FR: Don't require constant connectivity to Google for verifying ID tokens

[juliusv]

trafficstars

The VerifyIDToken() method on the auth Client downloads Google's signing certificates from https://www.googleapis.com/robot/v1/metadata/x509/[email protected] in the background when verifying a user ID token.

Unfortunately, in some environments, connecting to Google is either unreliable or not directly possible. In my case, my Hetzner VServer's IPs get regularly blocked by Google (see https://bsky.app/profile/juliusv.com/post/3lczuagphbs2w), although verifying Firebase tokens is the only thing my backend does in terms of external connectivity. In this kind of situation, I would really like to have more control over the downloading of these certificates, for example some alternative means of providing the certificate externally without the SDK connecting directly to Google. Then at least I can manage around the IP blocks somehow.