Package for verifying Google sign-in token in Go running on GAE

I have successfully received a Google sign-in token from my Android app on my web server, which is written in Go and runs on GAE. I do not wish to use

https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=XYZ123

because it has the latency issue and the potential network errors that the Google sign-in integration guide warns about. So I am looking for a way to use the Google API Client Library for Go, and I found this:

https://github.com/google/google-api-go-client/blob/master/GettingStarted.md

I found that it is more complicated than the Java and Python Google API Client Libraries, where I would just need to call the GoogleIdTokenVerifier method or the verify_id_token function to get the information of the Google user who has signed in on the Android app. I am not sure I am going in the right direction. Please guide me on how to verify the Google sign-in token received from the Android app.

Ook asked Apr 17 '16 14:04


1 Answer

I too recently faced this issue and found two solutions.

But before that, you need to understand what Python's library (or the other recommended client libraries) does:

  1. It hits https://www.googleapis.com/oauth2/v2/certs to get an array of RSA public keys.
  2. Decodes the token.
  3. Uses the "kid" (key id) field from the decoded token to generate a PEM key for the matching RSA public key.
  4. Verifies the signature of the token (which is after the 2nd dot in a JWT) using the PEM key.

Now two solutions:

  1. Using the official oauth library "google.golang.org/api/oauth2/v2"

    package main

    import (
        "net/http"

        "google.golang.org/api/oauth2/v2"
    )

    // getTokenInfo sends idToken to Google's tokeninfo endpoint and returns the decoded fields.
    func getTokenInfo(idToken string) (*oauth2.Tokeninfo, error) {
        oauth2Service, err := oauth2.New(&http.Client{})
        if err != nil {
            return nil, err
        }
        tokenInfoCall := oauth2Service.Tokeninfo()
        tokenInfoCall.IdToken(idToken)
        return tokenInfoCall.Do()
    }


     From Tokeninfo you can verify that the audience (tokenInfo.Audience) and issued-to (tokenInfo.IssuedTo) are valid, and any other parameters that you want to check. But golang's official library doesn't follow the process that I mentioned earlier. It hits www.googleapis.com/oauth2/v2/tokeninfo for generating the tokeninfo (not www.googleapis.com/oauth2/v3/tokeninfo; v2 doesn't give some fields like "name", but it gives every field, including email, that you need to verify the token).

  2. Using the GoogleIdTokenVerifier library, which is a port of Python's library.

What you can do to improve the efficiency of the process is to cache the certs and PEM. Unless a token with a new "kid" comes, don't hit the URL.

Do a benchmark and check which approach is faster. That thing about latency can be wrong, as you are using the network to get the certs.

khrm answered Oct 13 '22 08:10