I have setup a hangout chat bot and trying to verify that the request is coming from Google and is intended for the target bot. As per google documentation, it says you can verify using BEARER_TOKEN and "CHAT_ISSUER = 'chat@system.gserviceaccount.com" with the public key as below in python.
token = client.verify_id_token(
BEARER_TOKEN, AUDIENCE, cert_uri=PUBLIC_CERT_URL_PREFIX + CHAT_ISSUER)
However the BEARER token is not static in each POST request header, I can decode the BEARER token(JWT) and get the "KID" which is same in every case. I'm not quite sure how to verify with the "kid" and CHAT_ISSUER, etc in python. Can someone help here ?
