google-api-go-client icon indicating copy to clipboard operation
google-api-go-client copied to clipboard

Published 20 hours ago verified publisher icon googleapis

Add ISS validation to the idToken validator

Open anton-kstnk opened this issue 2 years ago • 1 comments

In these docs I found the following line: The value of iss in the ID token is equal to accounts.google.com or https://accounts.google.com.

I couldn't find this check inside the go client lib.

anton-kstnk avatar Nov 03 '23 09:11 anton-kstnk

@anton-kstnk Thanks for reporting this. I agree that it looks like an omission in the idtoken Validator.

@codyoss Is there any reason why we shouldn't add this? Does this library support other issuers?

quartzmo avatar Nov 03 '23 19:11 quartzmo

Closing this in favor of https://github.com/googleapis/google-api-go-client/issues/2422 which goes into a little more detail on other possible validations as well. Thanks for raising this.

codyoss avatar Apr 24 '24 19:04 codyoss