google-api-go-client

Support multiple audience client IDs in idToken validator

Open anton-kstnk opened this issue 2 years ago • 1 comment

I was going through the idToken validation docs here: https://developers.google.com/identity/sign-in/web/backend-auth and all the code examples suggest that there is a possibility of multiple clientIDs (aka audience) validation, i.e. in Java:

    GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(transport, jsonFactory)
        // Specify the CLIENT_ID of the app that accesses the backend:
        .setAudience(Collections.singletonList(CLIENT_ID))
        // Or, if multiple clients access the backend:
        //.setAudience(Arrays.asList(CLIENT_ID_1, CLIENT_ID_2, CLIENT_ID_3))
        .build();

This seems not to be supported by the Golang client:

    func (v *Validator) validate(ctx context.Context, idToken string, audience string) (*Payload, error)

    if audience != "" && payload.Audience != audience {
        return nil, fmt.Errorf("idtoken: audience provided does not match aud claim in the JWT")
    }

I see 2 possible options for such an implementation:

  1. Create a new validate function that handles an array of strings.
  2. Inside the existing function, check whether the audience string can be split on a comma delimiter and create an array to be processed afterwards, assuming that the user can pass a string of comma-separated audiences.

anton-kstnk avatar Nov 03 '23 09:11 anton-kstnk

@anton-kstnk Thank you for pointing out this issue in the idtoken package. I agree that it appears the API should probably be expanded to accommodate multiple audience values. My preference would be for a variadic or array/slice input. I think we should avoid splitting the string.

In the meantime, the page you linked shows a simple workaround for the Python library that I believe would also serve for Go:

    # Specify the CLIENT_ID of the app that accesses the backend:
    idinfo = id_token.verify_oauth2_token(token, requests.Request(), CLIENT_ID)

    # Or, if multiple clients access the backend server:
    # idinfo = id_token.verify_oauth2_token(token, requests.Request())
    # if idinfo['aud'] not in [CLIENT_ID_1, CLIENT_ID_2, CLIENT_ID_3]:
    #     raise ValueError('Could not verify audience.')

quartzmo avatar Nov 03 '23 19:11 quartzmo
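The workaround described in the comment above, written in Go as an added example that is not part of this thread or of google-api-go-client. `Payload` and the `Validator` interface are stand-ins that mirror the `idtoken` package's `(*Validator).Validate` signature so the code runs offline; `fakeValidator` and the token strings are constructed for the example. The important detail it handles is that passing an empty audience disables the library's own check, so the wrapper must fail closed on an empty allow list and compare the `aud` claim itself.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Payload stands in for idtoken.Payload; only the field used here is kept.
type Payload struct{ Audience string }

// Validator mirrors the signature of (*idtoken.Validator).Validate. With
// audience == "" the library skips its own aud check, so the wrapper does it itself.
type Validator interface {
	Validate(ctx context.Context, idToken string, audience string) (*Payload, error)
}

// ValidateAnyAudience verifies the token through v (signature, issuer, expiry) and
// then requires the aud claim to equal one of the allowed client IDs. An empty
// allow list is rejected so a misconfiguration cannot accept every audience.
func ValidateAnyAudience(ctx context.Context, v Validator, idToken string, allowed []string) (*Payload, error) {
	if len(allowed) == 0 {
		return nil, errors.New("idtoken: no allowed audiences configured")
	}
	payload, err := v.Validate(ctx, idToken, "")
	if err != nil {
		return nil, err
	}
	for _, aud := range allowed {
		if aud != "" && payload.Audience == aud {
			return payload, nil
		}
	}
	return nil, fmt.Errorf("idtoken: aud claim %q is not an allowed audience", payload.Audience)
}

// fakeValidator is a constructed stand-in mapping a token to its verified payload.
type fakeValidator map[string]*Payload

func (f fakeValidator) Validate(_ context.Context, idToken, _ string) (*Payload, error) {
	if p, ok := f[idToken]; ok {
		return p, nil
	}
	return nil, errors.New("idtoken: signature invalid")
}
func main() {
	v := fakeValidator{"tok-web": {Audience: "web-client-id"}}
	_, err := ValidateAnyAudience(context.Background(), v, "tok-web", []string{"ios-client-id", "web-client-id"})
	fmt.Println("accepted:", err == nil) // prints "accepted: true"
}
```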