The google-id-token gem is deprecated. Its functionality is now available in the googleauth gem.
See:
Automatically exported from code.google.com/p/google-id-token
License: Apache License 2.0
The validator itself isn't thread safe due to the use of @problem to report back status. This requires creating a new instance each time (or at least being very careful in other ways.) Creating multiple instances however partially defeats the built-in caching of certificates.
Could use a refactoring to better separate out the certificate loading/caching from the validator. It's partially there in that a list of certs can be passed in to the validator, but that leaves a lot of implementation in the hands of users of the lib.
Should be a more complete solution than what is offered.
I'm planning to use this gem within an authentication scheme. While I can get the email address, the other information on the "subject" is missing. See https://developers.google.com/identity/sign-in/ios/backend-auth for details.
Will take a look on the implementation side now.
Recent change to the JWT spec allows the audience field (aud) to be a string or
array of strings. While Google's tokens aren't changing any time soon, still
good to have the correct logic in place just in case :)
Original issue reported on code.google.com by [email protected] on 14 Feb 2013 at 9:09
It seems like Google has forgotten to release updates for this gem. This is the same problem as #15, but again. Can someone at Google bump this?
After scouring the docs, there doesn't seem to be ANY other officially recommended way to validate tokens from the frontend on a ruby backend. I've been scratching my head for several hours here. There's no link in the docs to any kind of entry in the modern ruby gapi clients.
https://github.com/google/google-id-token/blob/master/lib/google-id-token.rb#L115
This line needs to be:
decoded_token = JWT.decode(token, public_key, true, algorithm: "RS256")
See: jwt/ruby-jwt#107
Released gem 1.4.1 has too strict a file permission, which results in an error loading it, for example in containerized environments:
ls -al /home/wojtek/.rbenv/versions/2.4.1/lib/ruby/gems/2.4.0/gems/google-id-token-1.4.1/lib/google-id-token.rb
-rw-r----- 1 wojtek wojtek 5836 wrz 11 13:44 /home/wojtek/.rbenv/versions/2.4.1/lib/ruby/gems/2.4.0/gems/google-id-token-1.4.1/lib/google-id-token.rb
The 1.4.0 is fine:
ls -al /home/wojtek/.rbenv/versions/2.4.1/lib/ruby/gems/2.4.0/gems/google-id-token-1.4.0/lib/google-id-token.rb
-rw-r--r-- 1 wojtek wojtek 5809 wrz 11 13:21 /home/wojtek/.rbenv/versions/2.4.1/lib/ruby/gems/2.4.0/gems/google-id-token-1.4.0/lib/google-id-token.rb
I see in the comments here https://github.com/google/google-api-ruby-client/blob/master/samples/web/app.rb#L69 that this lib is not production ready? Is this true?
What is the suggested method of checking ID tokens if this is not the supported lib?
Thanks
It seems like the 1.3.1 release at https://rubygems.org/gems/google-id-token/versions/1.3.1 is different from master, which is also labeled as 1.3.1.
We should bump the version of master to 1.3.2 and release it, due to the addition of classes for exceptions. GoogleIDToken::ValidationError is an undefined symbol.
A new major revision has been released and its API changed.
Original issue reported on code.google.com by [email protected] on 12 Jun 2014 at 3:55
I do the following simple validation in my Rails (4.2.10) backend:
validator = GoogleIDToken::Validator.new
begin
  firebase_project_id = 'auth-test-****'
  payload = validator.check(token, firebase_project_id, firebase_project_id)
rescue GoogleIDToken::ValidationError => e
  raise "Cannot validate: #{e}"
end
I use the project id of my firebase project as the audience and client id – which I assume is the way it is supposed to be. The token was created on the client by signing in with Google Firebase Authentication.
I can decode the token fine with a general JWT library and inserting Google's public keys manually. So the token seems to be correct.
Is this a bug or am I calling the validator in a weird way? Why does it always throw an exception even with a valid token and valid project id?
The cert refresh logic should be smarter and throttle how often it fetches the certificates. As is, it is very easily exploitable as a DOS vector by sending JWTs signed with a random key. That would cause a cache miss and a call to fetch the certificates each time.
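One way to throttle the refresh described in the issue above, as an added example that is not code from the gem or from the issue's author. `ThrottledCertCache`, its injected `fetcher` and `clock`, and the lookup by key id are assumptions made for illustration; the cache is also a separate, lock-protected object, so several validator instances could share it.

```ruby
# Added example: hypothetical ThrottledCertCache, not part of google-id-token.
class ThrottledCertCache
  attr_reader :fetch_count

  # fetcher: callable returning { kid => cert }; in real use it would fetch
  # the published certificates. clock: callable returning seconds.
  def initialize(fetcher:, min_refresh_interval: 60, max_age: 3600,
                 clock: -> { Process.clock_gettime(Process::CLOCK_MONOTONIC) })
    @fetcher = fetcher
    @min_refresh_interval = min_refresh_interval
    @max_age = max_age
    @clock = clock
    @lock = Mutex.new
    @certs = {}
    @last_fetch = nil
    @fetch_count = 0
  end

  # Returns the cert for kid, or nil when the key id is unknown.
  def lookup(kid)
    @lock.synchronize do
      now = @clock.call
      refresh(now) if @last_fetch.nil? || now - @last_fetch >= @max_age
      # On a miss the key may have rotated, so refetch, but at most once
      # per min_refresh_interval no matter how many unknown kids arrive.
      refresh(now) if !@certs.key?(kid) && now - @last_fetch >= @min_refresh_interval
      @certs[kid]
    end
  end

  private

  def refresh(now)
    @last_fetch = now # recorded first, so a failing fetch is throttled too
    @fetch_count += 1
    @certs = @fetcher.call
  end
end

# Constructed scenario: a flood of tokens with unknown key ids, then a rotation.
def simulate_flood(requests)
  now = 0.0
  published = { 'kid-a' => 'CERT-A' } # constructed placeholder certs
  cache = ThrottledCertCache.new(fetcher: -> { published.dup }, clock: -> { now })
  requests.times { |i| cache.lookup("unknown-#{i}") }
  after_flood = cache.fetch_count
  published = { 'kid-b' => 'CERT-B' }
  now = 61.0
  [after_flood, cache.lookup('kid-b'), cache.fetch_count]
end
```

`simulate_flood(1000)` performs one fetch for the whole flood and a second one only after the interval has passed, which is when the rotated key becomes visible.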
Apologies if I'm using the APIs incorrectly, I can't find a clear guide to getting the authenticated user's email when supplied with their 'code' via the Identity Platform Javascript API's #grantOfflineAccess function (described here: https://developers.google.com/identity/sign-in/web/server-side-flow)
Once I've gotten that 'code' from the client, I send it to my server and use:
secrets = Google::APIClient::ClientSecrets.load "config/gplus.json"
auth = secrets.to_authorization
auth.code = params[:auth]
auth.fetch_access_token!
validator = GoogleIDToken::Validator.new(expiry: 1800)
payload = validator.check(auth.id_token, secrets.client_id)
but payload is nil. If I inspect the validator object, I can see the email I'm looking for and can access it with the following kludge:
validator.instance_variable_get('@tokens').first
But that seems wrong and brittle.
Validator doesn't currently enforce the issue/expiry times in the id token.
Original issue reported on code.google.com by [email protected] on 14 Feb 2013 at 9:07
How can you provide multiple client ids as per the google docs example here (note this is javascript code) https://developers.google.com/identity/sign-in/ios/backend-auth
const ticket = await client.verifyIdToken({
  idToken: token,
  audience: CLIENT_ID, // Specify the CLIENT_ID of the app that accesses the backend
  // Or, if multiple clients access the backend:
  //[CLIENT_ID_1, CLIENT_ID_2, CLIENT_ID_3]
});
I tried passing in an array as the second parameter when calling validator.check but that seems to not work.
When I pass just a single string, the code works fine. Else I get an error like so:
GoogleIDToken::AudienceMismatchError: Token audience mismatch
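The audience handling raised in this issue and in the earlier ones about `aud` being a string or an array and about issue/expiry times not being enforced, shown together as an added example that is not the gem's API or code from any of the reporters. `claim_problems`, its parameters and the sample client ids are hypothetical, and signature verification is assumed to have already succeeded.

```ruby
# Added example: hypothetical helper, not part of the google-id-token API.
# Returns a list of problems (empty when the claims are acceptable) instead
# of storing status on the validator object.
def claim_problems(payload, accepted_audiences:, now: Time.now.to_i, leeway: 60)
  problems = []

  # RFC 7519: "aud" is a single string or an array of strings; the token is
  # acceptable when at least one of its audiences is one we accept.
  aud = payload['aud']
  token_auds = aud.is_a?(Array) ? aud : [aud]
  accepted = Array(accepted_audiences)
  well_formed = token_auds.all? { |a| a.is_a?(String) }
  problems << 'audience mismatch' unless well_formed && (token_auds & accepted).any?

  # Enforce expiry and issue time, allowing `leeway` seconds of clock skew.
  exp = payload['exp']
  iat = payload['iat']
  if !exp.is_a?(Numeric)
    problems << 'missing exp'
  elsif now > exp + leeway
    problems << 'token expired'
  end
  if !iat.is_a?(Numeric)
    problems << 'missing iat'
  elsif iat > now + leeway
    problems << 'issued in the future'
  end
  problems
end

# Constructed payloads (placeholder client ids, fixed clock) for illustration.
NOW = 1_700_000_000
IDS = ['web.example', 'ios.example'].freeze
def sample_results
  [
    { 'aud' => 'ios.example', 'iat' => NOW - 10, 'exp' => NOW + 3590 },
    { 'aud' => ['other.example', 'web.example'], 'iat' => NOW - 10, 'exp' => NOW + 3590 },
    { 'aud' => 'other.example', 'iat' => NOW - 7200, 'exp' => NOW - 3600 },
    { 'iat' => NOW + 600, 'exp' => NOW + 4200 }
  ].map { |p| claim_problems(p, accepted_audiences: IDS, now: NOW) }
end
```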
Doesn't seem to work with 1.4.2
taken id_token params from .getAuthResponse() in client side and tested with
validator = GoogleIDToken::Validator.new
validator.check(token, client_id, secret)
Traceback (most recent call last):
2: from (irb):12
1: from (irb):12:in `rescue in irb_binding'
GoogleIDToken::ClientIDMismatchError (Token client-id mismatch)
gem.license = "Apache License 2.0"
Original issue reported on code.google.com by [email protected] on 12 May 2014 at 7:31
Hello! Just followed this on Stack Overflow: https://stackoverflow.com/questions/45262755/how-to-validate-google-token-id-sent-from-android-on-ruby-on-rails-server
validator = GoogleIDToken::Validator.new(expiry: 1800)
begin
  payload = validator.check(token, required_audience, required_client_id)
  email = payload['email']
rescue GoogleIDToken::ValidationError => e
  report "Cannot validate: #{e}"
end
but I'm getting an error: uninitialized constant JWT::ExpiredSignature
See:
https://code.google.com/p/google-id-token/source/browse/lib/google-id-token.rb#3
Need an ability to customize that URL.
Original issue reported on code.google.com by [email protected] on 24 Mar 2013 at 11:26
I am trying to parse the JWT ID token from my client ID. I parsed the token and got my required_audience and it is same as required_client_id. But,
payload = validator.check(token, required_audience, required_client_id)
This is always returning me nil. Any idea why?
I generated the token on Android using the following code:
// Configure Google Sign-In with the requestIdToken
GoogleSignInOptions googleSignInOptions = new GoogleSignInOptions.Builder(GoogleSignInOptions.DEFAULT_SIGN_IN)
        .requestIdToken(getString(R.string.server_client_id))
        .requestEmail()
        .build();
// Handle result
private void handleSignInResult(GoogleSignInResult result) {
    if (result.isSuccess()) {
        GoogleSignInAccount account = result.getSignInAccount();
        String tokenId = account.getIdToken();
    }
}
The token is indeed generated by Google. But, in Ruby, I get this error:
irb> validator.problem
=> "Token not verified as issued by Google"