GoogleCloudPlatform / go-endpoints

Cloud Endpoints for Go
https://go-endpoints.appspot.com
Apache License 2.0
255 stars 56 forks

The User ID (Subject) is not parsed from the JWT Token #52

Closed st3fan closed 9 years ago

st3fan commented 9 years ago

The JWT token has a sub (Subject) field that contains the Google Account ID. This is useful to have in endpoints since it is more stable than the email address.

x1ddos commented 9 years ago

@st3fan we had this discussed with @dhermes back in the days of its initial implementation in https://github.com/GoogleCloudPlatform/go-endpoints/pull/15#commitcomment-3370515

I know it's easy to add but may confuse users. There's also an open issue on the official bug tracker of App Engine: https://code.google.com/p/googleappengine/issues/detail?id=8848

Instead, maybe we could add a new method, something like endpoints.CurrentGoogleUser, leave CurrentUser as is and document the difference between the two.

@campoy any thoughts on this?

st3fan commented 9 years ago

@crhym3 Yeah you are probably right. What do you think of doing something a bit more low level and instead have something like endpoints.Claims()? That would return something like:

// Claims represents an IdToken response.
// https://developers.google.com/accounts/docs/OpenIDConnect#obtainuserinfo
type Claims struct {
    Subject             string `json:"sub"`
    Issuer              string `json:"iss"`
    Email               string `json:"email"`
    EmailVerified       bool   `json:"email_verified"`
    Audience            string `json:"aud"`
    IssuedAt            uint   `json:"iat"`
    ExpirationTime      uint   `json:"exp"`
    AccessTokenHash     string `json:"at_hash"`
    AuthorizedPresenter string `json:"azp"`
}

Then endpoints.CurrentGoogleUser can sit on top of that.
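As an added example (not code from the go-endpoints project or from this thread), assuming the raw token string comes from the request's Authorization header and that its signature has already been verified by the library's existing JWT check, here is how the proposed Claims struct could be filled from the payload segment and checked before Subject is used as the stable user ID:

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Claims mirrors the ID token payload fields proposed in this thread.
type Claims struct {
	Subject             string `json:"sub"`
	Issuer              string `json:"iss"`
	Email               string `json:"email"`
	EmailVerified       bool   `json:"email_verified"`
	Audience            string `json:"aud"`
	IssuedAt            uint   `json:"iat"`
	ExpirationTime      uint   `json:"exp"`
	AccessTokenHash     string `json:"at_hash"`
	AuthorizedPresenter string `json:"azp"`
}

// ParseClaims decodes a compact JWT's payload segment; the signature must already be verified.
func ParseClaims(token string) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("jwt: expected three dot-separated segments")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	c := new(Claims)
	return c, json.Unmarshal(raw, c)
}

// Validate checks issuer, audience (the configured client ID) and expiry before Subject is trusted.
func (c *Claims) Validate(audience string, now time.Time) error {
	switch {
	case strings.TrimPrefix(c.Issuer, "https://") != "accounts.google.com":
		return errors.New("jwt: unexpected issuer")
	case c.Audience != audience:
		return errors.New("jwt: audience mismatch")
	case now.Unix() >= int64(c.ExpirationTime):
		return errors.New("jwt: expired")
	}
	return nil
}
```

A CurrentGoogleUser helper would call ParseClaims, then Validate with the client ID the endpoint was configured for, and only then return Subject.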

x1ddos commented 9 years ago

:+1: Maybe we can then also eliminate signedJWT and just use Claims.

Would you modify #53 with Claims and CurrentGoogleUser? That would be awesome.

st3fan commented 9 years ago

@crhym3 Sure, I can try to find a little time between Christmas and New Year to hack on that.

campoy commented 9 years ago

Hey @st3fan, do you have any news on this? I'll be using this package for a course soon and I would like to make sure after this the API is as stable as possible :smile:

st3fan commented 9 years ago

Hi @campoy, maybe someone else can pick this up? I have abandoned the project that I was initially using this code for so it is difficult for me to work on this right now. Maybe @crhym3 has a better idea about what to do here?

x1ddos commented 9 years ago

Yeah, I'll take it.