We're struggling with an issue during the token verification. We have the following exception:
    java.security.SignatureException: Invalid audience: xxx-platform. Should be: 787384428332-32charsofidxxxxxxxx.apps.googleusercontent.com
        at com.google.identitytoolkit.JsonTokenHelper$AudienceChecker.check(JsonTokenHelper.java:67)
        at net.oauth.jsontoken.JsonTokenParser.verify(JsonTokenParser.java:156)
        at net.oauth.jsontoken.JsonTokenParser.verify(JsonTokenParser.java:103)
        at net.oauth.jsontoken.JsonTokenParser.verifyAndDeserialize(JsonTokenParser.java:116)
        at com.google.identitytoolkit.JsonTokenHelper.verifyAndDeserialize(JsonTokenHelper.java:46)
        at com.google.identitytoolkit.GitkitClient.validateToken(GitkitClient.java:126)
        at com.google.identitytoolkit.GitkitClient.validateTokenInRequest(GitkitClient.java:154)
        at com.some.package.user.GitKitUserService.getGitkitUserFromRequest(GitKitUserService.groovy:25)
We have checked the gitkit-server-config.json file many times; it seems to be correct and points to a valid .p12 file. The p12 is correctly found and opened (since we get a FileNotFoundException when we remove it, or a parsing error when we alter it...) but the validation fails because of a null verifier...
Here it is:
    {
      "clientId": "707385568332-32charsofidxxxxxxxx.apps.googleusercontent.com",
      "projectId": "xxx-platform",
      "serviceAccountEmail": "xxx@xxx-platform.iam.gserviceaccount.com",
      "serviceAccountPrivateKeyFile": "/an/existing/path/xxx-platform-44d0379d237c.p12",
      "widgetUrl": "https://example.com/authentication/authenticate",
      "cookieName": "gtoken"
    }
Of course we can provide any additional information that might be required; we're really stuck with this issue!
Thanks in advance for any clue!
I'll just share my experience from setting up earlier today in case it can help you:
    String token = cookie.getValue();
    try {
        GitkitClient gitkitClient = GitkitClient.newBuilder()
                // OAuth client ID used as the expected audience
                .setGoogleClientId("206268081687-u5mg1cl3teeeo635vrsuj8uotdi7meqq.apps.googleusercontent.com")
                //.setGoogleClientId("effortless-edge-119904")
                .setServiceAccountEmail("tables@effortless-edge-119904.iam.gserviceaccount.com")
                .setCookieName("gtoken")
                .setWidgetUrl("http://localhost:8080/gitkit")
                .setKeyStream(new ClassPathResource("tables-8271416a8e0c.p12").getInputStream())
                .build();
        GitkitUser gitkitUser = gitkitClient.validateToken(token);
    } catch (Exception e) {
        // Key-loading and token-validation failures both end up here
        throw new IllegalStateException("Gitkit token validation failed", e);
    }
Gives me
    java.security.SignatureException: Gitkit token audience(effortless-edge-119904) doesn't match projectId or clientId in server configuration
This works:
    try {
        GitkitClient gitkitClient = GitkitClient.newBuilder()
                // Project ID passed in place of the OAuth client ID
                .setGoogleClientId("effortless-edge-119904")
                .setServiceAccountEmail("tables@effortless-edge-119904.iam.gserviceaccount.com")
                .setCookieName("gtoken")
                .setWidgetUrl("http://localhost:8080/gitkit")
                .setKeyStream(new ClassPathResource("tables-8271416a8e0c.p12").getInputStream())
                .build();
        GitkitUser gitkitUser = gitkitClient.validateToken(token);
        logger.info("Validated gitkit token");
    } catch (Exception e) {
        // Key-loading and token-validation failures both end up here
        throw new IllegalStateException("Gitkit token validation failed", e);
    }
I think DFB's answer is correct.
But we don't recommend hard-coded JSON config in Java code. There's a static method called createFromJson you can use to read a JSON file and then initialize GitkitClient.
We'll also need to update the README in identity-toolkit-java-client. Thanks for your question.
I was getting the same error and stumbled upon this thread. I was using gitclient-1.2.3.jar. I updated it to gitkitclient-1.2.5.jar (latest) and the problem went away.
UPDATE: I'm adding the code snippet below. I'm setting both setGoogleClientId and setProjectId as shown in the sample https://github.com/google/identity-toolkit-java-client/blob/master/src/main/java/com/google/identitytoolkit/GitkitClient.java
    GitkitClient gitkitClient = new GitkitClient.Builder()
            .setGoogleClientId("654028407702-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com")
            .setProjectId("my-project")
            .setServiceAccountEmail("my-project@my-project.iam.gserviceaccount.com")
            .setKeyStream(context.getResourceAsStream("/WEB-INF/identity/my-project-xxxxxxxxxxxx.p12"))
            .setWidgetUrl("https://my-project.appspot.com/oauth2callback")
            .setCookieName("gToken")
            .setServerApiKey("AIzaSyAxQ7z5Dxxxxxxxxxxxxxx-xxxxxxxx")
            .build();
I had a look at the gitkitclient.js source code and both projectId and clientId are added to the same audiences array.
After more tests I found out that you must only put the project ID ('my-project-name') in the gitkit-server-config.json file.
The nasty thing is that if you add it with a 'clientId' property name it is also working...
As far as I can see, the client ID (like 654028407702-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com) can be removed.
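Added example, not part of the thread and not code from the Gitkit library: a small diagnostic that shows which `aud` value a token actually carries and whether a given server config would accept it, following the rule stated in the error message quoted above (audience must match projectId or clientId). The class name `GitkitAudienceCheck`, its two helper methods and the sample token are hypothetical and constructed here; it assumes Gson is on the classpath.

```java
import com.google.gson.JsonObject;
import com.google.gson.JsonParser;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

// Added diagnostic, not Gitkit code. It reads claims WITHOUT verifying the
// signature, so its output must never be used to authenticate a user.
public class GitkitAudienceCheck {

    // Returns the "aud" claim from the unverified payload segment of a JWT.
    static String audienceOf(String jwt) {
        String[] parts = jwt.split("\\.");
        if (parts.length != 3) {
            throw new IllegalArgumentException("expected header.payload.signature");
        }
        byte[] payload = Base64.getUrlDecoder().decode(parts[1]);
        JsonObject claims = new JsonParser()
                .parse(new String(payload, StandardCharsets.UTF_8)).getAsJsonObject();
        if (!claims.has("aud") || !claims.get("aud").isJsonPrimitive()) {
            throw new IllegalArgumentException("token has no string aud claim");
        }
        return claims.get("aud").getAsString();
    }

    // Models the rule stated in the error message quoted in the thread:
    // aud must equal projectId or clientId from the server configuration.
    static boolean audienceAccepted(String aud, String configJson) {
        JsonObject cfg = new JsonParser().parse(configJson).getAsJsonObject();
        for (String key : Arrays.asList("projectId", "clientId")) {
            if (cfg.has(key) && aud.equals(cfg.get(key).getAsString())) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        // Constructed, unsigned sample token; a real one comes from the gtoken cookie.
        String token = enc.encodeToString("{\"alg\":\"RS256\"}".getBytes(StandardCharsets.UTF_8))
                + "." + enc.encodeToString("{\"aud\":\"xxx-platform\"}".getBytes(StandardCharsets.UTF_8))
                + ".constructed-signature";
        String clientId = "\"clientId\":\"707385568332-32charsofidxxxxxxxx.apps.googleusercontent.com\"";
        String aud = audienceOf(token);
        System.out.println("aud = " + aud);
        System.out.println("clientId only:  " + audienceAccepted(aud, "{" + clientId + "}"));
        System.out.println("with projectId: "
                + audienceAccepted(aud, "{" + clientId + ",\"projectId\":\"xxx-platform\"}"));
    }
}
```

Use this only to see why the library rejects a token; the accept or reject decision still has to come from `GitkitClient.validateToken`, which checks the signature.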