Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

FR: Don't require constant connectivity to Google for verifying ID tokens #661

Open
juliusv opened this issue Dec 11, 2024 · 0 comments
Open

Comments

@juliusv
Copy link

juliusv commented Dec 11, 2024

The VerifyIDToken() method on the auth Client downloads Google's signing certificates from https://www.googleapis.com/robot/v1/metadata/x509/[email protected] in the background when verifying a user ID token.

Unfortunately, in some environments, connecting to Google is either unreliable or not directly possible. In my case, my Hetzner VServer's IPs get regularly blocked by Google (see https://bsky.app/profile/juliusv.com/post/3lczuagphbs2w), although verifying Firebase tokens is the only thing my backend does in terms of external connectivity. In this kind of situation, I would really like to have more control over the downloading of these certificates, for example some alternative means of providing the certificate externally without the SDK connecting directly to Google. Then at least I can manage around the IP blocks somehow.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants