by asymptosis 1753 days ago
I don't think you're being clear on all the details. You say this:

> I just want to validate one user.

This is important enough to you that you say it multiple times.

And yet, if I have just a single user, I can validate them easily: we agree on terms for exchanging auth info as a one-off, job done. I might agree to meet them in person and they show me their driver's license, or whatever. The details are irrelevant: we just use whatever we agree verifies this person.

I think that, just perhaps, you might have more than one user, and you're trying to scale this.

So, where are the details?

How much are you trying to scale, and what are the constraints around privacy and so forth?

You can't just say "I want a cheap perfect auth system with no constraints except for some hidden constraints which I'll explain later."

1 comment

Of course I am not trying to validate just one user. But all I want to do is authenticate the token that Google has posted back on my auth endpoint and make sure that 1) it has come from Google and 2) it allows me to fetch a user's data (just email), so I know whose account I have to show.

I can write my own authentication using a simple username and hashed password in PHP easily. I just don't want my user to remember yet one more password for yet another service on the web.
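
Added example, not part of either comment: one way to do the two checks described above in PHP, assuming the posted token is a Google ID token. It lets Google's `tokeninfo` endpoint verify the signature, then checks the returned claims locally; `CLIENT_ID`, the function names and the sample claims are placeholders constructed for illustration.

```php
<?php
// Added example. CLIENT_ID is a placeholder for your own OAuth client ID.
const CLIENT_ID = 'YOUR_CLIENT_ID.apps.googleusercontent.com';
const ISSUERS   = ['accounts.google.com', 'https://accounts.google.com'];

// Check 1: ask Google to verify the token's signature.
// Returns the decoded claims, or null if Google rejects the token.
function fetch_tokeninfo(string $idToken): ?array
{
    $url  = 'https://oauth2.googleapis.com/tokeninfo?id_token=' . rawurlencode($idToken);
    $ctx  = stream_context_create(['http' => ['timeout' => 5]]);
    $body = @file_get_contents($url, false, $ctx); // false on HTTP 4xx/5xx
    if ($body === false) {
        return null;
    }
    $claims = json_decode($body, true);
    return is_array($claims) ? $claims : null;
}

// Check 2: accept the email only if the token was issued by Google,
// for THIS application, is unexpired, and the email is verified.
function email_from_claims(?array $claims, int $now): ?string
{
    if ($claims === null) return null;
    $aud      = $claims['aud'] ?? '';
    $verified = $claims['email_verified'] ?? false; // tokeninfo returns the string "true"
    if (!is_string($aud) || !hash_equals(CLIENT_ID, $aud)) return null; // token minted for another app
    if (!in_array($claims['iss'] ?? '', ISSUERS, true)) return null;
    if ((int)($claims['exp'] ?? 0) <= $now) return null;
    if ($verified !== true && $verified !== 'true') return null;
    $email = $claims['email'] ?? null;
    return (is_string($email) && $email !== '') ? $email : null;
}

// Constructed sample claims (not real tokens) so the checks run offline.
$now  = 1700000000;
$good = ['iss' => 'https://accounts.google.com', 'aud' => CLIENT_ID,
         'exp' => '1700003600', 'email' => 'user@example.com', 'email_verified' => 'true'];
$otherApp = ['aud' => 'other-app.apps.googleusercontent.com'] + $good;
$expired  = ['exp' => '1699990000'] + $good;

var_dump(email_from_claims($good, $now));     // accepted
var_dump(email_from_claims($otherApp, $now)); // rejected: wrong audience
var_dump(email_from_claims($expired, $now));  // rejected: expired
var_dump(email_from_claims(null, $now));      // rejected: Google refused the token

// On the real endpoint (the POST field name 'id_token' is hypothetical):
// $email = email_from_claims(fetch_tokeninfo($_POST['id_token']), time());
```

Google documents the `tokeninfo` call as suited to debugging and low request volumes; higher-volume sites verify the token's signature locally against Google's published keys instead. Google also recommends keying accounts on the `sub` claim rather than the email address, since an email can change.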