Validating Google sign in ID token in Rust

Question

I'm interested in validating a Google ID token that is returned upon a successful Google Sign In attempt. I have a Rust based webapp where I:

Offer Google Sign in via Javascript, upon successful authentication, I get back, among other things, a Google ID token.
My Javascript code submits this Google ID token to my backend server (written in Rust) along with other info (i.e. user's account ID, current email etc).
I'd like to verify the integrity of this ID token via the directions cited in Google's official docs https://developers.google.com/identity/sign-in/web/backend-auth before I can "trust" that the submitted user's info (i.e. user's account ID, current email etc) is valid and is not a malicious request.
Example of what I'd like to achieve: Validate Google Id Token

What I've tried:

Thus far, I've attempt to use https://lib.rs/crates/google-signin with no luck, as I get the following error when attempting to use it as a dep:

cargo check
    Updating crates.io index
error: failed to select a version for the requirement `untrusted = "^0.5"`
candidate versions found which didn't match: 0.7.1, 0.7.0, 0.6.2
location searched: crates.io index
required by package `webpki-roots v0.10.0`
    ... which is depended on by `hyper-rustls v0.6.0`
    ... which is depended on by `google-signin v0.3.0`
    ... which is depended on by `<my project> v0.0.1 (<my project>)`

it appears that the crate's link to the repo is broken, so no ability to submit an Issue.

I've tried https://github.com/Byron/google-apis-rs but I can't seem to find useable code in the generated output.

What are folks using to validate ID tokens in Rust?

This Issue perfectly sums up what I am trying to do. https://github.com/Byron/google-apis-rs/issues/182 — seenickcode, Apr 26 '21 at 02:11
https://github.com/wyyerd/google-signin-rs here is the link to the repo of the first crate. It looks pretty dead and there's an issue stating the same problems regarding `untrusted` — sebpuetz, Apr 26 '21 at 07:51

score 1 · Answer 1 · answered Jul 15 '21 at 07:54

Unfortunately there is no official sdk for rust, and those 2 are also not good anyways since they use token retrospection endpoint to validate, so you will have a latency on each token validation.

Its better to fetch&cache jwks and validate locally, the best crate which I've found so far is https://crates.io/crates/jwks-client . I'm interested in Firebase ID tokens so the jwks url for that is https://www.googleapis.com/service_accounts/v1/jwk/securetoken@system.gserviceaccount.com . It works fine but has some critical limitations:

it does not auto-refresh keys, so you would need to implement a daemon which would fetch keys periodically. This is very important since from my experience google does rotate jwks quite often.
its not thread-safe, since underlying key store is a simple vector, so you would need to extend it a bit

Also https://medium.com/@maylukas/firebase-token-authentication-in-rust-a1885f0982df seems to be a pretty informative guide

Validating Google sign in ID token in Rust

1 Answers1