FR: Don't require constant connectivity to Google for verifying ID tokens #661

Open
juliusv opened this issue Dec 11, 2024 · 2 comments

juliusv commented Dec 11, 2024

The VerifyIDToken() method on the auth Client downloads Google's signing certificates from https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com in the background when verifying a user ID token.

Unfortunately, in some environments, connecting to Google is either unreliable or not directly possible. In my case, my Hetzner VServer's IPs get regularly blocked by Google (see https://bsky.app/profile/juliusv.com/post/3lczuagphbs2w), although verifying Firebase tokens is the only thing my backend does in terms of external connectivity. In this kind of situation, I would really like to have more control over the downloading of these certificates, for example some alternative means of providing the certificate externally without the SDK connecting directly to Google. Then at least I can manage around the IP blocks somehow.

@adigunsherif

Facing similar issues on my server. Any luck?
Could not fetch certificates at https://www.googleapis.com/robot/v1/metadata/x509/securetoken@system.gserviceaccount.com

juliusv commented Apr 8, 2025

@adigunsherif I ended up just reimplementing the verification method myself in a way that caches the public keys, but also has hardcoded fallback keys in case the keys are not in the cache yet, but the fetch fails. Here's the file (part of a gin middleware in my case) that handles this for me, in case you're curious: https://gist.github.com/juliusv/c6d8bf5df04998a01e224bb93a77927a
