Validating an id_token should avoid making network requests when possible #218
i.e. google.oauth2.id_token.verify_oauth2_token should cache public keys. Otherwise, there's not much benefit to using this over the tokeninfo endpoint, despite numerous claims in official documentation to the contrary.
https://developers.google.com/identity/sign-in/web/backend-auth#calling-the-tokeninfo-endpoint
https://developers.google.com/identity/protocols/OpenIDConnect#validatinganidtoken

Since this is the flagship Google auth library for python, it would be excellent to have this implemented.

Also, it would be great to have more documentation around the usage of verify_oauth2_token in the project -- several documentation pages link to https://google-auth.readthedocs.io for id_token validation, but there's no visible information about it. Copying the example code in https://developers.google.com/identity/sign-in/web/backend-auth#using-a-google-api-client-library would be a great start!

p.s. I know it's way easier to ask for features than to do them -- would you be open to accepting PRs for each of these? I'd be willing to contribute the code if it'd be considered.

Comments

For reference,

Yes. Caching the certificates was always intended, we just didn't feel the need to do it before 1.0.

Fwiw, because we use requests, users can use things like requests-cache or httpcache and it'll "just work".

Good point! Looks like cache invalidation wouldn't be handled in the case of

Hmm, Python HTTP library caching support looks to be all over the place. Since For Since it seems to me that it's only really practical to implement it for

I think 3 is definitely the simplest, but 2 doesn't seem that bad considering the APIs for transport initialization already differ. I guess 3 is easy enough to start with :)

Yeah, it'd be great to start with (3), which gives us a clear implementation strategy for (2). I would definitely want cachecontrol to be an optional dependency. Do you want to take on sending a PR for (3)? I'm happy to review/help.

Yeah 😄 already took a stab at it, was cleaning it up but got sidetracked by Thanksgiving.

Awesome.

Closed by #224.
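The issue asks that verify_oauth2_token stop fetching Google's public certificates on every call, and the maintainers' answer (option 3) was to let callers wrap the requests session with cachecontrol, which honours the certs endpoint's Cache-Control max-age. The block below is an added, self-contained illustration of what that caching buys and where it must still invalidate; it is not google-auth's or cachecontrol's code. The transport is a counting stand-in for the HTTP callable google-auth passes around, the URL, key ids and certificate strings are constructed placeholders, and the refetch-once-on-unknown-kid behaviour (so a key rotation is picked up before the cached copy expires) is a design choice made here, not something the thread specifies.

```python
import re
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed sample payloads: key ids and certificate strings are placeholders,
# not real Google certs. A real certs endpoint returns a {kid: PEM} mapping.
SAMPLE_CERTS_V1 = {"kid-1": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-1\n-----END CERTIFICATE-----"}
SAMPLE_CERTS_V2 = {"kid-2": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-2\n-----END CERTIFICATE-----"}
CERTS_URL = "https://certs.example.invalid/oauth2/v1/certs"  # placeholder URL


@dataclass
class FakeResponse:
    status: int
    data: Dict[str, str]
    headers: Dict[str, str]


class CountingTransport:
    """Stand-in for the HTTP transport callable; counts how often the network is hit."""

    def __init__(self, payload: Dict[str, str], max_age: int):
        self.payload = payload
        self.max_age = max_age
        self.calls = 0

    def __call__(self, url: str) -> FakeResponse:
        self.calls += 1
        cache_control = f"public, max-age={self.max_age}" if self.max_age > 0 else "no-store"
        return FakeResponse(200, dict(self.payload), {"Cache-Control": cache_control})


def parse_max_age(cache_control: Optional[str]) -> Optional[int]:
    """max-age seconds from a Cache-Control header; 0 for no-store/no-cache; None if absent."""
    if not cache_control:
        return None
    for directive in cache_control.split(","):
        d = directive.strip().lower()
        if d in ("no-store", "no-cache"):
            return 0
        m = re.fullmatch(r"max-age=(\d+)", d)
        if m:
            return int(m.group(1))
    return None


class CachedCertFetcher:
    """Caches the certs document per URL until the server-declared max-age expires."""

    def __init__(self, transport: Callable[[str], FakeResponse],
                 clock: Callable[[], float] = time.monotonic):
        self._transport = transport
        self._clock = clock
        self._cache: Dict[str, Tuple[Dict[str, str], float]] = {}

    def fetch(self, url: str) -> Dict[str, str]:
        entry = self._cache.get(url)
        now = self._clock()
        if entry is not None and entry[1] > now:
            return entry[0]                      # still fresh: no network request
        response = self._transport(url)
        if response.status != 200:
            raise RuntimeError(f"certs fetch failed: HTTP {response.status}")
        max_age = parse_max_age(response.headers.get("Cache-Control"))
        if max_age:
            self._cache[url] = (response.data, now + max_age)
        else:
            self._cache.pop(url, None)           # no-store or no header: never cache
        return response.data

    def invalidate(self, url: str) -> None:
        self._cache.pop(url, None)


def lookup_signing_cert(kid: str, fetcher: CachedCertFetcher, url: str) -> str:
    """Key-lookup step of id_token verification. An unknown kid drops the cached copy and
    refetches once, so a key rotation is noticed without waiting for expiry (choice made here)."""
    certs = fetcher.fetch(url)
    if kid not in certs:
        fetcher.invalidate(url)
        certs = fetcher.fetch(url)
    if kid not in certs:
        raise ValueError(f"no certificate for kid {kid!r}")
    return certs[kid]


class FakeClock:
    """Controllable clock so expiry can be exercised without sleeping."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def demo() -> Dict[str, int]:
    """Counts network calls across repeated verifications; returns the counts."""
    clock = FakeClock()
    transport = CountingTransport(SAMPLE_CERTS_V1, max_age=3600)
    fetcher = CachedCertFetcher(transport, clock=clock)
    for _ in range(5):                           # five tokens verified while the cache is fresh
        lookup_signing_cert("kid-1", fetcher, CERTS_URL)
    calls_while_fresh = transport.calls
    clock.now += 3601                            # past max-age: exactly one refetch expected
    lookup_signing_cert("kid-1", fetcher, CERTS_URL)
    calls_after_expiry = transport.calls
    transport.payload = SAMPLE_CERTS_V2          # server rotated keys: unknown kid forces a refetch
    lookup_signing_cert("kid-2", fetcher, CERTS_URL)
    calls_after_rotation = transport.calls
    return {"fresh": calls_while_fresh, "expired": calls_after_expiry, "rotated": calls_after_rotation}


if __name__ == "__main__":
    print(demo())
```

Run as a script, demo() shows one network request serving five verifications, a second only once max-age has elapsed, and a third when an unseen kid appears. The refetch-on-unknown-kid path is the invalidation case the thread worried a generic HTTP cache would not cover; with a plain requests-cache or cachecontrol wrapper, a token signed by a freshly rotated key keeps failing until the cached certs document expires on its own, so a verifier that relies on such a wrapper should expect that window rather than assume rotation is instant.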