Google oauth2 returns no id_token

Question

I seem to miss something with oauth2. I get the access_token but not id_token!

I use the following to gain a google access_token by passing a "code" granted to me from https://accounts.google.com/o/oauth2/auth

$oauth2token_url = "https://accounts.google.com/o/oauth2/token";
$clienttoken_post = array(
    "code" => $code,
    "client_id" => $client_id,
    "client_secret" => $client_secret,
    "redirect_uri" => $redirect_uri,
    "grant_type" => "authorization_code"
);

$curl = curl_init($oauth2token_url);

curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_POSTFIELDS, $clienttoken_post);
curl_setopt($curl, CURLOPT_HTTPAUTH, CURLAUTH_ANY);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);

$json_response = curl_exec($curl);
curl_close($curl);
var_dump($json_response);

Everything seems to work but according to Google's documentation https://developers.google.com/accounts/docs/OAuth2Login#exchangecode I should be getting access_token, id_token, expires_in, token_type which I do except for the id_token

var_dump($json_response); shows the following:

string(126) "{ "access_token" : "ya29.AHES6ZSGlHVW9qA23xs8bHBP578Ef8S5cntJIcPT_SHWA", "token_type" : "Bearer", "expires_in" : 3598 }

What am I missing here?

Answer 1

First, you need to add id_token for response_type. Then you need to check scopes. And don't forget that for implicit flow nonce param is required.

For more information and example you can check: http://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthRequest

Answer 2

At the token endpoint an id_token is issued only if certain scopes are present, the documentation should clarify that.

It is issued only if the email, profile or OpenID Connect scopes were used. An id_token does not make sense otherwise.