idtoken.NewValidator() not working with option.WithAPIKey anymore

[henrisson]

• Programming language: Go
• OS: MacOS (applies to all)
• Language runtime version: 1.19
• Package version: v106 and over

Steps to reproduce

1. Create a new Validator with an API Key option
2. Call Validate()

Example

	tokenValidator, err := idtoken.NewValidator(context.Background(), option.WithAPIKey(myGoogleAPIKey))
	if err != nil {
		// ...
	}

	payload, err := tokenValidator.Validate(context.Background(), token, c.options.GoogleClientId)
	if err != nil {
		// ...
	}

The following commit seems to have introduce the issue: b35900a

The options are appended in the ops slice, which triggers this check

Downgrading to v105 worked

[codyoss]

@henrisson Can you explain your use case why you need to pass an apikey to create a new validator? Passing nothing should work I believe.

[henrisson]

I need at least one type of credentials. Without any, I get

creating validator: google: could not find default credentials. See https://developers.google.com/accounts/docs/application-default-credentials for more information.

Sure I could use $HOME/.config/gcloud/application_default_credentials.json but reading an API key from a config file and using options.WithAPIKey seems like a reasonable use case as well.

My understanding is that this commit broke idToken.NewValidatior() with any options that bear any kind of authentication.
I would consider this as a regression.

[codyoss]

I believe the there is no valid case to send a credential with this API. Allowing it in the first place is a bug and could lead to errors from the server. Are you getting that error with the new code? See linked issues for more details.

[henrisson]

My bad, it does work with the latest version if I remove the withAPIKey.
I somehow didn't think Google would leave the token verification API open without at least registering with a project.

My bad a sorry about noise.

[codyoss]

No worries, glad it worked!