google-app-engine - 如何验证JWT签名？(how to verify JWT signature?)

Question

I want to authenticate Android users with a Go AppEngine backend,

(我想使用Go AppEngine后端对Android用户进行身份验证，)

I can easily get an ID-token in Android by following http://android-developers.blogspot.co.il/2013/01/verifying-back-end-calls-from-android.html

(我可以通过遵循http://android-developers.blogspot.co.il/2013/01/verifying-back-end-calls-from-android.html轻松在Android中获取ID令牌)

the ID-token payload can be verified with the oauth2/v2 package of the https://code.google.com/p/google-api-go-client/ library.

(可以使用https://code.google.com/p/google-api-go-client/库的oauth2 / v2包来验证ID令牌有效负载。)

some installation tweaks are necessary for using it with AppEngine, I found some pointers at http://golangtutorials.blogspot.co.il/2011/11/using-external-api-in-go-appengine.html

(要与AppEngine一起使用，必须进行一些安装调整，我在http://golangtutorials.blogspot.co.il/2011/11/using-external-api-in-go-appengine.html中找到了一些指针)

according to the doc: "Verify Signature It turns out that this is signed using a Google public/private key pair, and Google publishes the public keys (which we change regularly) at www.googleapis.com/oauth2/v1/certs; go ahead and have a look.

(根据文档：“验证签名事实证明，这是使用Google公钥/私钥对签名的，Google会在www.googleapis.com/oauth2/v1/certs上发布公钥（我们会定期更改）；请转到向前看。)

You have to verify that the ID Token, which is actually a JSON Web Token, was signed with one of those certs.

(您必须验证ID令牌（实际上是JSON Web令牌）是否已使用这些证书之一签名。)

Fortunately, there are decent libraries around to do this;

(幸运的是，周围有不错的图书馆可以这样做。)

in this post, I'll give pointers for Java, Ruby, and PHP.

(在本文中，我将提供Java，Ruby和PHP的指针。)

The libraries can cache the Google certs and only refresh them when required, so the verification is (almost always) a fast static call."

(这些库可以缓存Google证书，并仅在需要时刷新它们，因此验证（几乎总是）是一个快速的静态调用。”)

how do I verify in Go that the token was signed by Google?

(如何在Go中验证令牌是由Google签名的？)

  ask by Gal Ben-Haim translate from so

Answer 1

this is what I ended up doing (using https://github.com/dgrijalva/jwt-go ):

(这就是我最终要做的（使用https://github.com/dgrijalva/jwt-go ）：)

package XXX

import (
    "errors"
    oauth2 "code.google.com/p/google-api-go-client/oauth2/v2"
    "jwt"
    "appengine"
    "appengine/urlfetch"
)

func getTokeninfo(c appengine.Context, token string) (*oauth2.Tokeninfo, error) {
    client := urlfetch.Client(c)

    oauth2Svc, err := oauth2.New(client) 

    if err != nil {
        return nil, err
    }

    return oauth2Svc.Tokeninfo().Id_token(token).Do()
}

func verifyToken(c appengine.Context, token string) (string, error) {
    parsedToken, err := jwt.Parse(token)

    if err != nil {
        c.Debugf(err.Error())
        return "", err
    }

    if parsedToken.Claims["aud"] != "XXX.apps.googleusercontent.com" {
        c.Debugf("aud mismatch")
        return "", errors.New("Aud mismatch")
    }

    if (parsedToken.Claims["azp"] != "XXX.apps.googleusercontent.com") && 
        (parsedToken.Claims["azp"] != "XXX.apps.googleusercontent.com") {

        c.Debugf("azp mismatch")
        return "", errors.New("Azp mismatch")
    }

    ti, err := getTokeninfo(c, token)

    if err != nil {
        c.Debugf(err.Error())
        return "", err
    }

    if (ti.Issued_to != "XXX.apps.googleusercontent.com") &&
        (ti.Issued_to != "XXX.apps.googleusercontent.com") {

        c.Debugf("cid mismatch")
        return "", errors.New("Client ID mismatch")
    }

    return ti.User_id, nil
}