
I have successfully received a Google sign-in token from my Android app on my web server, which is written in Go and runs on GAE. I do not wish to use

https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=XYZ123

because it has the latency and potential network error issues warned about on the Google Sign-In integration guide page. So I am looking for a way to use the Google API Client Library for Go, and I found this:

https://github.com/google/google-api-go-client/blob/master/GettingStarted.md

I found that it was more complicated than the Java and Python Google API Client Libraries, where I would only need to call the GoogleIdTokenVerifier method or the verify_id_token function to get the information of the Google user who has signed in on the Android app. I am not sure I am going in the right direction. Please guide me on how to verify the Google sign-in token received from the Android app.

Cœur
ともこ
  • Which Google API do you want to use? – Andreas Koch Apr 18 '16 at 10:54
  • I want to use the Google Sign-In API. I just want to verify the token sent from the Android app. The user signs in from the app and the app sends a token to my backend server. – ともこ Apr 18 '16 at 12:00
  • You wrote: "I just want to verify the token sent from the Android app". That sentence doesn't make too much sense. Do you want to do the auth server-side in Go, or do you want to do it on Android? Please clarify. – John Difool Apr 25 '16 at 06:06
  • Users will log on to the system on their mobile running an Android app by using Google Sign-In. Then the Android app will send the token to a web application written in Go. The web app will verify the token and check for the existing Google user ID in the Google App Engine Datastore. The users can retrieve their private data from the web app to the Android app only if the token is verified as valid on the web application side. – ともこ Apr 25 '16 at 07:09
  • The "issue about latency and potential network errors warned on google sign-in integration guiding page" is fairly silly. What the docs are pointing out is the obvious point that an additional API request is actually an additional network request that takes time. There's no reason not to use the original API endpoint. Just consider the additional API request as part of the time taken to actually authorize the user's Google account. – photoionized Apr 26 '16 at 19:24
  • @photoionized I believe you can post your comment as an answer - I would upvote it. – Alexander Trakhimenok Apr 29 '16 at 12:11
  • Answered here: https://stackoverflow.com/a/62984078/2678741 – Guy Jul 19 '20 at 18:26

1 Answer


I too recently faced this issue and found two solutions.

But before that, you need to understand what Python's library (or the other recommended client libraries) does.

  1. It hits https://www.googleapis.com/oauth2/v2/certs to get an array of RSA public keys.
  2. Decodes the token.
  3. Uses the "kid" (key id) field from the decoded token to generate a PEM key for the matching RSA public key.
  4. Verifies the signature of the token (the part after the 2nd dot in a JWT) using the PEM key.

Now the two solutions:

  1. Using the official oauth library "google.golang.org/api/oauth2/v2"

    package main

    import (
        "net/http"

        oauth2 "google.golang.org/api/oauth2/v2"
    )

    // getTokenInfo asks Google's tokeninfo endpoint to validate idToken and
    // returns the Tokeninfo it describes (audience, issued-to, user fields).
    func getTokenInfo(idToken string) (*oauth2.Tokeninfo, error) {
        oauth2Service, err := oauth2.New(&http.Client{})
        if err != nil {
            return nil, err
        }
        tokenInfoCall := oauth2Service.Tokeninfo()
        tokenInfoCall.IdToken(idToken)
        return tokenInfoCall.Do()
    }
    

    From Tokeninfo you can verify that the audience (tokenInfo.Audience) and issued-to (tokenInfo.IssuedTo) are valid, and any other parameters you want to check. But Go's official library doesn't follow the process I mentioned earlier. It hits www.googleapis.com/oauth2/v2/tokeninfo to generate the tokeninfo (not www.googleapis.com/oauth2/v3/tokeninfo; v2 doesn't give some fields like "name", but it gives every field, including email, that you need to verify the token).

  2. Using the GoogleIdTokenVerifier library, which is a port of Python's library.

What you can do to improve the efficiency of the process is to cache the certs and PEM. Unless a token with a new "kid" comes in, don't hit the URL.

Do a benchmark and check which approach is faster. That thing about latency can be wrong, as you are using the network to get the certs.

khrm
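The four-step local verification the answer describes (fetch the RSA public keys, decode the token, select the key by "kid", verify the RS256 signature), followed by the claim checks the tokeninfo endpoint would otherwise do for you, written out as an added example. This is not code from the answer, the question, or any Google library. It assumes the certs have already been fetched and cached into a map keyed by "kid" (no network call is made here); the kid "kid-demo", the client ID "example-client-id", the sub and email values, and the NewDemoKey/SignIDToken helpers are all constructed stand-ins so the verifier can be exercised offline. Google signs real tokens with its own keys, so a production verifier would only ever hold the public half.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

type Claims struct { // the Google ID token payload fields this example checks
	Iss   string `json:"iss"`
	Aud   string `json:"aud"`
	Sub   string `json:"sub"`
	Email string `json:"email"`
	Exp   int64  `json:"exp"`
}

// VerifyIDToken is the answer's four steps in code: the header "kid" picks a key
// from keys (standing in for the cached certs), the RS256 signature over
// "header.payload" is checked, and only then are issuer, audience and expiry read.
func VerifyIDToken(token string, keys map[string]*rsa.PublicKey, audience string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("token is not a three-part JWT")
	}
	seg := make([][]byte, 3) // header, payload, signature; JWT segments are unpadded base64url
	for i, p := range parts {
		var err error
		if seg[i], err = base64.RawURLEncoding.DecodeString(p); err != nil {
			return nil, fmt.Errorf("segment %d: %w", i, err)
		}
	}
	var h struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if err := json.Unmarshal(seg[0], &h); err != nil {
		return nil, fmt.Errorf("header: %w", err)
	}
	if h.Alg != "RS256" { // pin the algorithm; never let the token choose "none" or HS256
		return nil, fmt.Errorf("unexpected alg %q", h.Alg)
	}
	key, ok := keys[h.Kid]
	if !ok {
		return nil, fmt.Errorf("no cert for kid %q (refresh the cert cache)", h.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], seg[2]); err != nil {
		return nil, fmt.Errorf("signature: %w", err)
	}
	var c Claims // only after the signature check is the payload worth trusting
	if err := json.Unmarshal(seg[1], &c); err != nil {
		return nil, fmt.Errorf("payload: %w", err)
	}
	switch {
	case c.Iss != "accounts.google.com" && c.Iss != "https://accounts.google.com":
		return nil, fmt.Errorf("unexpected issuer %q", c.Iss)
	case c.Aud != audience:
		return nil, fmt.Errorf("audience %q is not this app's client ID", c.Aud)
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, fmt.Errorf("token expired at %d", c.Exp)
	}
	return &c, nil
}

// SignIDToken mints an RS256 token under the given kid so the verifier can be
// exercised offline with a throwaway key (Google signs real tokens itself).
func SignIDToken(priv *rsa.PrivateKey, kid string, c Claims) (string, error) {
	enc := base64.RawURLEncoding.EncodeToString
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(c)
	signingInput := enc(hdr) + "." + enc(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + enc(sig), nil
}

// NewDemoKey makes a throwaway signing key for the offline demo.
func NewDemoKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func main() {
	priv := NewDemoKey()
	keys := map[string]*rsa.PublicKey{"kid-demo": &priv.PublicKey} // constructed stand-in for the cert cache
	tok, _ := SignIDToken(priv, "kid-demo", Claims{Iss: "https://accounts.google.com", Aud: "example-client-id",
		Sub: "1234567890", Email: "user@example.com", Exp: time.Now().Add(time.Hour).Unix()})
	claims, err := VerifyIDToken(tok, keys, "example-client-id", time.Now())
	fmt.Printf("claims=%+v err=%v\n", claims, err)
}
```

The order of checks is the point: the signature is verified before a single claim is read, the algorithm is pinned to RS256 rather than taken from the token, and an unknown "kid" is treated as "refresh the cached certs and retry once", not as an error to be worked around. The audience check is what stops an ID token issued to some other app's client ID from logging a user into yours, and the sub field, not the email, is the stable Google user ID to store in the Datastore.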