Validating Google sign in ID token in Go

I am finding the way to validate ID token for Google sign-in for Android with a Go backend server project.

What is the equivalent function for validating ID tokens by using a Google API Client Library in Go?

From this page on Using a Google API Client Library section

https://developers.google.com/identity/sign-in/android/backend-auth#using-a-google-api-client-library

There are Java and Python examples and there are links for verify ID tokens with the Google API Client Library for PHP, Node.js, and other languages. I checked for my target language; Go here

https://github.com/google/google-api-go-client/blob/master/GettingStarted.md

However, I found not equivalent function for validating token like in Java and Python example. Is there any function in Go for doing such thing?

I don't want to use token info endpoint

https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=XYZ123

since it introduces possible latency and network error. I wish to use Google API Client Library. Please guide me where should I look into.

This is how I've done it using https://github.com/google/google-api-go-client library:

import (
    "google.golang.org/api/oauth2/v2"
    "net/http"
)

var httpClient = &http.Client{}

func verifyIdToken(idToken string) (*oauth2.Tokeninfo, error) {
    oauth2Service, err := oauth2.New(httpClient)
    tokenInfoCall := oauth2Service.Tokeninfo()
    tokenInfoCall.IdToken(idToken)
    tokenInfo, err := tokenInfoCall.Do()
    if err != nil {
        return nil, err
    }
    return tokenInfo, nil
}

oauth2.Tokeninfo object has info about the user. Note that this makes a call to https://www.googleapis.com/oauth2/v2/tokeninfo and I think that all Google API Client Libraries make this http call under the hood.

Google's idToken is actually in JWT format, which is compact and self-contained JSON with signature.

See also: https://jwt.io/introduction/

google-auth-library-nodejs's OAuth2Client.prototype.verifyIdToken verify the idtoken using Google's public key and extract ClaimSet from the idtoken without calling the tokeninfo endpoint.

I just ported the verifyIdToken function from google-auth-library-nodejs, and created a library for this: https://github.com/futurenda/google-auth-id-token-verifier.

Usage:

import (
     "github.com/futurenda/google-auth-id-token-verifier"
)

v := googleAuthIDTokenVerifier.Verifier{}
aud := "xxxxxx-yyyyyyy.apps.googleusercontent.com"
err := v.VerifyIDToken(TOKEN, []string{
    aud,
})
if err == nil {
    claimSet, err := googleAuthIDTokenVerifier.Decode(TOKEN)
    // claimSet.Iss,claimSet.Email ... (See claimset.go)
}

来源：https://stackoverflow.com/questions/36716117/validating-google-sign-in-id-token-in-go

标签

android

google-app-engine

oauth

google-client