I am having quite some trouble with Google social login in .NET Core 5 after following the official instructions:
https://docs.microsoft.com/en-us/aspnet/core/security/authentication/social/google-logins?view=aspnetcore-5.0
Everything seems to work: I am prompted with the Google sign-in page, I enter my credentials and receive an access_token and also the other info requested (such as name, email, etc.)
yourent://#access_token=<long_access_token_here>&expires=1619721892&email=testuser%40gmail.com&first_name=Cristian&last_name=Merli&user_id=<my_google_user_id_here>
The problem is that when I try to use that access token in other Google APIs, many times they fail with an unauthorized error.
After researching, I found different endpoints to get the user info or verify the token; not sure which one is the newest version, so I tried them all.
Examples:
var httpClient = new System.Net.Http.HttpClient();
var json1 = await httpClient.GetStringAsync($"https://www.googleapis.com/oauth2/v3/userinfo?access_token={request.Token}");
var json2 = await httpClient.GetStringAsync($"https://www.googleapis.com/oauth2/v3/tokeninfo?access_token={request.Token}");
var json3 = await httpClient.GetStringAsync($"https://oauth2.googleapis.com/tokeninfo?id_token={request.Token}");
and they all return this error:
{
"error": "invalid_request",
"error_description": "Invalid Credentials"
}
StatusCode: 401, ReasonPhrase: 'Unauthorized', Version: 1.1, Content: System.Net.Http.HttpConnectionResponseContent, Headers:
{
Date: Fri, 16 Apr 2021 15:29:55 GMT
Cache-Control: no-store, must-revalidate, no-cache, max-age=0
Pragma: no-cache
Vary: X-Origin
Vary: Referer
Vary: Origin
Vary: Accept-Encoding
Server: ESF
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3-29=":443"; ma=2592000
Alt-Svc: h3-T051=":443"; ma=2592000
Alt-Svc: h3-Q050=":443"; ma=2592000
Alt-Svc: h3-Q046=":443"; ma=2592000
Alt-Svc: h3-Q043=":443"; ma=2592000
Alt-Svc: quic=":443"; ma=2592000
Accept-Ranges: none
Transfer-Encoding: chunked
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Content-Type: application/json; charset=utf-8
}, Trailing Headers:
{
}
Other times, instead, I get the access token and everything works fine.
Am I doing something wrong? Why do I receive a brand new token (and my personal info attached) and as soon as I use it, it fails?
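As an added example (not from the question or the linked Microsoft docs, and written in Python rather than C# so it runs without the ASP.NET project): a client-side check of the callback values before any of the three endpoints above is called, so that an expired token, or a token sent to an endpoint expecting the other kind, is caught before the 401. Assumptions: the callback has the `yourent://#...` shape shown, the sample tokens and `yourent://` URLs are constructed, and the `id_token=` parameter of oauth2.googleapis.com/tokeninfo expects a JWT ID token while the other two calls expect the opaque access token.

```python
import base64
import json
from urllib.parse import parse_qs, urlsplit

# The three endpoints from the question, grouped by the token kind each expects.
# Assumption: the userinfo and v3/tokeninfo calls take the opaque access token,
# while oauth2.googleapis.com/tokeninfo?id_token= takes a JWT ID token.
USERINFO_URL = "https://www.googleapis.com/oauth2/v3/userinfo?access_token="
ACCESS_TOKENINFO_URL = "https://www.googleapis.com/oauth2/v3/tokeninfo?access_token="
ID_TOKENINFO_URL = "https://oauth2.googleapis.com/tokeninfo?id_token="

def parse_callback(url: str) -> dict:
    """Flatten a `scheme://#k=v&k=v` callback fragment into a dict of strings."""
    fragment = urlsplit(url).fragment
    return {k: v[0] for k, v in parse_qs(fragment, keep_blank_values=True).items()}

def looks_like_jwt(token: str) -> bool:
    """ID tokens are JWTs: three base64url segments, the first a JSON header with `alg`."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        header = base64.urlsafe_b64decode(parts[0] + "=" * (-len(parts[0]) % 4))
        return "alg" in json.loads(header)
    except (ValueError, TypeError):
        return False

def choose_endpoint(callback: dict, now: int) -> dict:
    """Choose the endpoint for a callback token; `now` is epoch seconds like `expires`."""
    # Identity fields in the fragment (email, user_id) are unverified input until the token
    # has been checked server-side, so only the token and its `expires` value are used here.
    token = callback.get("access_token") or callback.get("id_token")
    if not token:
        return {"ok": False, "reason": "no token in callback"}
    expires = int(callback.get("expires", "0"))
    if expires and expires <= now:
        return {"ok": False, "reason": "token expired; start a new sign-in instead of retrying"}
    if looks_like_jwt(token):
        return {"ok": True, "kind": "id_token", "verify_url": ID_TOKENINFO_URL + token}
    return {"ok": True, "kind": "access_token", "verify_url": ACCESS_TOKENINFO_URL + token,
            "userinfo_url": USERINFO_URL + token}

# Constructed sample callbacks (no real tokens) in the shape the question shows.
SAMPLE_ACCESS = ("yourent://#access_token=ya29.EXAMPLE-opaque-token&expires=1619721892"
                 "&email=testuser%40gmail.com&user_id=1234567890")
FAKE_JWT = ".".join(
    base64.urlsafe_b64encode(json.dumps(p).encode()).rstrip(b"=").decode()
    for p in ({"alg": "RS256", "typ": "JWT"}, {"sub": "1234567890", "aud": "client-id"})
) + ".fakesignature"
SAMPLE_ID = f"yourent://#id_token={FAKE_JWT}&expires=1619721892"
```

`choose_endpoint` only selects the URL; the actual HTTP call and the server-side check of the returned `aud`, `sub` and expiry still belong in the backend.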