Doesn't seem to work with 1.4.2

taken id_token params from .getAuthResponse() in client side and tested with

validator = GoogleIDToken::Validator.new
validator.check(token, client_id, secret)

Traceback (most recent call last):
    2: from (irb):12
    1: from (irb):12:in `rescue in irb_binding'
GoogleIDToken::ClientIDMismatchError (Token client-id mismatch)

It seems like google has forgotten to release updates for this gem. This is the same problem as #15 , but again. Can someone at google bump this?

After scouring the docs, there doesn't seem to be ANY other officially recommended way to validate tokens from the frontend on a ruby backend. I've been scratching my head for several hours here. There's no link in the docs to any kind of entry in the modern ruby gapi clients.

Recent change to the JWT spec allows the audience field (aud) to be a string or 
array of strings. While Google's tokens aren't changing any time soon, still 
good to have the correct logic in place just in case :)

Original issue reported on code.google.com by [email protected] on 14 Feb 2013 at 9:09

The validator itself isn't thread safe due to the use of @problem to report back status. This requires creating a new instance each time (or at least being very careful in other ways.) Creating multiple instances however partially defeats the built-in caching of certificates.

Could use a refactoring to better separate out the certificate loading/caching from the validator. It's partially there in that a list of certs can be passed in to the validator, but that leaves a lot of implementation in the hands of users of the lib.

Should be a more complete solution than what is offered.

Released gem 1.4.1 has too strict file permission, which results in error loading it in example in containerized environments:

 ls -al /home/wojtek/.rbenv/versions/2.4.1/lib/ruby/gems/2.4.0/gems/google-id-token-1.4.1/lib/google-id-token.rb 
-rw-r----- 1 wojtek wojtek 5836 wrz 11 13:44 /home/wojtek/.rbenv/versions/2.4.1/lib/ruby/gems/2.4.0/gems/google-id-token-1.4.1/lib/google-id-token.rb

The 1.4.0 is fine:

ls -al /home/wojtek/.rbenv/versions/2.4.1/lib/ruby/gems/2.4.0/gems/google-id-token-1.4.0/lib/google-id-token.rb 
-rw-r--r-- 1 wojtek wojtek 5809 wrz 11 13:21 /home/wojtek/.rbenv/versions/2.4.1/lib/ruby/gems/2.4.0/gems/google-id-token-1.4.0/lib/google-id-token.rb

I see in the comments here https://github.com/google/google-api-ruby-client/blob/master/samples/web/app.rb#L69 that this lib is not production ready? Is this true?

What is the suggested method of checking ID tokens if, this is not the supported lib?

Thanks

A new major revision has been released and it's API changed.

Original issue reported on code.google.com by [email protected] on 12 Jun 2014 at 3:55

https://github.com/google/google-id-token/blob/master/lib/google-id-token.rb#L115

This line needs to be:

decoded_token = JWT.decode(token, public_key, true, algorithm: "RS256")

See: jwt/ruby-jwt#107

hello ! just followed this in stackoverflow https://stackoverflow.com/questions/45262755/how-to-validate-google-token-id-sent-from-android-on-ruby-on-rails-server

validator = GoogleIDToken::Validator.new(expiry: 1800) begin payload = validator.check(token, required_audience, required_client_id) email = payload['email'] rescue GoogleIDToken::ValidationError => e report "Cannot validate: #{e}" end

but i'm getting an error uninitialized constant JWT::ExpiredSignature

I am trying to parse the JWT ID token from my client ID. I parsed the token and got my required_audience and it is same as required_client_id. But,

payload = validator.check(token, required_audience, required_client_id)

This is always returning me nil. Any idea why?

I generated the token on Android using the following code:

// Configure Google Sign-In with the requestIdToken
GoogleSignInOptions googleSignInOptions = new GoogleSignInOptions.Builder(GoogleSignInOptions.DEFAULT_SIGN_IN)
                .requestIdToken(getString(R.string.server_client_id))
                .requestEmail()
                .build();

// Handle result
private void handleSignInResult(GoogleSignInResult result) {
    if (result.isSuccess()) {
        GoogleSignInAccount account = result.getSignInAccount();
        String tokenId = account.getIdToken();
    }
}

The token is indeed generated by Google. But, in Ruby, I get this error:

irb> validator.problem
 => "Token not verified as issued by Google"

How can you provide multiple client ids as per the google docs example here (note this is javascript code) https://developers.google.com/identity/sign-in/ios/backend-auth

const ticket = await client.verifyIdToken({
      idToken: token,
      audience: CLIENT_ID,  // Specify the CLIENT_ID of the app that accesses the backend
      // Or, if multiple clients access the backend:
      //[CLIENT_ID_1, CLIENT_ID_2, CLIENT_ID_3]
  });

I tried passing in an array as the second parameter when calling validator.check but that seems to not work.

When I pass just a single string, the code works fine. Else I get an error like so:

GoogleIDToken::AudienceMismatchError: Token audience mismatch

gem.license = "Apache License 2.0"

Original issue reported on code.google.com by [email protected] on 12 May 2014 at 7:31

See:
https://code.google.com/p/google-id-token/source/browse/lib/google-id-token.rb#3
3

Need an ability to customize that URL.

Original issue reported on code.google.com by [email protected] on 24 Mar 2013 at 11:26

I'm planning to use this gem within a authentication scheme. While I can get the email address, the other information on the "subject" is missing. See https://developers.google.com/identity/sign-in/ios/backend-auth for details.

Will take a look on the implementation side now.

I do the following simple validation in my Rails (4.2.10) backend:

        validator = GoogleIDToken::Validator.new
        begin
          firebase_project_id = 'auth-test-****'
          payload = validator.check(token, firebase_project_id, firebase_project_id)
        rescue GoogleIDToken::ValidationError => e
          raise "Cannot validate: #{e}"
        end

I use the project id of my firebase project as the audience and client id – which I assume is the way it is supposed to be. The token was created on the client by signing in with Google Firebase Authentication.

I can decode the token fine with a general JWT library and inserting Google's public keys manually. So the token seems to be correct.

Is this a bug or am I calling the validator in a weird way? Why does it always throw an exception even with a valid token and valid project id?

Validator doesn't currently enforce the issue/expiry times in the id token.

Original issue reported on code.google.com by [email protected] on 14 Feb 2013 at 9:07

Apologies if I'm using the APIs incorrectly, I can't find a clear guide to getting the authenticated user's email when supplied with their 'code' via the Identity Platform Javascript API's #grantOfflineAccess function (described here: https://developers.google.com/identity/sign-in/web/server-side-flow)

Once I've gotten that 'code' from the client, I send it to my server and use:

      secrets = Google::APIClient::ClientSecrets.load "config/gplus.json"`
      auth = secrets.to_authorization
      auth.code = params[:auth]
      auth.fetch_access_token!
      
      validator = GoogleIDToken::Validator.new(expiry: 1800)
      payload = validator.check(auth.id_token, secrets.client_id) `

but payload is nil. If I inspect the validator object, I can see the email I'm looking for and can access it with the following kludge:
validator.instance_variable_get('@tokens').first

But that seems wrong and brittle.

It seems like the master is in 1.3.1 in https://rubygems.org/gems/google-id-token/versions/1.3.1 is different from master. which is also label as 1.3.1.

We should bump the version of master to 1.3.2 and release it. Due to addition of classes for exceptions. GoogleIDToken::ValidationError is an undefined symbol.

The cert refresh logic should be smarter and throttle how often it fetches the certificates. As is, it is very easily exploitable as a DOS vector by sending JWTs signed with a random key. That would cause a cache miss and a call to fetch the certificates each time.