googleapis / google-api-nodejs-client

Google's officially supported Node.js client library for accessing Google APIs. Support for authorization and authentication with OAuth 2.0, API Keys and JWT (Service Tokens) is included.
https://googleapis.dev/nodejs/googleapis/latest/
Apache License 2.0

google-api-nodejs-client JWT Verification #1624

Closed ryancampag closed 3 years ago

ryancampag commented 5 years ago

Hangouts Chat has recently switched over to sending JWT tokens for authorization in HTTP requests that are dispatched to bots, and they are encouraging their users to migrate to using these instead of the static tokens they had before.

There are a couple of samples for the Java and Python clients located in the dev docs here: https://developers.google.com/hangouts/chat/how-tos/bots-develop#verifying_bot_authenticity

I can't figure out how to do what we're doing in Node.js, without manually querying for public keys, handling the token's key-id, etc.

Specifically, the Java and Python libraries both support a URL input for the issuer. This is especially useful in our case for 2 reasons: 1) We aren't verifying against Google's token, but a service account, and 2) The service account has multiple keys, dependent on the key id (kid) in the token headers.

So then my questions are: 1) Is this already supported in the Node.js client, and I'm just missing it? 2) If not, are there plans for feature parity with the Java/Python OAuth2 libraries, or should we try to construct a sample that manually fetches the keys, compares the key id to get the right key, etc.?

Thanks for your thoughts!

martinlarosa commented 5 years ago

I would also like to know the answer to this; I'm stuck trying to integrate a Botkit bot with Hangouts because of this. Any luck, @ryancampag?

ryancampag commented 5 years ago

I haven't personally written a successful solution to this. However, you could just query the public key and handle the kid field manually. It doesn't seem like there's support for this in the nodejs client at this point.

martinlarosa commented 5 years ago

Is there a chance that you could point me to an example of how to do this? Or a lead on what to investigate. I'm not very familiar with this.
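The manual approach described in this thread (select the key by the token's `kid`, then verify the signature and the claims), as an added example that is not code from any participant or from the googleapis project. It uses only Node's built-in `crypto` module; the key-set shape (`{ kid: PEM }`), the placeholder issuer and audience values, and the names `verifyJwt`, `signSample` and `demo` are assumptions, and the keys are generated locally instead of being fetched.

```javascript
const crypto = require('node:crypto');

const decodePart = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// keysByKid: { kid: PEM }, the shape assumed here for the issuer's published key set.
function verifyJwt(token, keysByKid, { issuer, audience, now = Date.now() / 1000 }) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [headerB64, payloadB64, sigB64] = parts;
  const header = decodePart(headerB64);
  // Pin the algorithm: the token must not choose it ("none", HS256 confusion).
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  // Own properties only, so a kid such as "__proto__" resolves to nothing.
  if (typeof header.kid !== 'string' || !hasOwn(keysByKid, header.kid)) throw new Error('unknown kid');
  const signed = Buffer.from(`${headerB64}.${payloadB64}`);
  const sig = Buffer.from(sigB64, 'base64url');
  if (!crypto.verify('RSA-SHA256', signed, keysByKid[header.kid], sig)) throw new Error('bad signature');
  // Claims are read only after the signature has been verified.
  const claims = decodePart(payloadB64);
  if (claims.iss !== issuer) throw new Error('wrong issuer');
  if (claims.aud !== audience) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  return claims;
}

// Constructed sample: locally generated keys stand in for the service account's keys.
function signSample(claims, kid, privateKey) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  const input = `${enc({ alg: 'RS256', typ: 'JWT', kid })}.${enc(claims)}`;
  return `${input}.${crypto.sign('RSA-SHA256', Buffer.from(input), privateKey).toString('base64url')}`;
}

function demo() {
  const [a, b] = [0, 1].map(() => crypto.generateKeyPairSync('rsa', { modulusLength: 2048 }));
  const pem = (pair) => pair.publicKey.export({ type: 'spki', format: 'pem' });
  const keys = { 'key-a': pem(a), 'key-b': pem(b) };
  // Placeholder issuer and audience, not real service-account values.
  const opts = { issuer: 'issuer@example.invalid', audience: 'example-audience' };
  const claims = { iss: opts.issuer, aud: opts.audience, exp: Math.floor(Date.now() / 1000) + 300 };
  const outcome = (t) => { try { verifyJwt(t, keys, opts); return 'ok'; } catch (e) { return e.message; } };
  return {
    valid: outcome(signSample(claims, 'key-b', b.privateKey)),
    wrongKey: outcome(signSample(claims, 'key-a', b.privateKey)), // kid names a key that did not sign
    unknownKid: outcome(signSample(claims, 'key-z', b.privateKey)),
    expired: outcome(signSample({ ...claims, exp: 1 }, 'key-a', a.privateKey)),
  };
}
console.log(demo());
```

In a real handler the key set would be fetched from the issuer's key URL and cached, with a refresh when an unknown `kid` appears, since keys rotate.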

fhinkel commented 3 years ago

Greetings, we're closing this due to inactivity. Please let us know if the issue needs to be reopened.

shlasouski commented 3 years ago

Please read the "Verifying Google Chat request in NodeJS" post. I would greatly appreciate any feedback!