// GetGoogleUser verifies a Google-issued ID token and returns the user
// information carried in its claims.
//
// The token must carry exactly one header whose kid selects a single key from
// googleKeys; when no cached key matches, the key set is refreshed once via
// updateGoogleKeys before giving up. The selected key is used to check the
// signature while the claims are decoded, after which issuer, audience and
// validity window are validated against the current time.
//
// Returns a non-nil error when the token cannot be parsed, when the header or
// key selection is ambiguous, when the signature check fails, or when the
// standard claims do not validate.
func GetGoogleUser(ctx context.Context, idToken string) (*GoogleUser, error) {
	span := trace.FromContext(ctx).NewChild("trythings.google_user.GetGoogleUser")
	defer span.Finish()

	parsed, parseErr := jwt.ParseSigned(idToken)
	if parseErr != nil {
		return nil, parseErr
	}

	// Exactly one header is required: it carries the kid that selects the
	// verification key, and with several headers it is unclear which to use.
	if len(parsed.Headers) != 1 {
		return nil, errors.New("expected exactly one token header")
	}
	kid := parsed.Headers[0].KeyID

	// NOTE(review): a token with an unknown kid triggers a key-set refresh, so
	// untrusted input drives a network round-trip here — confirm that
	// updateGoogleKeys throttles or caches refreshes.
	candidates := googleKeys.Key(kid)
	if len(candidates) == 0 {
		if refreshErr := updateGoogleKeys(ctx); refreshErr != nil {
			return nil, refreshErr
		}
		candidates = googleKeys.Key(kid)
	}
	// Exactly one key must match; with several it is ambiguous which one is
	// meant to verify the signature.
	if len(candidates) != 1 {
		return nil, errors.New("expected exactly one key matching kid")
	}
	signingKey := candidates[0]

	var claims struct {
		jwt.Claims
		GoogleUser
	}
	// The key is what Claims checks the signature against before decoding.
	// NOTE(review): the (dest, key) argument order here differs from the
	// (key, dest...) order used by later go-jose jwt releases — confirm it
	// matches the vendored version.
	if claimsErr := parsed.Claims(&claims, signingKey.Key); claimsErr != nil {
		return nil, claimsErr
	}

	// The issuer may be given with or without the https:// scheme; pin the
	// expected value to whichever form the token uses, so only these two exact
	// strings are accepted.
	issuer := "accounts.google.com"
	if strings.HasPrefix(claims.Issuer, "https://") {
		issuer = "https://accounts.google.com"
	}

	// Audience is the OAuth client ID this backend accepts; Time enables the
	// expiry / not-before checks against the current clock.
	expected := jwt.Expected{
		Issuer:   issuer,
		Audience: []string{"695504958192-8k3tf807271m7jcllcvlauddeqhbr0hg.apps.googleusercontent.com"},
		Time:     time.Now(),
	}
	if validateErr := claims.Validate(expected); validateErr != nil {
		return nil, validateErr
	}

	return &claims.GoogleUser, nil
}
// ExampleParseSigned parses a compact-serialized signed token, decodes its
// standard claims using sharedKey for the signature check, and prints the
// issuer and subject.
func ExampleParseSigned() {
	const raw = `eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJpc3N1ZXIiLCJzdWIiOiJzdWJqZWN0In0.gpHyA1B1H6X4a4Edm9wo7D3X2v3aLSDBDG2_5BzXYe0`
	token, parseErr := jwt.ParseSigned(raw)
	if parseErr != nil {
		panic(parseErr)
	}

	// The key is what Claims checks the signature against before decoding.
	var claims jwt.Claims
	if claimsErr := token.Claims(sharedKey, &claims); claimsErr != nil {
		panic(claimsErr)
	}
	fmt.Printf("iss: %s, sub: %s\n", claims.Issuer, claims.Subject)
	// Output: iss: issuer, sub: subject
}
// ExampleJSONWebToken_Claims_map decodes a signed token's claims into a
// generic map instead of a typed struct, then prints the iss and sub entries.
func ExampleJSONWebToken_Claims_map() {
	const raw = `eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJpc3N1ZXIiLCJzdWIiOiJzdWJqZWN0In0.gpHyA1B1H6X4a4Edm9wo7D3X2v3aLSDBDG2_5BzXYe0`
	token, parseErr := jwt.ParseSigned(raw)
	if parseErr != nil {
		panic(parseErr)
	}

	// With a map destination the claims are keyed by their raw JSON names.
	claims := map[string]interface{}{}
	if claimsErr := token.Claims(sharedKey, &claims); claimsErr != nil {
		panic(claimsErr)
	}

	fmt.Printf("iss: %s, sub: %s\n", claims["iss"], claims["sub"])
	// Output: iss: issuer, sub: subject
}
// ExampleJSONWebToken_Claims_multiple decodes one signed token into two
// destinations at once: the standard claims and a custom Scopes claim.
func ExampleJSONWebToken_Claims_multiple() {
	const raw = `eyJhbGciOiJIUzI1NiJ9.eyJTY29wZXMiOlsiZm9vIiwiYmFyIl0sImlzcyI6Imlzc3VlciIsInN1YiI6InN1YmplY3QifQ.esKOIsmwkudr_gnfnB4SngxIr-7pspd5XzG3PImfQ6Y`
	token, parseErr := jwt.ParseSigned(raw)
	if parseErr != nil {
		panic(parseErr)
	}

	// Claims accepts several destinations; each is filled from the same
	// verified payload.
	var (
		std    jwt.Claims
		custom struct{ Scopes []string }
	)
	if claimsErr := token.Claims(sharedKey, &std, &custom); claimsErr != nil {
		panic(claimsErr)
	}
	scopes := strings.Join(custom.Scopes, ",")
	fmt.Printf("iss: %s, sub: %s, scopes: %s\n", std.Issuer, std.Subject, scopes)
	// Output: iss: issuer, sub: subject, scopes: foo,bar
}
// ExampleClaims_Validate_withParse parses and signature-checks a token, then
// validates its standard claims against an expected issuer and subject.
func ExampleClaims_Validate_withParse() {
	const raw = `eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJpc3N1ZXIiLCJzdWIiOiJzdWJqZWN0In0.gpHyA1B1H6X4a4Edm9wo7D3X2v3aLSDBDG2_5BzXYe0`
	token, parseErr := jwt.ParseSigned(raw)
	if parseErr != nil {
		panic(parseErr)
	}

	var claims jwt.Claims
	if claimsErr := token.Claims(sharedKey, &claims); claimsErr != nil {
		panic(claimsErr)
	}

	// Only issuer and subject are pinned. Expected.Time is left unset here, so
	// this example applies no expiry / not-before check; callers validating
	// real tokens should set Time (e.g. time.Now()) as well.
	expected := jwt.Expected{
		Issuer:  "issuer",
		Subject: "subject",
	}
	if validateErr := claims.Validate(expected); validateErr != nil {
		panic(validateErr)
	}

	fmt.Printf("valid!")
	// Output: valid!
}