Attempt to exchange Google's authorization code when given one instea…

…d of as a JWT

go.mod

@@ -24,6 +24,7 @@ require (
  go.uber.org/atomic v1.10.0
  go.uber.org/zap v1.23.0
  golang.org/x/crypto v0.0.0-20221012134737-56aed061732a
+ golang.org/x/oauth2 v0.0.0-20220822191816-0ebed06d0094
  google.golang.org/genproto v0.0.0-20220822174746-9e6da59bd2fc
  google.golang.org/grpc v1.50.0
  google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.2.0
@@ -33,6 +34,7 @@ require (
 )
 
 require (
+ cloud.google.com/go v0.81.0 // indirect
  github.com/RoaringBitmap/roaring v0.9.4 // indirect
  github.com/axiomhq/hyperloglog v0.0.0-20191112132149-a4c4c47bc57f // indirect
  github.com/beorn7/perks v1.0.1 // indirect
@@ -50,7 +52,7 @@ require (
  github.com/dgryski/go-metro v0.0.0-20180109044635-280f6062b5bc // indirect
  github.com/dlclark/regexp2 v1.7.0 // indirect
  github.com/felixge/httpsnoop v1.0.1 // indirect
- github.com/go-gorp/gorp/v3 v3.0.2 // indirect
+ github.com/go-gorp/gorp/v3 v3.1.0 // indirect
  github.com/go-sourcemap/sourcemap v2.1.3+incompatible // indirect
  github.com/golang/glog v1.0.0 // indirect
  github.com/golang/protobuf v1.5.2 // indirect
@@ -72,6 +74,7 @@ require (
  github.com/twmb/murmur3 v1.1.6 // indirect
  go.uber.org/multierr v1.6.0 // indirect
  golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e // indirect
- golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d // indirect
+ golang.org/x/sys v0.0.0-20221013171732-95e765b1cc43 // indirect
  golang.org/x/text v0.3.7 // indirect
+ google.golang.org/appengine v1.6.7 // indirect
 )

