Google-Oauth is a server-side verification library for Google oauth2.
Google-Oauth can help you to verify id_token or access_token which is generated from Google.
To import Google-Oauth to your project, please add this line into your Cargo.toml.
[dependencies]
google-oauth = { version = "1" }If you decided to use async function, please select an async runtime. Here are some options for you:
We use tokio in our example, and refactor our main function like this:
#[tokio::main]
// #[async_std::main] // when you use [async-std]
// #[actix_web::main] // when you use [actix-web]
async fn main() {}You can get your client_id from Google Admin Console (or somewhere else), and an id_token has been provided from
your user. They are all string-like. Use the following code to do verification:
use google_oauth::AsyncClient;
#[tokio::main]
async fn main() {
let client_id = "your client id";
let id_token = "the id_token";
let client = AsyncClient::new(client_id);
/// or, if you want to set the default timeout for fetching certificates from Google, e.g, 30 seconds, you can:
/// ```rust
/// let client = AsyncClient::new(client_id).timeout(time::Duration::from_sec(30));
/// ```
let payload = client.validate_id_token(id_token).await.unwrap(); // In production, remember to handle this error.
// When we get the payload, that mean the id_token is valid.
// Usually we use `sub` as the identifier for our user...
println!("Hello, I am {}", &payload.sub);
// If you have multiple client ids, you can:
let client = AsyncClient::new_with_vec(vec![client_id]);
// The validation fails when the id_token matches NONE of the provided client ids.
}Do verification without any client id
When no client_id is provided for AsyncClient, cliend_id will not be used when validating id_token. In this case, AsyncClient will accept all client_id. However, Google issuer (iss), expiration (exp) and JWT hash CAN NOT be skipped.
Sometimes, Google will return an access_token instead of id_token. Google-Oauth still provides API for validate
access_token from Google.
Note: when validating access_token, we don't matter the client_id. So if you just need to validate access_token,
you can simply pass an empty client_id, just like this:
use google_oauth::AsyncClient;
#[tokio::main]
async fn main() {
let access_token = "the access_token";
let client = AsyncClient::new("");
let payload = client.validate_access_token(access_token).await.unwrap(); // In production, remember to handle this error.
// When we get the payload, that mean the id_token is valid.
// Usually we use `sub` as the identifier for our user...
println!("Hello, I am {}", &payload.sub);
}Warning: the result of access_token is different from the result of id_token, although they have a same field sub.
For full example, please view ./example/async_client/
For validating id_token, Google may use these two kinds of hash algorithm to generate JWTs:
- RS256
- ES256
However, I cannot find any approach to get a valid ES256 token, and as a result, I remained a unimplemented branch,
and return an Err if the JWT is ES256 hashed.
Feel free to create a new issue if you have an example. PR is welcome.
Google-Oauth also provides a blocking client. You need to enable blocking feature:
[dependencies]
google-oauth = { version = "1", features = ["blocking"] }You can use google_oauth::Client to validate tokens:
use google_oauth::Client;
fn main() {
let client_id = "your client id";
let id_token = "the id_token";
let client = Client::new(client_id);
let payload = client.validate_id_token(id_token).unwrap();
println!("Hello, I am {}", &payload.sub);
}For full example, please view ./examples/blocking/
Google-Oauth supports wasm, feature wasm is required.
[dependencies]
google-oauth = { version = "1", features = ["wasm"] }You can build this library with wasm-pack build --features wasm. (cargo install wasm-pack to install first.)
If you need to import wasm into your project, you can use google_oauth::Client to run async functions.
default: enableAsyncClient.blocking: enableClient.wasm: disableAsyncClientandClient(blocking), enableClient(wasm).reqwest-rustls: use rustls as the TLS backend of the Reqwest client