Reputation: 25601
I have an app that is using pure client side Google API for authentication and possibly listing contacts in circles. However I am associating certain data submitted to the server with identities. What exactly should I be doing to validate that the identity submitted to my server (I have a REST api) is in fact an authenticated identity and not forged? Is there a good way to do this without making API calls from the server side?
I'm not terribly concerned about security in this application, but I'd like to avoid doing anything extremely stupid.
Upvotes: 1
Views: 692
Reputation: 53888
You can pass on the ID token you got from Google to the server side. It is a JSON Web Token that you can verify locally. You would especially take care of checking the audience (aud) claim to see that it was really issued to your client, in addition to normal JWT iss/exp/iat and signature validation.
Edit by questioner: After reviewing linked articles, I have arrived at the following code for retrieving the key to use with JWT.php:
<?php
// Cache Google's public certs on disk and refresh them once they are older than 20000 s.
$certFile = 'oauthkey';
$refresh = false;
if (file_exists($certFile)) {
    $age = time() - filemtime($certFile);
    if ($age > 20000)
        $refresh = true;
} else {
    $refresh = true;
}
if ($refresh) {
    $oauthKey = file_get_contents('https://www.googleapis.com/oauth2/v1/certs')
        or die('Failed to retrieve google public key.');
    file_put_contents($certFile, $oauthKey) !== false
        or die('Failed to write public key file.');
} else {
    // Read the whole cached file: a fixed-size fread() could truncate the JSON and break decoding.
    $oauthKey = file_get_contents($certFile)
        or die('Failed to read from public key file.');
}
$oauthKey = json_decode($oauthKey, true);   // array of kid => PEM certificate
if (!is_array($oauthKey))
    die('Failed to parse google public key.');
?>
Upvotes: 2
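The local verification the answer describes, as an added example that is not code from the question or the answer: it assumes $oauthKey is the decoded certs array the questioner's snippet produces (kid => PEM certificate), that the client POSTs the token in a field named id_token, and that the client id below is a placeholder to replace with your own.

```php
<?php
// Added example, not part of the original question or answer. Assumes $oauthKey holds the
// decoded certs array (kid => PEM certificate) and the client sends the token as id_token.
$clientId = 'YOUR_CLIENT_ID.apps.googleusercontent.com';   // placeholder: your OAuth client id

function base64url_decode($s) {
    return base64_decode(strtr($s, '-_', '+/'));
}

// Verifies alg, signature, aud, iss, exp and iat; returns the claims array or throws.
function verify_google_id_token($jwt, array $certs, $clientId, $leeway = 60) {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) throw new Exception('malformed token');
    list($h64, $p64, $s64) = $parts;
    $header = json_decode(base64url_decode($h64), true);
    $claims = json_decode(base64url_decode($p64), true);
    if (!is_array($header) || !is_array($claims)) throw new Exception('bad JSON in token');
    // Pin the algorithm server-side: the token must not get to choose "none" or an HMAC alg.
    if (!isset($header['alg']) || $header['alg'] !== 'RS256') throw new Exception('unexpected alg');
    if (!isset($header['kid']) || !isset($certs[$header['kid']])) throw new Exception('unknown kid');
    $pub = openssl_pkey_get_public($certs[$header['kid']]);   // loads the key from the PEM cert
    if ($pub === false) throw new Exception('cannot load Google public key');
    $ok = openssl_verify("$h64.$p64", base64url_decode($s64), $pub, OPENSSL_ALGO_SHA256);
    if ($ok !== 1) throw new Exception('signature does not verify');
    // Claim checks from the answer: aud must be *your* client id, not just any Google client.
    if (!isset($claims['aud']) || $claims['aud'] !== $clientId) throw new Exception('aud mismatch');
    $issuers = array('accounts.google.com', 'https://accounts.google.com');
    if (!isset($claims['iss']) || !in_array($claims['iss'], $issuers, true)) throw new Exception('iss mismatch');
    $now = time();
    if (!isset($claims['exp']) || $now >= $claims['exp'] + $leeway) throw new Exception('token expired');
    if (!isset($claims['iat']) || $claims['iat'] > $now + $leeway) throw new Exception('iat in the future');
    return $claims;
}

try {
    $jwt = isset($_POST['id_token']) ? $_POST['id_token'] : '';
    $claims = verify_google_id_token($jwt, $oauthKey, $clientId);
    $googleUserId = $claims['sub'];   // the stable Google account id to associate submitted data with
} catch (Exception $e) {
    http_response_code(401);
    exit('invalid ID token: ' . $e->getMessage());
}
?>
```

Use the sub claim, not the email, as the identity key: sub is stable for an account, and only a token that passed all of the checks above should ever be trusted to name a user.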