go.sum

@@ -17,6 +17,7 @@ cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKP
 cloud.google.com/go v0.74.0/go.mod h1:VV1xSbzvo+9QJOxLDaJfTjx5e+MePCpCWwvftOeQmWk=
 cloud.google.com/go v0.78.0/go.mod h1:QjdrLG0uq+YwhjoVOLsS1t7TW8fs36kLs4XO5R5ECHg=
 cloud.google.com/go v0.79.0/go.mod h1:3bzgcEeQlzbuEAYu4mrWhKqWjmpprinYgKJLgKHnbb8=
+cloud.google.com/go v0.81.0 h1:at8Tk2zUz63cLPR0JPWm5vp77pEZmzxEQBEfRKn1VV8=
 cloud.google.com/go v0.81.0/go.mod h1:mk/AM35KwGk/Nm2YSeZbxXdrNK3KZOYHmLkOqC2V6E0=
 cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
 cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE=
@@ -158,6 +159,8 @@ github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gorp/gorp/v3 v3.0.2 h1:ULqJXIekoqMx29FI5ekXXFoH1dT2Vc8UhnRzBg+Emz4=
 github.com/go-gorp/gorp/v3 v3.0.2/go.mod h1:BJ3q1ejpV8cVALtcXvXaXyTOlMmJhWDxTmncaR6rwBY=
+github.com/go-gorp/gorp/v3 v3.1.0 h1:ItKF/Vbuj31dmV4jxA1qblpSwkl9g1typ24xoe70IGs=
+github.com/go-gorp/gorp/v3 v3.1.0/go.mod h1:dLEjIyyRNiXvNZ8PSmzpt1GsWAUK8kjVhEpjH8TixEw=
 github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
 github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
@@ -169,6 +172,7 @@ github.com/go-sourcemap/sourcemap v2.1.3+incompatible/go.mod h1:F8jJfvm2KbVjc5Nq
 github.com/go-sql-driver/mysql v1.4.1/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
 github.com/go-sql-driver/mysql v1.5.0 h1:ozyZYNQW3x3HtqT1jira07DN2PArx2v7/mN66gGcHOs=
 github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=
+github.com/go-sql-driver/mysql v1.6.0 h1:BCTh4TKNUYmOmMUcQ3IipzF5prigylS7XXjEkfCHuOE=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/gobuffalo/logger v1.0.6 h1:nnZNpxYo0zx+Aj9RfMPBm+x9zAU2OayFh/xrAWi34HU=
 github.com/gobuffalo/logger v1.0.6/go.mod h1:J31TBEHR1QLV2683OXTAItYIg8pv2JMHnF/quuAbMjs=
@@ -369,6 +373,7 @@ github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORN
 github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
 github.com/kr/pretty v0.3.0 h1:WgNl7dwNpEZ6jJ9k1snq4pZsg7DOEN8hP9Xw0Tsjwk0=
 github.com/kr/pretty v0.3.0/go.mod h1:640gp4NfQd8pI5XOwp5fnNeVWj67G7CFk/SaSQn7NBk=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/pty v1.1.8/go.mod h1:O1sed60cT9XZ5uDucP5qwvh+TE3NnUj51EiZO/lmSfw=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
@@ -382,6 +387,7 @@ github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/lib/pq v1.10.0/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/lib/pq v1.10.2 h1:AqzbZs4ZoCBp+GtejcpCpcxM3zlSMx29dXbUSeVtJb8=
 github.com/lib/pq v1.10.2/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
+github.com/lib/pq v1.10.7 h1:p7ZhMD+KsSRozJr34udlUrhboJwWAgCg34+/ZZNvZZw=
 github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/magiconair/properties v1.8.5/go.mod h1:y3VJvCyxH9uVvJTWEGAELF3aiYNyPKd5NZ3oSwXrF60=
 github.com/markbates/errx v1.1.0 h1:QDFeR+UP95dO12JgW+tgi2UVfo0V8YBHiUIOaeBPiEI=
@@ -402,6 +408,7 @@ github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m
 github.com/mattn/go-sqlite3 v1.11.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
 github.com/mattn/go-sqlite3 v1.14.14 h1:qZgc/Rwetq+MtyE18WhzjokPD93dNqLGNT3QJuLvBGw=
 github.com/mattn/go-sqlite3 v1.14.14/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU=
+github.com/mattn/go-sqlite3 v1.14.15 h1:vfoHhTN1af61xCRSWzFIWzx2YskyMTwHLrExkBOjvxI=
 github.com/matttproud/golang_protobuf_extensions v1.0.1 h1:4hp9jkHxhMHkqkrB3Ix0jegS5sx/RkqARlsWZ6pIwiU=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
 github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
@@ -440,6 +447,7 @@ github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZN
 github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI=
 github.com/poy/onpar v0.0.0-20190519213022-ee068f8ea4d1 h1:oL4IBbcqwhhNWh31bjOX8C/OCy0zs9906d/VUru+bqg=
 github.com/poy/onpar v0.0.0-20190519213022-ee068f8ea4d1/go.mod h1:nSbFQvMj97ZyhFRSJYtut+msi4sOY6zJDGCdSc+/rZU=
+github.com/poy/onpar v1.1.2 h1:QaNrNiZx0+Nar5dLgTVp5mXkyoVFIbepjyEoGSnhbAY=
 github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw=
 github.com/prometheus/client_golang v1.0.0/go.mod h1:db9x61etRT2tGnBNRi70OPL5FsnadC4Ky3P0J6CfImo=
 github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP4j5+D6mVACh+pe2M=
@@ -676,6 +684,8 @@ golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ
 golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210402161424-2e8d93401602/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
+golang.org/x/oauth2 v0.0.0-20220822191816-0ebed06d0094 h1:2o1E+E8TpNLklK9nHiPiK1uzIYrIHt+cQx3ynCwq9V8=
+golang.org/x/oauth2 v0.0.0-20220822191816-0ebed06d0094/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -749,6 +759,8 @@ golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d h1:Zu/JngovGLVi6t2J3nmAf3AoTDwuzw85YZ3b9o4yU7s=
 golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20221013171732-95e765b1cc43 h1:OK7RB6t2WQX54srQQYSXMW8dF5C6/8+oA/s5QBmmto4=
+golang.org/x/sys v0.0.0-20221013171732-95e765b1cc43/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY=
@@ -864,6 +876,7 @@ google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7
 google.golang.org/appengine v1.6.1/go.mod h1:i06prIuMbXzDqacNJfV5OdTW448YApPu5ww/cMBSeb0=
 google.golang.org/appengine v1.6.5/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/appengine v1.6.6/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
+google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
 google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=

main.go

@@ -40,6 +40,8 @@ import (
  _ "github.com/jackc/pgx/v4/stdlib"
  "go.uber.org/zap"
  "go.uber.org/zap/zapcore"
+ "golang.org/x/oauth2"
+ "golang.org/x/oauth2/google"
  "google.golang.org/protobuf/encoding/protojson"
 )
 
@@ -132,8 +134,18 @@ func main() {
  // Check migration status and fail fast if the schema has diverged.
  migrate.StartupCheck(startupLogger, db)
 
