Documentation
Overview
Package idtoken provides utilities for creating authenticated transports with ID Tokens for Google HTTP APIs. It also provides methods to validate Google-issued ID tokens.
Constants
This section is empty.
Variables
This section is empty.
Functions
func NewClient
NewClient creates an HTTP client that automatically adds an ID token to each request via an Authorization header. The token will have the audience provided and be configured with the supplied options. The audience parameter must not be empty.
func NewTokenSource
func NewTokenSource(ctx context.Context, audience string, opts ...ClientOption) (oauth2.TokenSource, error)
NewTokenSource creates a TokenSource that returns ID tokens with the audience provided and configured with the supplied options. The audience parameter must not be empty.
Example (SetAuthorizationHeader)
package main

import (
	"context"
	"net/http"

	"google.golang.org/api/idtoken"
)

func main() {
	ctx := context.Background()
	audience := "http://example.com"
	ts, err := idtoken.NewTokenSource(ctx, audience)
	if err != nil {
		// TODO: Handle error.
	}
	token, err := ts.Token()
	if err != nil {
		// TODO: Handle error.
	}
	req, err := http.NewRequest(http.MethodGet, audience, nil)
	if err != nil {
		// TODO: Handle error.
	}
	token.SetAuthHeader(req)
}
Types
type ClientOption
type ClientOption = option.ClientOption
ClientOption is for configuring a Google API client or transport.
func WithCredentialsFile
func WithCredentialsFile(filename string) ClientOption
WithCredentialsFile returns a ClientOption that authenticates API calls with the given service account or refresh token JSON credentials file.
func WithCredentialsJSON
func WithCredentialsJSON(p []byte) ClientOption
WithCredentialsJSON returns a ClientOption that authenticates API calls with the given service account or refresh token JSON credentials.
func WithCustomClaims
func WithCustomClaims(customClaims map[string]interface{}) ClientOption
WithCustomClaims optionally specifies custom private claims for an ID token.
func WithHTTPClient
func WithHTTPClient(client *http.Client) ClientOption
WithHTTPClient returns a ClientOption that specifies the HTTP client to use as the basis of communications. This option may only be used with services that support HTTP as their communication transport. When used, the WithHTTPClient option takes precedence over all other supplied options.
type Payload
type Payload struct {
	Issuer   string                 `json:"iss"`
	Audience string                 `json:"aud"`
	Expires  int64                  `json:"exp"`
	IssuedAt int64                  `json:"iat"`
	Subject  string                 `json:"sub,omitempty"`
	Claims   map[string]interface{} `json:"-"`
}
Payload represents a decoded payload of an ID Token.
func ParsePayload (added in v0.141.0)
ParsePayload parses the given token and returns its payload.
Warning: This function does not validate the token prior to parsing it.
ParsePayload is primarily meant to be used to inspect a token's payload. This is useful when validation fails and the payload needs to be inspected.
Note: A successful Validate() invocation with the same token will return an identical payload.
type Validator
type Validator struct {
// contains filtered or unexported fields
}
Validator provides a way to validate Google ID Tokens with a user provided http.Client.
func NewValidator
func NewValidator(ctx context.Context, opts ...ClientOption) (*Validator, error)
NewValidator creates a Validator that uses the options provided to configure the internal http.Client that will be used to make requests to fetch JWKs.
func (*Validator) Validate
func (v *Validator) Validate(ctx context.Context, idToken string, audience string) (*Payload, error)
Validate validates the provided idToken with a known Google cert URL. If audience is not empty, the audience claim of the token is validated; an empty audience skips that check. Upon successful validation, a parsed token Payload is returned, allowing the caller to validate any additional claims.
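The following is an added example, not part of the package documentation: one way to run the additional claim checks on the Payload that a successful Validate call returns. The local Payload type mirrors the page's idtoken.Payload so the block builds with the standard library only; CheckCaller, the audience URL and the email address are hypothetical, and the payload in main is constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// Payload mirrors idtoken.Payload's fields so the example needs no module (assumption).
type Payload struct {
	Issuer, Audience, Subject string
	Claims                    map[string]interface{}
}

// Issuer values carried by Google-issued ID tokens.
var googleIssuers = map[string]bool{
	"accounts.google.com":         true,
	"https://accounts.google.com": true,
}

// CheckCaller (hypothetical helper) checks extra claims on a payload returned by Validate.
func CheckCaller(p *Payload, wantAudience, wantEmail string) error {
	// Validate only checks aud for a non-empty audience, so refuse an empty one.
	if p == nil || wantAudience == "" {
		return errors.New("payload and expected audience are required")
	}
	if p.Audience != wantAudience {
		return fmt.Errorf("audience %q not accepted", p.Audience)
	}
	if !googleIssuers[p.Issuer] {
		return fmt.Errorf("issuer %q not accepted", p.Issuer)
	}
	// A missing or wrongly typed claim yields the zero value and is rejected.
	email, _ := p.Claims["email"].(string)
	verified, _ := p.Claims["email_verified"].(bool)
	if email == "" || !verified {
		return errors.New("email claim missing or not verified")
	}
	if email != wantEmail {
		return fmt.Errorf("caller %q not authorized", email)
	}
	return nil
}

func main() {
	// Constructed payload standing in for the result of Validate.
	p := &Payload{Issuer: "https://accounts.google.com", Audience: "https://svc.example.com",
		Claims: map[string]interface{}{"email": "caller@example.com", "email_verified": true}}
	fmt.Println(CheckCaller(p, "https://svc.example.com", "caller@example.com"))
}
```

In real code, pass the fields of the *idtoken.Payload returned by Validate, and never the result of ParsePayload, which is not validated.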