test Explanation
Validate invalid refresh token response. Your server should return an HTTP 400 Bad Request error with {"error": "invalid_grant"} in response to a request that carries an invalid refresh token. If the response does not match the error code or message, this test case will fail. See "Exchange refresh tokens for access tokens" for more information.
Validate access token refresh. New access tokens should be returned in response to refresh token requests. If your server provides the same access token, the test case will fail.
Validate unexpired access token works.
Validate refresh token was not rotated during refresh. We check if refresh tokens are changed after a refresh token request. If the refresh token changes, your server should only invalidate an old refresh token after a new refresh token has been used, to prevent race conditions that may break a user's account linking. The test will fail if you invalidate the old refresh token before the new one is issued.
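
The following is an added example, not code from Google or from the test tool: an in-memory Python model of a token exchange endpoint that behaves the way the checks above expect (opaque access tokens, a refresh token alongside an expiring access token, HTTP 400 with invalid_grant for unknown refresh tokens, a fresh access token on every refresh, and an old refresh token retired only after its replacement has been used). The class, method names, the one-hour lifetime and the JWT heuristic are assumptions made for illustration.

```python
import base64, json, secrets, time

ACCESS_TTL = 3600  # assumed access-token lifetime in seconds

def looks_like_jwt(token):
    """Heuristic (assumption): three dot-separated parts, the first a JSON header with "alg"."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        padded = parts[0] + "=" * (-len(parts[0]) % 4)
        header = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return False
    return isinstance(header, dict) and "alg" in header

class TokenEndpoint:
    """In-memory model of a token exchange endpoint (hypothetical class)."""

    def __init__(self):
        self.refresh = {}  # refresh token -> {"user", "prev", "next"}
        self.access = {}   # access token -> (user, expiry timestamp)

    def _response(self, user, refresh_token=None):
        access = secrets.token_urlsafe(32)  # opaque random value, never a JWT
        self.access[access] = (user, time.time() + ACCESS_TTL)
        body = {"token_type": "Bearer", "access_token": access, "expires_in": ACCESS_TTL}
        if refresh_token:
            body["refresh_token"] = refresh_token
        return body

    def _new_refresh(self, user, prev=None):
        token = secrets.token_urlsafe(32)
        self.refresh[token] = {"user": user, "prev": prev, "next": None}
        return token

    def link(self, user):
        """Stand-in for the initial exchange: expiring access token plus refresh token."""
        return self._response(user, self._new_refresh(user))

    def refresh_grant(self, token, rotate=False):
        """Return (http_status, json_body) for grant_type=refresh_token."""
        rec = self.refresh.get(token)
        if rec is None:
            return 400, {"error": "invalid_grant"}
        if rec["prev"]:  # the rotated token has now been used: retire its predecessor
            self.refresh.pop(rec["prev"], None)
            rec["prev"] = None
        if rotate and rec["next"] is None:  # a retry with the old token gets the same successor
            rec["next"] = self._new_refresh(rec["user"], prev=token)
        return 200, self._response(rec["user"], rec["next"] if rotate else None)
```

With rotate=True, a client that never received the rotated token can retry with the old one and still succeed, which is the race the last check guards against.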