Warning: This data is provided under the Google User Data Policy. Please review and comply with the policy. Failure to do so may result in project suspension or account suspension.

Verify the Google ID token on your server side

After an ID token is returned from Google, it is submitted to your login endpoint in an HTTP POST request, under the parameter name credential.

The following is an example in the Python language to show the usual steps to validate and consume the ID Token:

  1. Verify the Cross-Site Request Forgery (CSRF) token. When credentials are submitted to your login endpoint, we use the double-submit-cookie pattern to prevent CSRF attacks. Before each submission, we generate a token and place it in both a cookie and the post body; your endpoint must confirm that the two copies are present and identical. See the following code example:

    import webapp2

    class LoginHandler(webapp2.RequestHandler):
        def post(self):
            # The same g_csrf_token value must arrive in both the cookie and the post body.
            csrf_token_cookie = self.request.cookies.get('g_csrf_token')
            if not csrf_token_cookie:
                webapp2.abort(400, 'No CSRF token in Cookie.')
            csrf_token_body = self.request.get('g_csrf_token')
            if not csrf_token_body:
                webapp2.abort(400, 'No CSRF token in post body.')
            if csrf_token_cookie != csrf_token_body:
                webapp2.abort(400, 'Failed to verify double submit cookie.')
            # Step 2 continues here with the ID token from self.request.get('credential').

  2. Verify the ID token. Refer to Verify the integrity of the ID token for details.

  3. Based on the account status associated with the email address in the ID token, redirect the user to the appropriate flow.

    • An unregistered email address: You can show a sign-up user interface (UI) to allow the user to provide additional profile information, if required, or silently create the new account and create a logged-in user session.

    • A legacy account that exists for the email address: Show a web page to allow the end user to input their password and link that legacy account with their Google credentials. This confirms that the user has access to the existing account.

    • A returning federated user: You can silently sign the user in.
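The three steps above combined into one framework-agnostic login handler, as an added example that is not Google's own code. The ID-token verifier is injected as a callable so the example runs offline; in production that callable would wrap google.oauth2.id_token.verify_oauth2_token from the google-auth library, and the Request class, LoginError and the accounts lookup table are constructed for illustration.

```python
# Added example (not Google's own code): a framework-agnostic login endpoint
# that applies the three steps above. The ID-token verifier is injected so the
# code runs offline; in production wrap google.oauth2.id_token.verify_oauth2_token.
import hmac
from dataclasses import dataclass, field

@dataclass
class Request:                      # minimal stand-in for a framework request
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)

class LoginError(Exception):
    def __init__(self, status, message):
        super().__init__(message)
        self.status = status

def check_double_submit_cookie(req):
    """Step 1: g_csrf_token must be present in both cookie and post body, and match."""
    cookie = req.cookies.get('g_csrf_token')
    if not cookie:
        raise LoginError(400, 'No CSRF token in Cookie.')
    body = req.form.get('g_csrf_token')
    if not body:
        raise LoginError(400, 'No CSRF token in post body.')
    if not hmac.compare_digest(cookie, body):   # constant-time comparison
        raise LoginError(400, 'Failed to verify double submit cookie.')

def handle_login(req, verify_id_token, accounts):
    """Steps 1-3. verify_id_token(credential) returns the claims or raises
    ValueError; accounts maps email -> 'legacy' | 'federated' (constructed)."""
    check_double_submit_cookie(req)
    credential = req.form.get('credential')
    if not credential:
        raise LoginError(400, 'No credential in post body.')
    try:
        claims = verify_id_token(credential)        # step 2: integrity check
    except ValueError as exc:
        raise LoginError(401, f'Invalid ID token: {exc}')
    email = claims.get('email')
    if not email or not claims.get('email_verified'):
        raise LoginError(401, 'ID token carries no verified email.')
    status = accounts.get(email)                    # step 3: route by account status
    if status is None:
        return 'sign_up'       # unregistered: sign-up UI or silent account creation
    if status == 'legacy':
        return 'link_legacy'   # ask for the password, then link the accounts
    return 'sign_in'           # returning federated user: silent sign-in
```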