I have successfully received a Google Sign-In token from my Android app on my web server, written in Go and running on GAE. I do not wish to use
https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=XYZ123
because of the latency and potential network error issues warned about on the Google Sign-In integration guide page. So I am looking for a way to use the Google API Client Library for Go, and I found this:
https://github.com/google/google-api-go-client/blob/master/GettingStarted.md
I found that it was more complicated than the Java and Python Google API Client Libraries, where I would need to just call the GoogleIdTokenVerifier method or the verify_id_token function to get the information of the Google user who has signed in on the Android app. I am not sure I am going in the right direction. Please guide me on how to verify the Google Sign-In token received from the Android app.
The access token is set with a reasonably lower expiration time of 30 mins. The refresh token is set with a very long expiration time of 200 days.
I too recently faced this issue and found two solutions.
But before that, you need to understand what Python's library (or the other recommended client libraries) does.
Now the two solutions:
Using the official OAuth library "google.golang.org/api/oauth2/v2":
package main

import (
	"net/http"

	oauth2 "google.golang.org/api/oauth2/v2"
)

// getTokenInfo asks Google's tokeninfo endpoint to validate idToken and
// returns the decoded claims (audience, issued-to, email, ...).
func getTokenInfo(idToken string) (*oauth2.Tokeninfo, error) {
	oauth2Service, err := oauth2.New(&http.Client{})
	if err != nil {
		return nil, err
	}
	tokenInfoCall := oauth2Service.Tokeninfo()
	tokenInfoCall.IdToken(idToken)
	return tokenInfoCall.Do()
}
From Tokeninfo you can verify that the audience (tokenInfo.Audience) and issued-to (tokenInfo.IssuedTo) are valid, plus any other parameters you want to check. But Go's official library doesn't follow the process I mentioned earlier: it hits www.googleapis.com/oauth2/v2/tokeninfo to generate the tokeninfo (not www.googleapis.com/oauth2/v3/tokeninfo; v2 doesn't return some fields like "name", but it does return every field you need to verify the token, including email).
Using the GoogleIdTokenVerifier library, which is a port of Python's library.
What you can do to improve the efficiency of the process is to cache the certs and PEM. Unless a token with a new "kid" comes in, don't hit the URL.
Do a benchmark and check which approach is faster. That claim about latency can be wrong, as you are using the network to get the certs anyway.