dart-archive / googleapis_auth

Obtain OAuth 2.0 credentials to access Google APIs
https://pub.dev/packages/googleapis_auth
BSD 3-Clause "New" or "Revised" License

Using googleapis_auth to validate client tokens? #48

Closed MoacirSchmidt closed 5 years ago

MoacirSchmidt commented 5 years ago

I'm using the google_sign_in.dart package to authenticate my Flutter client app with Google. After authentication I receive an idToken and an accessToken. How can I use the googleapis_auth library to validate these tokens server side?

I am NOT using any Google service API! I would only like to perform the token validation process.

jonasfj commented 5 years ago

I suspect you'll want to read: https://developers.google.com/identity/sign-in/web/backend-auth

If the client is sending an id_token to the server side in an authorization header, your application can call the tokeninfo endpoint: https://oauth2.googleapis.com/tokeninfo?id_token=<token>

```dart
import 'package:googleapis/oauth2/v2.dart';
import 'package:http/http.dart';

void main() async {
  final oauth = Oauth2Api(Client());
  final info = await oauth.tokeninfo(idToken: '<id-token from incoming request>');
  print("TODO: Check that ${info.audience} is your audience!!!");
  // Also read the other properties in the tokeninfo, and remember that
  // emails may change over time, but user_id is stable.
}
```

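
Added illustration, not part of the thread and not googleapis_auth code: the checks the TODO above points at, written against the JSON body the tokeninfo endpoint returns. The claim names (`aud`, `iss`, `exp`, `sub`) follow Google's ID token documentation; `checkTokenInfo`, the client IDs and the sample body are hypothetical and constructed for this example.

```dart
import 'dart:convert';

/// Issuer values Google documents for its ID tokens.
const googleIssuers = {'accounts.google.com', 'https://accounts.google.com'};

/// Returns the stable user id (`sub`) when the tokeninfo claims are acceptable
/// for [expectedAudience]; throws [FormatException] otherwise.
/// Hypothetical helper, not an API of googleapis or googleapis_auth.
String checkTokenInfo(Map<String, dynamic> claims, String expectedAudience,
    {DateTime? now}) {
  // A token minted for another client ID must never be accepted here.
  final aud = claims['aud'];
  if (aud is! String || aud != expectedAudience) {
    throw FormatException('token was issued for another client: $aud');
  }
  if (!googleIssuers.contains(claims['iss'])) {
    throw FormatException('unexpected issuer: ${claims['iss']}');
  }
  // tokeninfo returns numeric claims as strings; accept both forms.
  final exp = int.tryParse(claims['exp']?.toString() ?? '');
  final nowSec = (now ?? DateTime.now()).millisecondsSinceEpoch ~/ 1000;
  if (exp == null || exp <= nowSec) {
    throw FormatException('token expired or exp claim missing');
  }
  // Key user records on sub, not on email, which may change over time.
  final sub = claims['sub'];
  if (sub is! String || sub.isEmpty) {
    throw FormatException('missing sub claim');
  }
  return sub;
}

void main() {
  // Constructed sample of a tokeninfo response body; all values are made up.
  const body = '''
{"iss": "https://accounts.google.com", "sub": "110000000000000000001",
 "aud": "example-client-id.apps.googleusercontent.com",
 "exp": "1700003600", "email": "user@example.com"}''';
  final claims = jsonDecode(body) as Map<String, dynamic>;
  final now = DateTime.fromMillisecondsSinceEpoch(1700000000 * 1000, isUtc: true);

  print(checkTokenInfo(claims, 'example-client-id.apps.googleusercontent.com', now: now));
  try {
    // The same token presented to a backend with a different client ID is rejected.
    checkTokenInfo(claims, 'other-client-id.apps.googleusercontent.com', now: now);
  } on FormatException catch (e) {
    print('rejected: ${e.message}');
  }
}
```
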
MoacirSchmidt commented 5 years ago

I've already read that. The article says there are some libraries to validate tokens without the need for another HTTP request to Google/Facebook servers.

jonasfj commented 5 years ago

> The article says there are some libraries to validate tokens without the need for another HTTP request to Google/Facebook servers.

Yes, that's correct, unfortunately we don't seem to have the required RSA signature verification algorithm in Dart just yet.

There is a feature request for this here: https://github.com/dart-lang/tools/issues/304 (this is essential openid-connect token verification)


Personally, I would like to have some better crypto libraries for Dart, which would make this easy to do. But I suspect it might be a while before that happens.