+ var googleAuthConf *oauth2.Config
+
+ if config.GetGoogleAuth() != nil && config.GetGoogleAuth().CrendentialsJSON != "" {
+ cnf, err := google.ConfigFromJSON([]byte(config.GetGoogleAuth().CrendentialsJSON))
+ if err != nil {
+ startupLogger.Fatal("Failed to parse Google's crendentials JSON", zap.Error(err))
+ }
+ googleAuthConf = cnf
+ }
+
  // Access to social provider integrations.
- socialClient := social.NewClient(logger, 5*time.Second)
+ socialClient := social.NewClient(logger, 5*time.Second, googleAuthConf)
 
  // Start up server components.
  cookie := newOrLoadCookie(config)

server/config.go

@@ -47,6 +47,7 @@ type Config interface {
  GetLeaderboard() *LeaderboardConfig
  GetMatchmaker() *MatchmakerConfig
  GetIAP() *IAPConfig
+ GetGoogleAuth() *GoogleAuthConfig
 
  Clone() (Config, error)
 }
@@ -440,6 +441,7 @@ type config struct {
  Leaderboard *LeaderboardConfig `yaml:"leaderboard" json:"leaderboard" usage:"Leaderboard settings."`
  Matchmaker *MatchmakerConfig `yaml:"matchmaker" json:"matchmaker" usage:"Matchmaker settings."`
  IAP *IAPConfig `yaml:"iap" json:"iap" usage:"In-App Purchase settings."`
+ GoogleAuth *GoogleAuthConfig `yaml:"google_auth" json:"google_auth" usage:"Google's auth settings."`
 }
 
 // NewConfig constructs a Config struct which represents server settings, and populates it with default values.
@@ -465,6 +467,7 @@ func NewConfig(logger *zap.Logger) *config {
  Leaderboard: NewLeaderboardConfig(),
  Matchmaker: NewMatchmakerConfig(),
  IAP: NewIAPConfig(),
+ GoogleAuth: nil,
  }
 }
 
@@ -482,6 +485,10 @@ func (c *config) Clone() (Config, error) {
  configLeaderboard := *(c.Leaderboard)
  configMatchmaker := *(c.Matchmaker)
  configIAP := *(c.IAP)
+ var configGoogleAuth GoogleAuthConfig
+ if c.GoogleAuth != nil {
+ configGoogleAuth = *(c.GoogleAuth)
+ }
  nc := &config{
  Name: c.Name,
  Datadir: c.Datadir,
@@ -499,6 +506,7 @@ func (c *config) Clone() (Config, error) {
  Leaderboard: &configLeaderboard,
  Matchmaker: &configMatchmaker,
  IAP: &configIAP,
+ GoogleAuth: &configGoogleAuth,
  }
  nc.Socket.CertPEMBlock = make([]byte, len(c.Socket.CertPEMBlock))
  copy(nc.Socket.CertPEMBlock, c.Socket.CertPEMBlock)
@@ -589,6 +597,10 @@ func (c *config) GetIAP() *IAPConfig {
  return c.IAP
 }
 
+func (c *config) GetGoogleAuth() *GoogleAuthConfig {
+ return c.GoogleAuth
+}
+
 // LoggerConfig is configuration relevant to logging levels and output.
 type LoggerConfig struct {
  Level string `yaml:"level" json:"level" usage:"Log level to set. Valid values are 'debug', 'info', 'warn', 'error'. Default 'info'."`
@@ -997,3 +1009,7 @@ type IAPHuaweiConfig struct {
  ClientID string `yaml:"client_id" json:"client_id" usage:"Huawei OAuth client secret."`
  ClientSecret string `yaml:"client_secret" json:"client_secret" usage:"Huawei OAuth app client secret."`
 }
+
+type GoogleAuthConfig struct {
+ CrendentialsJSON string `yaml:"crendentials_json" json:"crendentials_json" usage:"Google's Access Crendentials."`
+}

server/console_config.go

@@ -52,6 +52,8 @@ func (s *ConsoleServer) GetConfig(ctx context.Context, in *emptypb.Empty) (*cons
  }
  }
 
+ cfg.GetGoogleAuth().CrendentialsJSON = ObfuscationString
+
  cfgBytes, err := json.Marshal(cfg)
  if err != nil {
  s.logger.Error("Error encoding config.", zap.Error(err))

server/core_link.go

@@ -330,12 +330,12 @@ AND (NOT EXISTS
  return nil
 }
 
-func LinkGoogle(ctx context.Context, logger *zap.Logger, db *sql.DB, socialClient *social.Client, userID uuid.UUID, token string) error {
- if token == "" {
+func LinkGoogle(ctx context.Context, logger *zap.Logger, db *sql.DB, socialClient *social.Client, userID uuid.UUID, idToken string) error {
+ if idToken == "" {
  return status.Error(codes.InvalidArgument, "Google access token is required.")
  }
 
