Package: google.golang.org/api/idtoken

package idtoken Import Path google.golang.org/api/idtoken (on go.dev) Dependency Relation imports 23 packages, and imported by 2 packages

Involved Source Files cache.go compute.go d➜ doc.go Package idtoken provides utilities for creating authenticated transports with ID Tokens for Google HTTP APIs. It also provides methods to validate Google issued ID tokens. idtoken.go validate.go

Package-Level Type Names (total 11, in which 3 are exported)

/* sort exporteds by: alphabet | popularity */

type ClientOption = option.ClientOption (interface) ClientOption is for configuring a Google API client or transport.

type Payload (struct) Payload represents a decoded payload of an ID Token. Fields (total 6, all are exported) Audience string Claims map[string]interface{} Expires int64 IssuedAt int64 Issuer string Subject string As Outputs Of (at least 3, in which 2 are exported) func Validate(ctx context.Context, idToken string, audience string) (*Payload, error) func (*Validator).Validate(ctx context.Context, idToken string, audience string) (*Payload, error) /* at least one unexported ... *//* at least one unexported: */ func (*Validator).validate(ctx context.Context, idToken string, audience string) (*Payload, error)

type Validator (struct) Validator provides a way to validate Google ID Tokens with a user provided http.Client. Fields (only one, which is unexported) /* one unexported ... *//* one unexported: */ client *cachingClient Methods (total 4, in which 1 are exported) (*T) Validate(ctx context.Context, idToken string, audience string) (*Payload, error) Validate is used to validate the provided idToken with a known Google cert URL. If audience is not empty the audience claim of the Token is validated. Upon successful validation a parsed token Payload is returned allowing the caller to validate any additional claims. /* 3 unexporteds ... *//* 3 unexporteds: */ (*T) validate(ctx context.Context, idToken string, audience string) (*Payload, error) (*T) validateES256(ctx context.Context, keyID string, hashedContent []byte, sig []byte) error (*T) validateRS256(ctx context.Context, keyID string, hashedContent []byte, sig []byte) error As Outputs Of (at least one exported) func NewValidator(ctx context.Context, opts ...ClientOption) (*Validator, error) As Types Of (only one, which is unexported) /* one unexported ... *//* one unexported: */ var defaultValidator *Validator

/* 8 unexporteds ... *//* 8 unexporteds: */

type cachedResponse (struct) Fields (total 2, neither is exported) /* 2 unexporteds ... *//* 2 unexporteds: */ exp time.Time resp *certResponse

type cachingClient (struct) Fields (total 4, none are exported) /* 4 unexporteds ... *//* 4 unexporteds: */ certs map[string]*cachedResponse client *http.Client clock func() time.Time clock optionally specifies a func to return the current time. If nil, time.Now is used. mu sync.Mutex Methods (total 5, none are exported) /* 5 unexporteds ... *//* 5 unexporteds: */ (*T) calculateExpireTime(headers http.Header) time.Time calculateExpireTime will determine the expire time for the cache based on HTTP headers. If there is any difficulty reading the headers the fallback is to set the cache to expire now. (*T) get(url string) (*certResponse, bool) (*T) getCert(ctx context.Context, url string) (*certResponse, error) (*T) now() time.Time (*T) set(url string, resp *certResponse, headers http.Header) As Outputs Of (at least one unexported) /* at least one unexported ... *//* at least one unexported: */ func newCachingClient(client *http.Client) *cachingClient

type certResponse (struct) certResponse represents a list jwks. It is the format returned from known Google cert endpoints. Fields (only one, which is exported) Keys []jwk As Inputs Of (at least one unexported) /* at least one unexported ... *//* at least one unexported: */ func findMatchingKey(response *certResponse, keyID string) (*jwk, error)

type computeIDTokenSource (struct) Fields (only one, which is unexported) /* one unexported ... *//* one unexported: */ audience string Methods (only one, which is exported) ( T) Token() (*oauth2.Token, error) Implements (at least one exported) T : golang.org/x/oauth2.TokenSource

type jwk (struct) jwk is a simplified representation of a standard jwk. It only includes the fields used by Google's cert endpoints. Fields (total 9, all are exported) Alg string Crv string E string Kid string Kty string N string Use string X string Y string As Outputs Of (at least one unexported) /* at least one unexported ... *//* at least one unexported: */ func findMatchingKey(response *certResponse, keyID string) (*jwk, error)

