id_token 是一个 jwt。我首先使用validating-google-sign-in-id-token-in-go 来检查令牌是否有效。
authService, err := oauth2.New(http.DefaultClient)
if err != nil {
return err
}
// check token is valid
tokenInfoCall := authService.Tokeninfo()
tokenInfoCall.IdToken(idToken)
ctx, cancelFunc := context.WithTimeout(context.Background(), 1*time.Minute)
defer cancelFunc()
tokenInfoCall.Context(ctx)
tokenInfo, er := tokenInfoCall.Do()
if err != nil {
// invalid token
}
然后我将id_token解析为jwt,将payload解码为json。
token, _, err := new(jwt.Parser).ParseUnverified(idToken, &TokenInfo{})
if tokenInfo, ok := token.Claims.(*TokenInfo); ok {
return tokenInfo, nil
} else {
// parse token.payload failed
}
// TokenInfo struct
type TokenInfo struct {
Iss string `json:"iss"`
// userId
Sub string `json:"sub"`
Azp string `json:"azp"`
// clientId
Aud string `json:"aud"`
Iat int64 `json:"iat"`
// expired time
Exp int64 `json:"exp"`
Email string `json:"email"`
EmailVerified bool `json:"email_verified"`
AtHash string `json:"at_hash"`
Name string `json:"name"`
GivenName string `json:"given_name"`
FamilyName string `json:"family_name"`
Picture string `json:"picture"`
Local string `json:"locale"`
jwt.StandardClaims
}
类似的值:
{
// These six fields are included in all Google ID Tokens.
"iss": "https://accounts.google.com",
"sub": "110169484474386276334",
"azp": "1008719970978-hb24n2dstb40o45d4feuo2ukqmcc6381.apps.googleusercontent.com",
"aud": "1008719970978-hb24n2dstb40o45d4feuo2ukqmcc6381.apps.googleusercontent.com",
"iat": "1433978353",
"exp": "1433981953",
// These seven fields are only included when the user has granted the "profile" and
// "email" OAuth scopes to the application.
"email": "testuser@gmail.com",
"email_verified": "true",
"name" : "Test User",
"picture": "https://lh4.googleusercontent.com/-kYgzyAWpZzJ/ABCDEFGHI/AAAJKLMNOP/tIXL9Ir44LE/s99-c/photo.jpg",
"given_name": "Test",
"family_name": "User",
"locale": "en"
}
然后我得到图片。