I have a Rails API with a variety of frontend clients.
I’m setting up Google Sign-in/up with OAuth2 (via Google Identity), and am having issues verifying the token that comes from Google - it seems simple with Python/Java/Node.js/PHP (see their docs), but with Ruby it is proving difficult.
For context, my basic flow is:
Authentication button gets clicked on the client.
User completes authentication with Google, who redirects the request back to my Rails API, with the user’s email and a token.
Rails API searches for existing user with that email; if they exist, we authenticate them. If not, we create a new user with that email and then authenticate them.
I’m trying to verify the token in order to make sure that the request isn’t fake, i.e. someone/something pretending to be Google.
I’ve tried hitting the endpoint directly using the jti field that comes back in the credential response from Google, i.e. https://oauth2.googleapis.com/tokeninfo?id_token=my_token_here, but it says it is invalid each time, even though I literally just received it from Google each time that I test it.
When I go to Google’s docs for verifying the token, the example for Python is extremely clear - but since there is no Ruby client, it leads me to the link “Use one of the Google API Client Libraries”, so I click on the Ruby one which takes me here, which then tells me that I should use the more modern clients. So then I bounce between those last two links, and within those GitHub repositories I’ve been unable to find anything useful.
I tried using this googleauth gem, but the only useful methods seem to be Google::Auth::IDTokens.verify_oidc(access_token) as well as Google::Auth::IDTokens.verify_iap(access_token), but both of those return saying it is an invalid token, and I’m not using OIDC (open ID connect) nor IAP (Identity-aware Proxy), as far as I know, so it makes sense that it returns as invalid.
Any help would be much appreciated - I’m sure other folks have had to verify tokens in a similar manner before using Ruby.