Are you assuming Google's idToken will be signed with a specific algorithm?

[mvpmvh]

https://github.com/aubm/golang-google-sign-in/blob/master/app.go#L29

here you hard-code a signing algorithm. How do you know that is the correct algorithm?

[mvpmvh]

I'm guessing you just assumed Google will always use RSA256 based upon https://www.googleapis.com/oauth2/v3/certs