Save id token #150

Open
OliverEvans96 opened this issue Feb 21, 2021 · 5 comments
Comments

@OliverEvans96 commented Feb 21, 2021

Hello!

I'm trying to use this library in a CLI with Google OAuth 2.0 using the installed flow to authenticate with my own backend. It seems like only the access token and expiration date are preserved. I'd like to get the id_token as well to send to the backend, as recommended here.

The id_token shows up in my logs here

yup-oauth2/src/installed.rs

Lines 199 to 202 in 28e27b6

```rust
let (head, body) = hyper_client.request(request).await?.into_parts();
let body = hyper::body::to_bytes(body).await?;
log::debug!("Received response; head: {:?} body: {:?}", head, body);
TokenInfo::from_json(&body)
```

but then it seems to be discarded immediately since TokenInfo has no id_token field.

yup-oauth2/src/types.rs

Lines 58 to 66 in be4faf9

```rust
#[derive(Clone, PartialEq, Debug, Deserialize, Serialize)]
pub(crate) struct TokenInfo {
    /// used when authenticating calls to oauth2 enabled services.
    pub(crate) access_token: String,
    /// used to refresh an expired access_token.
    pub(crate) refresh_token: Option<String>,
    /// The time when the token expires.
    pub(crate) expires_at: Option<DateTime<Utc>>,
}
```

Is this just a current limitation of the package? Beyond the scope of the package? Intentionally omitted? Am I attempting something naive?

Thanks,
Oliver

@dermesser (Owner)

I don't think this has been intentionally omitted. The package has been used mostly to talk to Google APIs with less focus on sign-in (as I believe that's what needs the ID token?).

If I understand correctly, this is a matter of updating the TokenInfo struct and its from_json() function to parse the id token. If it is optional, even better, then it should be backwards-compatible.

Without me trying to reproduce this... would you mind either adding the field yourself, testing your scenario, and sending a PR; or describing which field you would like to see from the JSON response ending up in TokenInfo?

@OliverEvans96 (Author)

I'd be happy to work up a PR when I get the chance, I just wanted to check that it would be well-received first. Thanks for the reply!

@arn-the-long-beard

Hey!
I am working on the same thing right now!
Do you want me to contribute as well?
I am trying to figure out how I can verify the integrity of the token once I got it on the backend from the front.

@OliverEvans96 (Author)

@arn-the-long-beard - I got distracted from this project, so I haven't actually written anything yet. If it's urgent for you now, feel free to give it a shot!

Here's the TokenInfo struct
https://github.com/dermesser/yup-oauth2/blob/master/src/types.rs#L59-L66

It seems like just adding pub id_token: Option<String> and making the corresponding edits to the from_json function immediately below should be sufficient.

I should have more time to help next week if necessary.

The id token should be a JWT, so it should be pretty straightforward to verify it on the backend.
Here are some instructions from Google https://developers.google.com/identity/sign-in/web/backend-auth

and here are two relevant Rust crates that both seem reasonably popular (I haven't tried either)

@arn-the-long-beard

Hey, I made it work just before I read your message. 😄

I used jsonwebtoken and I found out a few interesting things to know as well.

Tomorrow I will try the PR, I think, if it is fine for you, but I do not understand everything in this library yet 😛 so even if my code works, I might need guidance to not mess up the actual crate 😆

Also the code I have is very simple, I just pass the id_token as explained in the link. I'm not sure I understand the TokenInfo struct right now.
