Lesson2/step5/project.py - Why we need to verify access_token, user_id, CLIENT_ID after exchanging credentials?

[khanh96le]

From line 64 to line 90 in this file , I don't understand why it is necessary. I tried to comment this block (except line 77) and it still worked well. I followed Lorenzo's explanation very carefully but still didn't understand why.

As far as I know, after making step2_exchange, we got a Credential from Google. Inside this Credential, we got a access_token, and we can use this access_token to request user info. I means that is enough, Google had provided us Credential, and we had gotten everything we need. But the next lines of code was really hard to comprehend to me!

    # Check that the access token is valid.
    access_token = credentials.access_token
    url = ('https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=%s'
           % access_token)
    h = httplib2.Http()
    result = json.loads(h.request(url, 'GET')[1])
    # If there was an error in the access token info, abort.
    if result.get('error') is not None:
        response = make_response(json.dumps(result.get('error')), 500)
        response.headers['Content-Type'] = 'application/json'
        return response

    # Verify that the access token is used for the intended user.
    gplus_id = credentials.id_token['sub']
    if result['user_id'] != gplus_id:
        response = make_response(
            json.dumps("Token's user ID doesn't match given user ID."), 401)
        response.headers['Content-Type'] = 'application/json'
        return response

    # Verify that the access token is valid for this app.
    if result['issued_to'] != CLIENT_ID:
        response = make_response(
            json.dumps("Token's client ID does not match app's."), 401)
        print "Token's client ID does not match app's."
        response.headers['Content-Type'] = 'application/json'
        return response