package googleidtokenverifier
import (
"crypto"
"crypto/rsa"
"crypto/sha256"
"time"
)
// googleIssuers holds the only values accepted for a token's "iss" claim.
// Both the bare-host and the https-prefixed spelling are accepted; Verify
// compares the claim against these entries by exact string equality, with
// no case folding or URL normalization.
var googleIssuers = []string{
	"accounts.google.com",
	"https://accounts.google.com",
}
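// Verify checks that token is a Google-issued ID token minted for clientID
// and returns its claim set.
//
// The checks run in this order:
//  1. the RSA-SHA256 (PKCS#1 v1.5) signature over the token's signing input
//     validates against the Google certificate whose ID matches the token's
//     "kid" header (ErrPublicKeyNotFound if no such certificate is listed);
//  2. the "aud" claim equals clientID exactly (ErrBadClientID otherwise);
//  3. the "iss" claim is one of googleIssuers (ErrBadIssuer otherwise);
//  4. the "exp" claim lies strictly in the future (ErrExpired otherwise).
//
// Errors from decodeJwtToken, listCerts and the signature check are returned
// unchanged. The returned claims are only trustworthy when err is nil.
//
// NOTE(review): only aud, iss and exp are validated here; there is no
// "iat"/"nbf" check and no clock-skew allowance. Whether the "alg" header is
// pinned to RS256 depends on decodeJwtToken, which is not shown — confirm it
// rejects every other algorithm, since this function always verifies with
// RSA and would otherwise silently accept a mismatched header.
func Verify(token string, clientID string) (*ClaimSet, error) {
	header, claims, toBeSigned, theirSignature, err := decodeJwtToken(token)
	if err != nil {
		return nil, err
	}

	certs, err := listCerts()
	if err != nil {
		return nil, err
	}
	pubKey, ok := certs.Keys[header.Kid]
	if !ok {
		return nil, ErrPublicKeyNotFound
	}

	// Step 1: verify signature. Nothing in the claims is trusted until the
	// signature over the signing input checks out against Google's key.
	digest := sha256.Sum256(toBeSigned)
	if err := rsa.VerifyPKCS1v15(&pubKey, crypto.SHA256, digest[:], theirSignature); err != nil {
		return nil, err
	}

	// Step 2: verify aud. A validly signed Google token for some other client
	// must not be accepted here, so the audience is compared exactly.
	if claims.Aud != clientID {
		return nil, ErrBadClientID
	}

	// Step 3: verify issuer (exact match against the accepted spellings).
	issuerFound := false
	for _, issuer := range googleIssuers {
		if issuer == claims.Iss {
			issuerFound = true
			break
		}
	}
	if !issuerFound {
		return nil, ErrBadIssuer
	}

	// Step 4: verify expiry time. RFC 7519 §4.1.4 requires the current time
	// to be strictly before "exp", so the token is rejected at the exp
	// instant itself, not only after it. If exp is absent and decodes as the
	// zero value, time.Unix(0, 0) is in 1970 and the token is rejected as well.
	expTime := time.Unix(claims.Exp, 0)
	if !time.Now().Before(expTime) {
		return nil, ErrExpired
	}

	return &claims, nil
}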