type jwt (struct) jwt represents the segments of a jwt and exposes convenience methods for working with the different segments. Fields (total 3, none are exported) /* 3 unexporteds ... *//* 3 unexporteds: */ header string payload string signature string Methods (total 7, in which 1 are exported) (*T) String() string /* 6 unexporteds ... *//* 6 unexporteds: */ (*T) decodedHeader() ([]byte, error) decodedHeader base64 decodes the header segment. (*T) decodedPayload() ([]byte, error) decodedPayload base64 payload the header segment. (*T) decodedSignature() ([]byte, error) decodedPayload base64 payload the header segment. (*T) hashedContent() []byte hashedContent gets the SHA256 checksum for verification of the JWT. (*T) parsedHeader() (jwtHeader, error) parsedHeader returns a struct representing a JWT header. (*T) parsedPayload() (*Payload, error) parsedPayload returns a struct representing a JWT payload. Implements (at least 4, in which 2 are exported) *T : expvar.Var *T : fmt.Stringer /* 2+ unexporteds ... *//* 2+ unexporteds: */ *T : context.stringer *T : runtime.stringer As Outputs Of (at least one unexported) /* at least one unexported ... *//* at least one unexported: */ func parseJWT(idToken string) (*jwt, error)

type jwtHeader (struct) jwtHeader represents a parted jwt's header segment. Fields (total 3, all are exported) Algorithm string KeyID string Type string

type withCustomClaims (map) Methods (only one, which is exported) ( T) Apply(o *internal.DialSettings) Implements (at least one exported) T : google.golang.org/api/option.ClientOption

Package-Level Functions (total 16, in which 8 are exported)

func NewClient(ctx context.Context, audience string, opts ...ClientOption) (*http.Client, error) NewClient creates a HTTP Client that automatically adds an ID token to each request via an Authorization header. The token will have have the audience provided and be configured with the supplied options. The parameter audience may not be empty.

func NewTokenSource(ctx context.Context, audience string, opts ...ClientOption) (oauth2.TokenSource, error) NewTokenSource creates a TokenSource that returns ID tokens with the audience provided and configured with the supplied options. The parameter audience may not be empty.

func NewValidator(ctx context.Context, opts ...ClientOption) (*Validator, error) NewValidator creates a Validator that uses the options provided to configure a the internal http.Client that will be used to make requests to fetch JWKs.

func Validate(ctx context.Context, idToken string, audience string) (*Payload, error) Validate is used to validate the provided idToken with a known Google cert URL. If audience is not empty the audience claim of the Token is validated. Upon successful validation a parsed token Payload is returned allowing the caller to validate any additional claims.

func WithCredentialsFile(filename string) ClientOption WithCredentialsFile returns a ClientOption that authenticates API calls with the given service account or refresh token JSON credentials file.

func WithCredentialsJSON(p []byte) ClientOption WithCredentialsJSON returns a ClientOption that authenticates API calls with the given service account or refresh token JSON credentials.

func WithCustomClaims(customClaims map[string]interface{}) ClientOption WithCustomClaims optionally specifies custom private claims for an ID token.

func WithHTTPClient(client *http.Client) ClientOption WithHTTPClient returns a ClientOption that specifies the HTTP client to use as the basis of communications. This option may only be used with services that support HTTP as their communication transport. When used, the WithHTTPClient option takes precedent over all other supplied options.

/* 8 unexporteds ... *//* 8 unexporteds: */

func computeTokenSource(audience string, ds *internal.DialSettings) (oauth2.TokenSource, error) computeTokenSource checks if this code is being run on GCE. If it is, it will use the metadata service to build a TokenSource that fetches ID tokens.

func decode(s string) ([]byte, error)

func findMatchingKey(response *certResponse, keyID string) (*jwk, error)

func isServiceAccount(data []byte) error

func newCachingClient(client *http.Client) *cachingClient

func newTokenSource(ctx context.Context, audience string, ds *internal.DialSettings) (oauth2.TokenSource, error)

func parseJWT(idToken string) (*jwt, error)

func tokenSourceFromBytes(ctx context.Context, data []byte, audience string, ds *internal.DialSettings) (oauth2.TokenSource, error)

Package-Level Variables (total 2, neither is exported) /* 2 unexporteds ... *//* 2 unexporteds: */

var defaultValidator *Validator

var now func() time.Time now aliases time.Now for testing.

Package-Level Constants (total 3, none are exported) /* 3 unexporteds ... *//* 3 unexporteds: */

const es256KeySize int = 32

const googleIAPCertsURL string = "https://www.gstatic.com/iap/verify/public_key-jwk"

const googleSACertsURL string = "https://www.googleapis.com/oauth2/v3/certs"