This is the Go client library for Google Identity Toolkit services. Documentation is at http://godoc.org/github.com/google/identity-toolkit-go-client/gitkit

The gitkit package provides convenient utilities for websites to integrate with the Google Identity Toolkit service.

See more at https://developers.google.com/identity-toolkit

To use the Identity Toolkit Go client:
```go
package main

import (
	"context"
	"log"
	"net/http"

	"github.com/google/identity-toolkit-go-client/gitkit"
)

// clientID is the OAuth2 web client ID for your server.
const clientID string = "123.apps.googleusercontent.com"

var client *gitkit.Client

func handleSignIn(w http.ResponseWriter, r *http.Request) {
	// If there is no valid session, check the Identity Toolkit ID token.
	ts := client.TokenFromRequest(r)
	token, err := client.ValidateToken(context.Background(), ts, []string{clientID})
	if err != nil {
		// Not a valid token. Reject the request and stop here so the
		// sign-in code below never runs for an unauthenticated caller.
		http.Error(w, "invalid token", http.StatusUnauthorized)
		return
	}
	// Token is valid and it contains the user account information
	// including user ID, email address, etc.
	// Issue your own session cookie to finish the sign in.
	_ = token // Use the token's account information when creating the session.
}

func main() {
	// Provide configuration. gitkit.LoadConfig() can also be used to load
	// the configuration from a JSON file.
	config := &gitkit.Config{
		WidgetURL:  "http://localhost/gitkit",
		CookieName: "gtoken",
	}
	var err error
	client, err = gitkit.New(context.Background(), config)
	if err != nil {
		// Handle error. Without a client no token can be validated.
		log.Fatal(err)
	}
	// Provide HTTP handler.
	http.HandleFunc("/signIn", handleSignIn)
	// Start the server.
	log.Fatal(http.ListenAndServe(":8080", nil))
}
```
The integration with Google App Engine is similar, except that the context variable should be created from the request, i.e., appengine.NewContext(r):
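```go
import (
	"context"
	"log"
	"net/http"

	"github.com/google/identity-toolkit-go-client/gitkit"
	"google.golang.org/appengine"
)

// clientID is the OAuth2 web client ID for your server.
const clientID string = "123.apps.googleusercontent.com"

// googleAppCredentialsPath is a placeholder: set it to the path of your
// service account JSON key file for the local dev server.
const googleAppCredentialsPath = "path/to/service-account-key.json"

var client *gitkit.Client

func handleSignIn(w http.ResponseWriter, r *http.Request) {
	// If there is no valid session, check the Identity Toolkit ID token.
	ts := client.TokenFromRequest(r)
	token, err := client.ValidateToken(appengine.NewContext(r), ts, []string{clientID})
	if err != nil {
		// Not a valid token. Reject the request and stop here so the
		// sign-in code below never runs for an unauthenticated caller.
		http.Error(w, "invalid token", http.StatusUnauthorized)
		return
	}
	// Token is valid and it contains the user account information
	// including user ID, email address, etc.
	// Issue your own session cookie to finish the sign in.
	_ = token // Use the token's account information when creating the session.
}

func init() {
	// Provide configuration. gitkit.LoadConfig() can also be used to load
	// the configuration from a JSON file.
	config := &gitkit.Config{
		WidgetURL:  "http://localhost/gitkit",
		CookieName: "gtoken",
	}
	// Set the JSON key file path if running dev server in local.
	if appengine.IsDevAppServer() {
		config.GoogleAppCredentialsPath = googleAppCredentialsPath
	}
	var err error
	client, err = gitkit.New(context.Background(), config)
	if err != nil {
		// Handle error. Without a client no token can be validated.
		log.Fatal(err)
	}
	// Provide HTTP handler. App Engine serves the registered handlers
	// itself, so init must not block in http.ListenAndServe.
	http.HandleFunc("/signIn", handleSignIn)
}
```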
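Both sign-in handlers above stop at the comment "Issue your own session cookie to finish the sign in." One way to do that step with only the standard library, shown as an added example that is not part of the gitkit package or the original README: the cookie name `session`, the key `sessionKey`, and the functions `sign`, `newSessionCookie` and `verifySession` are assumptions, and the user ID is taken to be the one from the validated token.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/http"
	"strconv"
	"strings"
	"time"
)

// sessionKey is a constructed placeholder; use a random secret from your secret store.
var sessionKey = []byte("constructed-demo-key-not-for-production")

// sign returns the base64url HMAC-SHA256 of payload under sessionKey.
func sign(payload string) string {
	m := hmac.New(sha256.New, sessionKey)
	m.Write([]byte(payload))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// newSessionCookie signs userID (assumed: the ID from the validated token) plus an expiry.
func newSessionCookie(userID string, now time.Time, ttl time.Duration) *http.Cookie {
	exp := now.Add(ttl)
	payload := base64.RawURLEncoding.EncodeToString([]byte(userID)) + "." + strconv.FormatInt(exp.Unix(), 10)
	return &http.Cookie{
		Name: "session", Value: payload + "." + sign(payload), Path: "/", Expires: exp,
		HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode,
	}
}

// verifySession returns the user ID only if the MAC matches and the session has not expired.
func verifySession(value string, now time.Time) (string, bool) {
	parts := strings.Split(value, ".")
	if len(parts) != 3 || !hmac.Equal([]byte(sign(parts[0]+"."+parts[1])), []byte(parts[2])) {
		return "", false
	}
	exp, expErr := strconv.ParseInt(parts[1], 10, 64)
	id, idErr := base64.RawURLEncoding.DecodeString(parts[0])
	if expErr != nil || idErr != nil || now.Unix() >= exp {
		return "", false
	}
	return string(id), true
}

func main() { // demo with a constructed user ID
	fmt.Println(verifySession(newSessionCookie("local-id-123", time.Now(), time.Hour).Value, time.Now()))
}
```

In a handler, call `http.SetCookie(w, newSessionCookie(...))` after `ValidateToken` succeeds, and call `verifySession` on later requests before trusting the cookie.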
The client also provides other methods to help manage user accounts. For example, to validate the token and also fetch the account information from the Identity Toolkit service:

```go
user, err := client.UserByToken(ctx, token, []string{clientID})
```

or:

```go
user, err := client.UserByEmail(ctx, email)
```

or:

```go
user, err := client.UserByLocalID(ctx, localID)
```

To update or delete the account information of a user:

```go
err := client.UpdateUser(ctx, user)
err := client.DeleteUser(ctx, user)
```
The Go client uses Google Application Default Credentials to access the Identity Toolkit APIs that require authentication. The credentials returned are determined by the environment the code is running in. Conditions are checked in the following order:

- The environment variable GOOGLE_APPLICATION_CREDENTIALS is checked. If this variable is specified, it should point to a file that defines the credentials. The simplest way to get a credential for this purpose is to create a service account using the Google Developers Console in the section APIs & Auth, in the sub-section Credentials. Create a service account or choose an existing one and select Generate new JSON key. Set the environment variable to the path of the JSON file downloaded.
- If you have installed the Google Cloud SDK on your machine and have run the command gcloud auth login, your identity can be used as a proxy to test code calling APIs from that machine.
- If you are running in Google App Engine production, the built-in service account associated with the application will be used.
- If you are running in Google Compute Engine production, the built-in service account associated with the virtual machine instance will be used.
- If none of these conditions is true, an error will occur.

If Application Default Credentials doesn't work for your use case, you can set GoogleAppCredentialsPath in the config to the JSON key file path.