Documentation

Overview

Package idtoken provides utilities for creating authenticated transports with ID Tokens for Google HTTP APIs. It also provides methods to validate Google-issued ID tokens.

Constants

This section is empty.

Variables

This section is empty.

Functions

func NewClient

func NewClient(ctx context.Context, audience string, opts ...ClientOption) (*http.Client, error)

NewClient creates an HTTP Client that automatically adds an ID token to each request via an Authorization header. The token will have the audience provided and be configured with the supplied options. The parameter audience may not be empty.

func NewTokenSource

func NewTokenSource(ctx context.Context, audience string, opts ...ClientOption) (oauth2.TokenSource, error)

NewTokenSource creates a TokenSource that returns ID tokens with the audience provided and configured with the supplied options. The parameter audience may not be empty.

Example (SetAuthorizationHeader)

Code:

package main

import (
	"context"
	"google.golang.org/api/idtoken"
	"log"
	"net/http"
)

func main() {
	ctx := context.Background()
	// The audience must match the service the token is presented to.
	audience := "http://example.com"
	ts, err := idtoken.NewTokenSource(ctx, audience)
	if err != nil {
		log.Fatalf("creating token source: %v", err)
	}
	// Token() returns a cached ID token, minting a new one when the current one has expired.
	token, err := ts.Token()
	if err != nil {
		log.Fatalf("fetching ID token: %v", err)
	}
	req, err := http.NewRequest(http.MethodGet, audience, nil)
	if err != nil {
		log.Fatalf("building request: %v", err)
	}
	// Attaches the token as "Authorization: Bearer <token>".
	token.SetAuthHeader(req)
}

Types

type ClientOption

type ClientOption = option.ClientOption

ClientOption is for configuring a Google API client or transport.

func WithCredentialsFile

func WithCredentialsFile(filename string) ClientOption

WithCredentialsFile returns a ClientOption that authenticates API calls with the given service account or refresh token JSON credentials file.

func WithCredentialsJSON

func WithCredentialsJSON(p []byte) ClientOption

WithCredentialsJSON returns a ClientOption that authenticates API calls with the given service account or refresh token JSON credentials.

func WithCustomClaims

func WithCustomClaims(customClaims map[string]interface{}) ClientOption

WithCustomClaims optionally specifies custom private claims for an ID token.

func WithHTTPClient

func WithHTTPClient(client *http.Client) ClientOption

WithHTTPClient returns a ClientOption that specifies the HTTP client to use as the basis of communications. This option may only be used with services that support HTTP as their communication transport. When used, the WithHTTPClient option takes precedence over all other supplied options.

type Payload

type Payload struct {
	Issuer   string                 `json:"iss"`
	Audience string                 `json:"aud"`
	Expires  int64                  `json:"exp"`
	IssuedAt int64                  `json:"iat"`
	Subject  string                 `json:"sub,omitempty"`
	Claims   map[string]interface{} `json:"-"`
}

Payload represents a decoded payload of an ID Token.

func Validate

func Validate(ctx context.Context, idToken string, audience string) (*Payload, error)

Validate checks the provided idToken against the public certificates published at a known Google cert URL. If audience is not empty, the token's audience claim is checked against it as well. Upon successful validation the parsed token Payload is returned so that the caller can validate any additional claims.

type Validator

type Validator struct {
	// contains filtered or unexported fields
}

Validator provides a way to validate Google ID Tokens with a user-provided http.Client.

func NewValidator

func NewValidator(ctx context.Context, opts ...ClientOption) (*Validator, error)

NewValidator creates a Validator that uses the options provided to configure the internal http.Client that will be used to make requests to fetch JWKs.

func (*Validator) Validate

func (v *Validator) Validate(ctx context.Context, idToken string, audience string) (*Payload, error)

Validate checks the provided idToken against the public certificates published at a known Google cert URL. If audience is not empty, the token's audience claim is checked against it as well. Upon successful validation the parsed token Payload is returned so that the caller can validate any additional claims.
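Both Validate functions above return the Payload so that the caller can check the claims the library does not: which issuer and subject are acceptable, and whether the e-mail was verified. The following added example (not part of the idtoken package) shows that caller-side policy on the receiving end of an Authorization header. Assumptions: Payload is re-declared with only the fields used so the file compiles without the module (real code uses idtoken.Payload), and validateFunc stands in for idtoken.Validate, which has this signature.

```go
package main

import (
	"context"
	"errors"
	"net/http"
	"strings"
)

// Payload keeps just the idtoken.Payload fields used here; real code uses idtoken.Payload itself.
type Payload struct {
	Issuer  string
	Subject string
	Claims  map[string]interface{}
}

// validateFunc has the shape of idtoken.Validate; in real code pass idtoken.Validate here.
type validateFunc func(ctx context.Context, idToken, audience string) (*Payload, error)

// checkClaims is the caller-side policy applied once Validate has succeeded:
// pinned Google issuer, subject allowlist, and a verified e-mail address.
func checkClaims(p *Payload, allowedSubjects map[string]bool) error {
	if p.Issuer != "accounts.google.com" && p.Issuer != "https://accounts.google.com" {
		return errors.New("unexpected issuer")
	}
	if !allowedSubjects[p.Subject] {
		return errors.New("subject not allowed")
	}
	if ok, _ := p.Claims["email_verified"].(bool); !ok {
		return errors.New("email_verified missing or false")
	}
	return nil
}

// authorize validates the request's Bearer token for audience, then applies
// checkClaims; on failure it returns the HTTP status the handler should send.
func authorize(validate validateFunc, audience string, allowed map[string]bool, r *http.Request) (int, error) {
	auth := r.Header.Get("Authorization")
	if !strings.HasPrefix(auth, "Bearer ") {
		return http.StatusUnauthorized, errors.New("missing bearer token")
	}
	p, err := validate(r.Context(), strings.TrimPrefix(auth, "Bearer "), audience)
	if err != nil {
		return http.StatusUnauthorized, err
	}
	if err := checkClaims(p, allowed); err != nil {
		return http.StatusForbidden, err
	}
	return http.StatusOK, nil
}
```

An http.Handler wrapping a protected route calls authorize and answers with http.Error(w, "unauthorized", status) on a non-nil error, without echoing the reason to the client.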