3 unstable releases
| Version | Date |
|---|---|
| 0.5.0 | Mar 27, 2024 |
| 0.4.1 | Mar 25, 2024 |
| 0.4.0 | Mar 24, 2024 |
#604 in Authentication
111 downloads per month
33KB
724 lines
Google ID token verification
A simple way to authenticate users. A fork of https://crates.io/crates/google-jwt-verify focused on minimal code size.
Given a client ID and a JSON Web Token generated by the sign-in process, this crate verifies the token using the steps described here: https://developers.google.com/identity/gsi/web/reference/html-reference#server-side
Google's JSON web keys are automatically fetched and cached according to the returned Cache-Control headers. Most requests to verify a token through this library will not wait for an HTTP request.
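The caching behaviour described above, sketched as an added example using only the standard library; it is not this crate's own code. The names `KeyCache`, `max_age` and `MAX_TTL` are hypothetical, and the 24-hour cap on the cache lifetime is an assumption made for the example.

```rust
use std::time::{Duration, Instant};

// Assumed upper bound so an oversized max-age cannot pin stale keys.
const MAX_TTL: Duration = Duration::from_secs(86_400);

/// Freshness lifetime from a Cache-Control value. None means the response
/// must not be reused without a new request (no-store, no-cache, no max-age).
fn max_age(cache_control: &str) -> Option<Duration> {
    let mut age = None;
    for directive in cache_control.split(',') {
        let directive = directive.trim().to_ascii_lowercase();
        if directive == "no-store" || directive == "no-cache" {
            return None;
        }
        if let Some(v) = directive.strip_prefix("max-age=") {
            age = v.parse::<u64>().ok().map(Duration::from_secs);
        }
    }
    age.map(|d| d.min(MAX_TTL))
}

/// Hypothetical cache entry: the raw JWKS document plus its expiry time.
struct KeyCache {
    jwks: String,
    expires_at: Instant,
}

impl KeyCache {
    /// Store a fetched key set; an uncacheable response expires at once.
    fn store(jwks: &str, cache_control: Option<&str>, fetched_at: Instant) -> Self {
        let ttl = cache_control.and_then(max_age).unwrap_or(Duration::ZERO);
        KeyCache { jwks: jwks.to_string(), expires_at: fetched_at + ttl }
    }

    /// Return the keys only while fresh; None tells the caller to refetch.
    fn fresh_keys(&self, now: Instant) -> Option<&str> {
        if now < self.expires_at { Some(self.jwks.as_str()) } else { None }
    }
}

fn main() {
    // Constructed header value and empty key set, for illustration only.
    let header = "public, max-age=3600, must-revalidate, no-transform";
    let t0 = Instant::now();
    let cache = KeyCache::store("{\"keys\":[]}", Some(header), t0);
    println!("after 10 min: {:?}", cache.fresh_keys(t0 + Duration::from_secs(600)));
    println!("after 2 h: {:?}", cache.fresh_keys(t0 + Duration::from_secs(7200)));
}
```

Passing the clock in as `now` keeps the expiry logic testable; a verifier built this way only goes to the network when `fresh_keys` returns `None`.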
Features
For the sake of build simplicity, this crate chooses not to support native TLS. ring is used for TLS encryption when fetching signing keys and also for signature verification. Read about the ring security audit here.
Quick Start
```rust
// If you don't have a client ID, get one from here: https://console.developers.google.com/
let client_id = "37772117408-qjqo9hca513pdcunumt7gk08ii6te8is.apps.googleusercontent.com";
let token = "..."; // Obtain a signed token from Google
let client = Client::new(&client_id);
let id_token = client.verify_id_token(&token)?;
let greeting = authorize_token(&id_token);

// Use the authenticated token to authorize.
// TEST_USERS is defined by the application (not shown here): the e-mail
// addresses that are allowed access.
fn authorize_token(token: &Token<IdPayload>) -> Option<String> {
    match token {
        Token {
            payload: payload @ IdPayload {
                email: Some(email), ..
            },
            ..
        } if TEST_USERS.contains(&email.as_str()) => {
            Some(format!("hello {}", payload.name.as_ref().unwrap_or(email)))
        }
        _ => None,
    }
}
```
Issues
Be aware that Google's OAuth implementation is not well documented. The list of test users in the OAuth consent screen does not constitute an authorization whitelist (other users will also be granted access). See this issue tracker for further details.
Dependencies
~7–17MB
~326K SLoC