Support multiple audience client IDs in idToken validator #2247

Open
anton-kstnk opened this issue Nov 3, 2023 · 1 comment
Labels
priority: p3 Desirable enhancement or fix. May not be included in next release. type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design.

Comments

@anton-kstnk

I was going through the idToken validation docs here: https://developers.google.com/identity/sign-in/web/backend-auth and all the code examples suggest that there is a possibility of validating multiple client IDs (aka audiences), i.e. in Java:

    GoogleIdTokenVerifier verifier = new GoogleIdTokenVerifier.Builder(transport, jsonFactory)
        // Specify the CLIENT_ID of the app that accesses the backend:
        .setAudience(Collections.singletonList(CLIENT_ID))
        // Or, if multiple clients access the backend:
        //.setAudience(Arrays.asList(CLIENT_ID_1, CLIENT_ID_2, CLIENT_ID_3))
        .build();

This seems not to be supported by the Golang client:

    func (v *Validator) validate(ctx context.Context, idToken string, audience string) (*Payload, error)

    if audience != "" && payload.Audience != audience {
        return nil, fmt.Errorf("idtoken: audience provided does not match aud claim in the JWT")
    }

I see two possible options for such an implementation:

  1. Create a new validate function that handles an array of strings.
  2. Inside the existing function, check whether the audience string can be split on a comma delimiter and create an array that is processed afterwards, assuming that the user can pass a string of comma-separated audiences.
@anton-kstnk anton-kstnk added priority: p3 Desirable enhancement or fix. May not be included in next release. type: feature request ‘Nice-to-have’ improvement, new feature or different behavior or design. labels Nov 3, 2023
@quartzmo
Member

quartzmo commented Nov 3, 2023

@anton-kstnk Thank you for pointing out this issue in the idtoken package. I agree that it appears the API should probably be expanded to accommodate multiple audience values. My preference would be for a variadic or array/slice input. I think we should avoid splitting the string.

In the meantime, the page you linked shows a simple workaround for the Python library that I believe would also serve for Go:

    # Specify the CLIENT_ID of the app that accesses the backend:
    idinfo = id_token.verify_oauth2_token(token, requests.Request(), CLIENT_ID)

    # Or, if multiple clients access the backend server:
    # idinfo = id_token.verify_oauth2_token(token, requests.Request())
    # if idinfo['aud'] not in [CLIENT_ID_1, CLIENT_ID_2, CLIENT_ID_3]:
    #     raise ValueError('Could not verify audience.')
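The same workaround carried over to Go, as an added example that is not code from this issue or from the idtoken package. `Payload` and `ValidateFunc` are assumed stand-ins for `idtoken.Payload` and `idtoken.Validate` (so the block runs offline with the constructed `fakeValidate`); in real use you would pass `idtoken.Validate` from google.golang.org/api/idtoken as the validator. It also rejects an empty allow-list, which the one-line Python check does not guard against.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// Payload is a stand-in for idtoken.Payload (google.golang.org/api/idtoken),
// reduced to the one field this check needs.
type Payload struct{ Audience string }

// ValidateFunc has the shape of idtoken.Validate: an empty audience skips
// only the aud check; signature, issuer and expiry are still verified.
type ValidateFunc func(ctx context.Context, idToken, audience string) (*Payload, error)

var ErrNoAudience = errors.New("idtoken: at least one allowed audience is required")

// ValidateForAudiences mirrors the Python workaround: verify without an
// audience, then require aud to be in the allow-list. An empty allow-list is
// an error, since passing "" alone would accept a token minted for any client.
func ValidateForAudiences(ctx context.Context, validate ValidateFunc, idToken string, allowed []string) (*Payload, error) {
	if len(allowed) == 0 {
		return nil, ErrNoAudience
	}
	payload, err := validate(ctx, idToken, "")
	if err != nil {
		return nil, err
	}
	for _, aud := range allowed {
		if aud != "" && payload.Audience == aud {
			return payload, nil
		}
	}
	return nil, fmt.Errorf("idtoken: aud %q is not an allowed audience", payload.Audience)
}

// fakeValidate stands in for idtoken.Validate so the example runs offline: it
// accepts one constructed token and enforces the single-audience contract.
func fakeValidate(_ context.Context, idToken, audience string) (*Payload, error) {
	if idToken != "constructed-token" {
		return nil, errors.New("idtoken: invalid token")
	}
	p := &Payload{Audience: "client-2.apps.example"}
	if audience != "" && p.Audience != audience {
		return nil, errors.New("idtoken: audience provided does not match aud claim in the JWT")
	}
	return p, nil
}
```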
