Validating an id_token should avoid making network requests when possible #218
Description
i.e. google.oauth2.id_token.verify_oauth2_token should cache public keys.
Otherwise, there's not much benefit to using this over the tokeninfo endpoint, despite numerous claims in official documentation to the contrary.
https://developers.google.com/identity/sign-in/web/backend-auth#calling-the-tokeninfo-endpoint
Calling [the tokeninfo] endpoint involves an additional network request that does most of the validation for you, but introduces some latency and the potential for network errors.
https://developers.google.com/identity/protocols/OpenIDConnect#validatinganidtoken
[Using the tokeninfo endpoint] involves an HTTP round trip, introducing latency and the potential for network breakage. The tokeninfo endpoint is useful for debugging but for production purposes, we recommend that you retrieve Google’s public keys from the keys endpoint and perform the validation locally.
Since Google changes its public keys only infrequently (on the order of once per day), you can cache them [...] Fortunately, there are well-debugged libraries available in a wide variety of languages to accomplish this.
Since this is the flagship Google auth library for python, it would be excellent to have this implemented.
Also, it would be great to have more documentation around the usage of verify_oauth2_token in the project -- several documentation pages link to https://google-auth.readthedocs.io for id_token validation, but there's no visible information about it. Copying the example code in https://developers.google.com/identity/sign-in/web/backend-auth#using-a-google-api-client-library would be a great start!
p.s. I know it's way easier to ask for features than to do them -- would you be open to accepting PRs for each of these? I'd be willing to contribute the code if it'd be considered.