googleIDVerifier

v1.0.1

This package is not in the latest version of its module.

Published: Nov 8, 2019 | License: MIT | Imports: 13 | Imported by: 0

README

google-id-verifier

Golang port of OAuth2Client.prototype.verifyIdToken from google-auth-library-nodejs

Verifies Google-issued ID tokens locally, without making an HTTP request to the tokeninfo API.

Usage


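import (
    "log"

    googleIDVerifier "github.com/serjlee/google-id-verifier"
)

v := googleIDVerifier.CertsVerifier{}
aud := "xxxxxx-yyyyyyy.apps.googleusercontent.com"
// audience is variadic: pass each accepted client ID as its own argument
// (or expand a slice with auds...).
if err := v.VerifyIDToken(TOKEN, aud); err != nil {
    log.Fatalf("ID token rejected: %v", err)
}
// Read claims only after verification has succeeded.
claimSet, err := googleIDVerifier.Decode(TOKEN)
if err != nil {
    log.Fatalf("decode: %v", err)
}
log.Println(claimSet.Iss, claimSet.Email) // see claimset.go for the other fields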

Features

Deps

  • golang.org/x/oauth2/jws

See also

Documentation

Index

Constants

This section is empty.

Variables

var (
	ErrInvalidToken = errors.New("Invalid token")

	ErrPublicKeyNotFound = errors.New("No public key found for given kid")

	ErrWrongSignature = errors.New("Wrong token signature")

	ErrNoIssueTimeInToken = errors.New("No issue time in token")

	ErrNoExpirationTimeInToken = errors.New("No expiration time in token")

	ErrExpirationTimeTooFarInFuture = errors.New("Expiration time too far in future")

	ErrTokenUsedTooEarly = errors.New("Token used too early")

	ErrTokenUsedTooLate = errors.New("Token used too late")
)
var (
	// MaxTokenLifetime is one day
	MaxTokenLifetime = time.Second * 86400

	// ClockSkew - five minutes
	ClockSkew = time.Minute * 5

	// Issuers is the allowed oauth token issuers
	Issuers = []string{
		"accounts.google.com",
		"https://accounts.google.com",
	}
)

Functions

func VerifySignedJWTWithCerts

func VerifySignedJWTWithCerts(token string, certs *Certs, allowedAuds []string, issuers []string, maxExpiry time.Duration) error

VerifySignedJWTWithCerts is a Go port of OAuth2Client.prototype.verifySignedJwtWithCerts
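
The time-related errors and the MaxTokenLifetime and ClockSkew defaults listed above imply the window check sketched here. This is an added example, not the package's source: the name checkTimeWindow, the lowercase error names and the treatment of a zero claim as missing are assumptions, and the comparisons are assumed to follow the Node.js verifySignedJwtWithCerts that the package ports.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Stand-ins for the package's exported errors and defaults (this example's own names).
var (
	errNoIat     = errors.New("no issue time in token")
	errNoExp     = errors.New("no expiration time in token")
	errExpTooFar = errors.New("expiration time too far in future")
	errTooEarly  = errors.New("token used too early")
	errTooLate   = errors.New("token used too late")

	maxLifetime = 86400 * time.Second // same value as MaxTokenLifetime
	clockSkew   = 5 * time.Minute     // same value as ClockSkew
)

// checkTimeWindow validates the iat and exp claims (Unix seconds) against now.
// A zero value is treated as a missing claim.
func checkTimeWindow(iat, exp int64, now time.Time) error {
	issued, expires := time.Unix(iat, 0), time.Unix(exp, 0)
	switch {
	case iat == 0:
		return errNoIat
	case exp == 0:
		return errNoExp
	case !expires.Before(now.Add(maxLifetime)): // caps how long any token may remain valid
		return errExpTooFar
	case now.Before(issued.Add(-clockSkew)): // issued in our future, beyond the skew allowance
		return errTooEarly
	case now.After(expires.Add(clockSkew)): // expired, beyond the skew allowance
		return errTooLate
	}
	return nil
}

func main() {
	now := time.Unix(1700000000, 0) // constructed clock; all claim values below are constructed
	n := now.Unix()
	fmt.Println("fresh token:      ", checkTimeWindow(n-60, n+3540, now))
	fmt.Println("exp one day out:  ", checkTimeWindow(n-60, n+86400, now))
	fmt.Println("iat 301s ahead:   ", checkTimeWindow(n+301, n+3600, now))
	fmt.Println("expired 301s ago: ", checkTimeWindow(n-4000, n-301, now))
}
```

The signature, issuer and audience checks are out of scope here; a token must pass those as well before its claims are trusted.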

Types

type Certs

type Certs struct {
	Keys   map[string]*rsa.PublicKey
	Expiry time.Time
}

type CertsVerifier

type CertsVerifier struct {
	DefaultAudience []string
}

CertsVerifier implements Verifier by periodically fetching the Google certs and validating ID tokens locally

func (*CertsVerifier) VerifyIDToken

func (v *CertsVerifier) VerifyIDToken(idToken string, audience ...string) error

VerifyIDToken checks the validity of a given Google-issued OAuth2 ID token

type ClaimSet

type ClaimSet struct {
	jws.ClaimSet
	Email         string `json:"email"`
	EmailVerified bool   `json:"email_verified"`
	Name          string `json:"name"`
	Picture       string `json:"picture"`
	GivenName     string `json:"given_name"`
	FamilyName    string `json:"family_name"`
	Locale        string `json:"locale"`
}

func Decode

func Decode(token string) (*ClaimSet, error)

Decode returns ClaimSet

type TokenVerifier

type TokenVerifier interface {
	// VerifyIDToken checks the validity of a given Google-issued OAuth2 ID token
	VerifyIDToken(idToken string, audience ...string) error
}

TokenVerifier has a method to verify a Google-issued OAuth2 ID token
