google-jwt-signin

Crates.io: google-jwt-signin
lib.rs: google-jwt-signin
version: 0.5.4
created_at: 2024-03-24 21:36:43.089196+00
updated_at: 2025-06-07 15:13:03.523247+00
description: Verify ID tokens for Google SSO
repository: https://github.com/guapodero/google-jwt-signin
id: 1184756
size: 72,402
Daniel James Baumann (guapodero)

README

Google ID token verification

A simple way to authenticate users. A fork of https://crates.io/crates/google-jwt-verify focused on minimal code size.

Given a client ID and a JSON web token generated by the sign-in process, the library verifies the token using the steps described here: https://developers.google.com/identity/gsi/web/reference/html-reference#server-side
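
The claim checks from Google's server-side verification steps, as an added example that is not this crate's code. The names Claims, Reject and check_claims and the sample values are assumptions, and the signature is assumed to have been verified already against Google's JSON web keys.

```rust
// Added example, not this crate's code. `Claims`, `Reject` and `check_claims`
// are hypothetical names. Assumes the token's signature was already verified
// against Google's JSON web keys; only the claim checks are shown.

#[derive(Debug, PartialEq)]
pub enum Reject { WrongAudience, WrongIssuer, Expired, WrongHostedDomain }

pub struct Claims<'a> {
    pub aud: &'a str,
    pub iss: &'a str,
    pub exp: u64,            // expiry, seconds since the Unix epoch
    pub hd: Option<&'a str>, // hosted domain; absent for consumer accounts
}

const ISSUERS: [&str; 2] = ["accounts.google.com", "https://accounts.google.com"];

pub fn check_claims(
    c: &Claims<'_>,
    client_id: &str,
    now: u64,
    required_hd: Option<&str>,
) -> Result<(), Reject> {
    // A token minted for a different client ID must never be accepted.
    if c.aud != client_id {
        return Err(Reject::WrongAudience);
    }
    if !ISSUERS.iter().any(|i| *i == c.iss) {
        return Err(Reject::WrongIssuer);
    }
    if now >= c.exp {
        return Err(Reject::Expired);
    }
    // Only enforced when the application restricts sign-in to one domain.
    if required_hd.is_some() && c.hd != required_hd {
        return Err(Reject::WrongHostedDomain);
    }
    Ok(())
}

fn main() {
    // Constructed sample values.
    let c = Claims { aud: "my-app.example", iss: "accounts.google.com", exp: 1_700_003_600, hd: None };
    println!("{:?}", check_claims(&c, "my-app.example", 1_700_000_000, None));
    println!("{:?}", check_claims(&c, "my-app.example", 1_700_000_000, Some("example.com")));
}
```

Passing these checks only authenticates the user; deciding whether that user may access the application is a separate step.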

Google's JSON web keys are automatically fetched and cached according to the returned Cache-Control headers. Most requests to verify a token through this library will not wait for an HTTP request.

Features

  • blocking (default): uses ureq
  • async: uses tokio

For the sake of build simplicity, this crate does not support native TLS. ring is used for TLS when fetching signing keys and also for signature verification. Read about the ring security audit here.

Quick Start

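// Assumption: Client, IdPayload and Token are exported from the crate root.
use google_jwt_signin::{Client, IdPayload, Token};

// If you don't have a client ID, get one from here: https://console.developers.google.com/
let client_id = "37772117408-qjqo9hca513pdcunumt7gk08ii6te8is.apps.googleusercontent.com";
let token = "..."; // Obtain a signed token from Google
let client = Client::new(&client_id);
// Verifies the token; `?` requires an enclosing function that returns a Result.
let id_token = client.verify_id_token(&token)?;
let greeting = authorize_token(&id_token);

// Use the authenticated token to authorize.
// TEST_USERS is the application's own allow-list of e-mail addresses, defined elsewhere.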
fn authorize_token(token: &Token<IdPayload>) -> Option<String> {
    match token {
        Token {
            payload: payload @ IdPayload {
                email: Some(email), ..
            },
            ..
        } if TEST_USERS.contains(&email.as_str()) => {
            Some(format!("hello {}", payload.name.as_ref().unwrap_or(email)))
        }
        _ => None,
    }
}

Issues

Be aware that Google's OAuth implementation is not well documented. The list of test users in the OAuth consent screen does not constitute an authorization whitelist (other users will also be granted access). See this issue tracker for further details.

Development

New issues are welcome for discussion. If it's a feature request, best to agree on whether it belongs here before starting to work on a PR.

When running the tests, be sure to include the async feature: cargo test --features=async.

Commit count: 55