omniauth-google-id-token

I haven't update readme yet, please read source make sure you use right option.

lib/omniauth/strategies/google_id_token.rb

OmniAuth::GoogleIdToken

A omnitauth strategy primarily used for validating Google ID tokens (JWT encoded) generated by Google authentication servers. As with other Omniauth strategies, it can also redirect to Google's Sign In page.

As a validation strategy only this used by backend servers to validate Google ID tokens (Google authenticated users) passed on by mobile or webapps e.g. ios, Android, websites.

This makes use of google-id-token for validating the ID token.

Installation

Add this line to your application's Gemfile:

gem 'omniauth-google-id-token'

And then execute:

$ bundle

Or install it yourself as:

$ gem install omniauth-google-id-token

Usage

You use OmniAuth::Strategies::GoogleIdToken just like you do any other OmniAuth strategy:

Rails.application.config.middleware.use OmniAuth::Builder do
  provider :developer, :callback_path => "/nexus-api/auth/developer/callback", provider_ignores_state: true if Rails.env.development?
  # provider :google-oauth2, ENV['GOOGLE_CLIENT_ID'], ENV['GOOGLE_CLIENT_SECRET'], scope: 'email, profile', provider_ignores_state: true , :callback_path => "/nexus-api/auth/google-oauth2/callback"
    
  
  provider :'google-id-token', client_id: ENV['GOOGLE_CLIENT_ID']
  # or
  # to rename the provider
  use OmniAuth::Strategies::GoogleIdToken,name: "google-oauth2",  client_id: ENV['GOOGLE_CLIENT_ID']
  
  
end

OmniAuth.config.allowed_request_methods = %i[get post]

If this strategy is used primarily for validating a Google ID token, then the only required fields are aud_claim and azp_claim.

If this strategy is also used for redirecting a user to the Google Sign In page before validation, then a client_id is also required. An example of the URL can be found at https://developers.google.com/identity/protocols/OAuth2WebServer#handlingresponse Sample OAuth 2.0 server response section.

• name: The name of the strategy. The default name is google_id_token but it can be changed to any value, for example google. The OmniAuth URL will thus change to /auth/google and the provider key in the auth hash will then return google.
• uid_claim: this determines which claim will be used to uniquely identify the user. Defaults to sub
• client_id: The client ID string that you obtain from the API Console, as described in Obtain OAuth 2.0 credentials
• required_claims: array of claims that are required to make this a valid authentication call. Defaults to ['name', 'email']
• scope: array of request data in google api. Defaults to ['name', 'email', 'openid']
• info_map: array mapping claim values to info hash values. Defaults to mapping name and email to the same in the info hash.

Authentication Process

When you authenticate through omniauth-google-id-token you can send users to /auth/google-id-token and it will redirect them to the URL https://accounts.google.com/o/oauth2/auth (and example can be found at https://developers.google.com/identity/protocols/OAuth2WebServer#handlingresponse Sample OAuth 2.0 server response).

From there, Google generates a ID token and sends to the redirect_uri passed in URL query params. The redirect_uri will look like '/auth/google-id-token/callback`. This is the endpoint to send the id token to if coming from a mobile or web app looking to validate a user with the backend server:

/auth/google-id-token/callback?id_token=ENCODEDJWTGOESHERE

Contributing

• Fork it
• Create your feature branch (git checkout -b my-new-feature)
• Commit your changes (git commit -am 'Add some feature')
• Push to the branch (git push origin my-new-feature)
• Create new Pull Request