Validate Google Auth ID Token on CF Workers

I am having a hard time with Google Auth ID token verification on CF workers.

I have a static website with a backend running on CF workers. One of the login options on the website is Google OAuth. After the successful sign-in on the browser side, I need to pass the token to my worker and validate the token there. Google recommends using their library for that kind of situation, but their NodeJS lib doesn’t work on CF workers.

Google states that this can be achieved using a general-purpose JWT library. I found an article describing the token verification flow, but their solution depends on an npm package that has high and critical vulnerabilities that cannot be fixed by running `npm audit fix`, and I'm not sure if that would even work on workers either.

Is there a way to validate the Google Auth ID token with workers? Maybe someone managed to come up with an elegant solution for that?

Perhaps one of these threads and the code within may help you out:

Hey cherryjimbo, thanks for your input. I found those threads before asking for help; however, they do the thing the other way around. These two threads describe creating and signing the token yourself, but what I’m actually looking for is taking the token and parsing its payload together with the verification that it was actually created by Google.

It seems like Browserify can turn the Google auth library for NodeJS into plain JS that could run on CF workers; however, the script weighs over 2MB and workers have a limit of max 1MB for the script.