Package for verifying Google sign-in token in Go running on GAE

Question

I have successfully received a Google sign-in token from my Android app on my web server, written in Go and running on GAE. I do not wish to use the

https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=XYZ123

because it has issues with latency and potential network errors, as warned on the Google sign-in integration guide page. So I am looking for a way to use the Google API Client Library for Go, and I found this:

https://github.com/google/google-api-go-client/blob/master/GettingStarted.md

I found that it was more complicated than the Java and Python Google API Client Libraries, where I would just need to call the GoogleIdTokenVerifier method or the verify_id_token function to get the information of the Google user who has signed in on the Android app. I am not sure I am going in the right direction. Please guide me on how to verify the Google sign-in token received from the Android app.

Answer 1

Score: 15

I too recently faced this issue and found two solutions.

But before that, you need to understand what Python's library (or the other recommended client libraries) does:

  1. It hits https://www.googleapis.com/oauth2/v2/certs to get an array of RSA public keys.
  2. Decodes the token.
  3. Uses the "kid" (key id) field from the decoded token to generate a PEM key for the matching RSA public key.
  4. Verifies the signature of the token (which is after the 2nd dot in a JWT token) using the PEM key.

Now the two solutions:

  1. Using the official OAuth library "google.golang.org/api/oauth2/v2"

     import (
         "net/http"

         oauth2 "google.golang.org/api/oauth2/v2"
     )

     // getTokenInfo asks Google's tokeninfo endpoint to decode and check idToken.
     func getTokenInfo(idToken string) (*oauth2.Tokeninfo, error) {
         oauth2Service, err := oauth2.New(&http.Client{})
         if err != nil {
             return nil, err
         }
         tokenInfoCall := oauth2Service.Tokeninfo()
         tokenInfoCall.IdToken(idToken)
         return tokenInfoCall.Do()
     }

     From Tokeninfo you can verify that the audience (tokenInfo.Audience) and issued-to (tokenInfo.IssuedTo) are valid, and any other parameters that you want to check. But Golang's official library doesn't follow the process that I mentioned earlier. It hits www.googleapis.com/oauth2/v2/tokeninfo to generate the tokeninfo (not www.googleapis.com/oauth2/v3/tokeninfo; v2 doesn't give some fields like "name", but it does give every field you need to verify the token, including email).

  2. Using the GoogleIdTokenVerifier library, which is a port of Python's library.

What you can do to improve the efficiency of the process is to cache the certs and PEM. Unless a token with a new "kid" comes in, don't hit the URL.

Do a benchmark and check which approach is faster. That point about latency can be wrong, as you are using the network to get the certs.

huangapple
  • Published on 2016-04-17 22:14:34
  • Please keep this link when reposting: https://go.coder-hub.com/36677658.html