Provide token verification within oauth2 library #128

@gguuss

Description

Because ID token verification is an important step in AuthN systems that use OAuth2 / OpenID Connect, we should provide a convenience method that verifies tokens. The following code does basic token verification:

package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// ClaimSet holds the claims this snippet reads from the ID token payload;
// Sub is the Google+ ID.
type ClaimSet struct {
	Sub string `json:"sub"`
}

// base64Decode decodes a base64url segment, restoring the "=" padding that
// JWTs omit so that the standard decoder accepts it.
func base64Decode(s string) ([]byte, error) {
	if m := len(s) % 4; m != 0 {
		s += strings.Repeat("=", 4-m)
	}
	return base64.URLEncoding.DecodeString(s)
}

// decodeIdToken takes an ID Token and decodes it to fetch the Google+ ID within
func decodeIdToken(idToken string) (gplusID string, err error) {
	fmt.Fprintf(os.Stderr, "dump: %s\n", idToken) // debug output of the raw token
	// An ID token is a cryptographically-signed JSON object encoded in base 64.
	// Normally, it is critical that you validate an ID token before you use it,
	// but since you are communicating directly with Google over an
	// intermediary-free HTTPS channel and using your Client Secret to
	// authenticate yourself to Google, you can be confident that the token you
	// receive really comes from Google and is valid. If your server passes the ID
	// token to other components of your app, it is extremely important that the
	// other components validate the token before using it.
	var set ClaimSet
	if idToken != "" {
		// A JWT is header.payload.signature; the claims are in the second segment
		parts := strings.Split(idToken, ".")
		if len(parts) < 2 {
			return "", fmt.Errorf("Malformed ID token")
		}
		// Decode the ID token payload (base64Decode checks and fixes the padding first)
		b, err := base64Decode(parts[1])
		if err != nil {
			return "", fmt.Errorf("Malformed ID token: %v", err)
		}
		err = json.Unmarshal(b, &set)
		if err != nil {
			return "", fmt.Errorf("Malformed ID token: %v", err)
		}
	}
	return set.Sub, nil
}

Comprehensive information on ID tokens is available within the OpenID Connect 1.0 spec - http://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken