Lesson2/step5/project.py - Why we need to verify access_token, user_id, CLIENT_ID after exchanging credentials? #65
Description
From line 64 to line 90 in this file , I don't understand why it is necessary. I tried to comment this block (except line 77) and it still worked well. I followed Lorenzo's explanation very carefully but still didn't understand why.
As far as I know, after making step2_exchange, we got a Credential from Google. Inside this Credential, we got a access_token, and we can use this access_token to request user info. I means that is enough, Google had provided us Credential, and we had gotten everything we need. But the next lines of code was really hard to comprehend to me!
# Check that the access token is valid.
access_token = credentials.access_token
url = ('https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=%s'
% access_token)
h = httplib2.Http()
result = json.loads(h.request(url, 'GET')[1])
# If there was an error in the access token info, abort.
if result.get('error') is not None:
response = make_response(json.dumps(result.get('error')), 500)
response.headers['Content-Type'] = 'application/json'
return response
# Verify that the access token is used for the intended user.
gplus_id = credentials.id_token['sub']
if result['user_id'] != gplus_id:
response = make_response(
json.dumps("Token's user ID doesn't match given user ID."), 401)
response.headers['Content-Type'] = 'application/json'
return response
# Verify that the access token is valid for this app.
if result['issued_to'] != CLIENT_ID:
response = make_response(
json.dumps("Token's client ID does not match app's."), 401)
print "Token's client ID does not match app's."
response.headers['Content-Type'] = 'application/json'
return response