From ebac7320cfd5f488de2525cbfd7489f439869b21 Mon Sep 17 00:00:00 2001
From: Pal Sivertsen
Date: Thu, 13 Sep 2018 10:57:39 +0200
Subject: [PATCH] Move token signature verification after fields

Token signature validation can be an expensive operation. For tokens with invalid fields it is not necessary to check the signature and it is therfore moved to the bottom.
---
 auth/auth.go | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/auth/auth.go b/auth/auth.go
index e73b33ac..a2d7e1b1 100644
--- a/auth/auth.go
+++ b/auth/auth.go
@@ -220,9 +220,6 @@ func (c *Client) VerifyIDToken(ctx context.Context, idToken string) (*Token, err
 return nil, fmt.Errorf("id token must be a non-empty string")
 }
- if err := verifyToken(ctx, idToken, c.keySource); err != nil {
- return nil, err
- }
 segments := strings.Split(idToken, ".")
 var (
@@ -281,6 +278,13 @@ func (c *Client) VerifyIDToken(ctx context.Context, idToken string) (*Token, err
 return nil, err
 }
 payload.UID = payload.Subject
+
+ // Verifying the signature requires syncronized access to a key store and
+ // potentially issues a http request. Validating the fields of the token is
+ // cheaper and invalid tokens will fail faster.
+ if err := verifyToken(ctx, idToken, c.keySource); err != nil {
+ return nil, err
+ }
 return &payload, nil
 }
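Review bot: With `verifyToken` now the last statement before `return &payload, nil` in the second hunk, everything above it in VerifyIDToken (including `payload.UID = payload.Subject`) operates on claims whose signature has not been checked, and the added comment gives only the cost argument, not that invariant. I would extend the comment with a line such as `// SECURITY: payload is unauthenticated until verifyToken succeeds; nothing above may return it or act on it.` and fix the `syncronized` and `a http` typos while there. If the field checks, which sit outside this hunk, include expected issuer or audience values in their error strings, those messages are now returned for unsigned tokens as well, so it is worth confirming that is acceptable. A regression test that feeds a token with well-formed claims and an invalid signature would pin that the reordered path still rejects it. The function body starts outside the hunk.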