- googleProfile, err := socialClient.CheckGoogleToken(ctx, token)
+ googleProfile, err := socialClient.CheckGoogleToken(ctx, idToken)
  if err != nil {
  logger.Info("Could not authenticate Google profile.", zap.Error(err))
  return status.Error(codes.Unauthenticated, "Could not authenticate Google profile.")
@@ -367,7 +367,7 @@ AND (NOT EXISTS
  googleProfile.Sub, displayName, avatarURL)
 
  if err != nil {
- logger.Error("Could not link Google ID.", zap.Error(err), zap.Any("input", token))
+ logger.Error("Could not link Google ID.", zap.Error(err), zap.Any("input", idToken))
  return status.Error(codes.Internal, "Error while trying to link Google ID.")
  } else if count, _ := res.RowsAffected(); count == 0 {
  return status.Error(codes.AlreadyExists, "Google ID is already in use.")

social/social.go

@@ -37,6 +37,7 @@ import (
 
  jwt "github.com/golang-jwt/jwt/v4"
  "go.uber.org/zap"
+ "golang.org/x/oauth2"
 )
 
 // Client is responsible for making calls to different providers
@@ -56,6 +57,8 @@ type Client struct {
  appleMutex sync.RWMutex
  appleCerts map[string]*JwksCert
  appleCertsRefreshAt int64
+
+ config *oauth2.Config
 }
 
 type JwksCerts struct {
@@ -163,13 +166,15 @@ type SteamProfileWrapper struct {
 }
 
 // NewClient creates a new Social Client
-func NewClient(logger *zap.Logger, timeout time.Duration) *Client {
+func NewClient(logger *zap.Logger, timeout time.Duration, googleCnf *oauth2.Config) *Client {
  return &Client{
  logger: logger,
 
  client: &http.Client{
  Timeout: timeout,
  },
+
+ config: googleCnf,
  }
 }
 
@@ -272,6 +277,20 @@ func (c *Client) ExtractFacebookInstantGameID(signedPlayerInfo string, appSecret
  return payload.PlayerID, nil
 }
 
+func (c *Client) exchangeGoogleAuthCode(ctx context.Context, authCode string) (*oauth2.Token, error) {
+ if c.config == nil {
+ return nil, fmt.Errorf("failed to exchange authorization code due to due misconfiguration")
+ }
+
+ token, err := c.config.Exchange(ctx, authCode)
+ if err != nil {
+ c.logger.Debug("Failed to exchange authorization code for a token.", zap.Error(err))
+ return nil, fmt.Errorf("failed to exchange authorization code for a token")
+ }
+
+ return token, nil
+}
+
 // CheckGoogleToken extracts the user's Google Profile from a given ID token.
 func (c *Client) CheckGoogleToken(ctx context.Context, idToken string) (*GoogleProfile, error) {
  c.logger.Debug("Checking Google ID", zap.String("idToken", idToken))
@@ -338,10 +357,12 @@ func (c *Client) CheckGoogleToken(ctx context.Context, idToken string) (*GoogleP
  if s, ok := token.Method.(*jwt.SigningMethodRSA); !ok || s.Hash != crypto.SHA256 {
  return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
  }
+
  claims := token.Claims.(jwt.MapClaims)
  if !claims.VerifyIssuer("accounts.google.com", true) && !claims.VerifyIssuer("https://accounts.google.com", true) {
  return nil, fmt.Errorf("unexpected issuer: %v", claims["iss"])
  }
+
  return cert, nil
  })
  if err == nil {
@@ -352,7 +373,16 @@ func (c *Client) CheckGoogleToken(ctx context.Context, idToken string) (*GoogleP
 
  // All verification attempts failed.
  if token == nil {
- return nil, errors.New("google id token invalid")
+ // The id provided could be from the new auth flow. Let's exchahge it for a token.
+ t, err := c.exchangeGoogleAuthCode(ctx, idToken)
+ if err != nil {
+ c.logger.Debug("Failed to exchange a authorization code for an access token.", zap.String("auth_token", idToken), zap.Error(err))
+ return nil, errors.New("google id token invalid")
+ }
+
+ c.logger.Debug("Exchanged a authorization code for an access token.", zap.Any("token", t), zap.Error(err))
+ // TODO user info retrieval using the access token.
+ return nil, nil
  }
 
  claims := token.Claims.(jwt.MapClaims)