google-auth-library - 在 Python 中验证 google 的 ID token 太慢

Question

我正在用“https://developers.google.com/identity/sign-in/ios/backend-auth ”编码

token 是

eyJhbGciOiJSUzI1NiIsImtpZCI6IjI2ZmM0Y2QyM2QzODdjYmM0OTBmNjBkYjU0YTk0YTZkZDE2NTM5OTgiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJodHRwczovL2FjY291bnRzLmdvb2dsZS5jb20iLCJhenAiOiIzMjAzMTg3OTI4MTQtcXBnZ2ZscGYxNWhpN3NrbDUzbzR2aXA5cTdhb2QzOWYuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJhdWQiOiIzMjAzMTg3OTI4MTQtcXBnZ2ZscGYxNWhpN3NrbDUzbzR2aXA5cTdhb2QzOWYuYXBwcy5nb29nbGV1c2VyY29udGVudC5jb20iLCJzdWIiOiIxMDQwODQzNzYwMjYyNzczNTA0MDgiLCJlbWFpbCI6InVzNDAyNzY5NDExQDE2My5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiYXRfaGFzaCI6InlicUhLQlRPVVM5ZWJwS3FHVmZmcFEiLCJpYXQiOjE1NTYxODI0MTksImV4cCI6MTU1NjE4NjAxOX0.ABE-rltHIdEfxHwVHXMpcwg1HdoKarrGEcj2gqRAtegDpjelxdqnQslcA4V7nm_mZx_eqkw54FiWeDJ0Rif39kf-hUuBMJdjD4qOzKLqUbyjLgYTy0qi5zZ4vav95K6Y-LeOGTLOGWNiak9t1a3D1y9Xvub24r0t7dU9chqAp7aZnqW_995si_6oJwlPOQCMkfmhkUm9xeYyAWNRsJN6W2rUN41oFUN8KAboUhyjgQFnOdu85KzeDbll_m-HaFYEHh5FdzUnpgt79wKNtFXPnq000EYtHa4AvhtV9MoidMQCx0g02f1PEw4VvAGsQT6MN6Z4cJH-kGl8LHxZA1dslQ

我可以从 https://oauth2.googleapis.com/tokeninfo?id_token=TOKEN 获取数据


但是当我使用 Google API 客户端库时，我发现 id_token.verify_oauth2_token得到结果太慢了。
为什么？我的代码超出了:

from google.oauth2 import id_token
from google.auth.transport import requests

GOOGLE_CLIENT_ID = '320318792814-qpggflpf15hi7skl53o4vip9q7aod39f.apps.googleusercontent.com'

def auth_google(token):
    CLIENT_ID = GOOGLE_CLIENT_ID
    try:
        # Specify the CLIENT_ID of the app that accesses the backend:
        idinfo = id_token.verify_oauth2_token(token, requests.Request(), CLIENT_ID)
        print idinfo
        # Or, if multiple clients access the backend server:
        # idinfo = id_token.verify_oauth2_token(token, requests.Request())
        # if idinfo['aud'] not in [CLIENT_ID_1, CLIENT_ID_2, CLIENT_ID_3]:
        #     raise ValueError('Could not verify audience.')

        if idinfo['iss'] not in ['accounts.google.com', 'https://accounts.google.com']:
            raise ValueError('Wrong issuer.')

        # If auth request is from a G Suite domain:
        # if idinfo['hd'] != GSUITE_DOMAIN_NAME:
        #     raise ValueError('Wrong hosted domain.')

        # ID token is valid. Get the user's Google Account ID from the decoded token.
        auth_user_id = idinfo['sub']
        print auth_user_id
        return auth_user_id
    except ValueError:
        # Invalid token
        pass

Answer 1

我不确定 Google 的 API 客户端运行速度有多慢。但是，这可能是因为它首先获取 Google 的身份验证证书(每天提交一次)。基本上，由于网络调用而不是繁重的代码，它很慢。

无论哪种方式，尽量不要自己验证 token ，JWT 很容易出错。看看google-auth在 pypi 上，它们提供了简单的身份验证助手。