
I'm trying to validate a Google JWT I got from the client, but most of the information I can find online is lacking.

For instance, this post on Stack Overflow:

From https://developers.google.com/accounts/docs/OAuth2Login#validatinganidtoken the recommended approach:

"we recommend that you retrieve Google’s public keys from https://www.googleapis.com/oauth2/v1/certs and perform the validation locally.

Since Google changes its public keys only infrequently (on the order of once per day), you can cache them and, in the vast majority of cases, perform local validation much more efficiently than by using the TokenInfo endpoint. This requires retrieving and parsing certificates, and making the appropriate crypto calls to check the signature. Fortunately, there are well-debugged libraries available in a wide variety of languages to accomplish this."

It isn't clear to me what I'm supposed to do to validate this JWT. Most of the information I can find about how to verify the signature says to use the x5c key from the JWKS, but Google's page, found through the discovery doc, excludes that key.

Comment: Are you trying to validate a JWT signed by Google, a Google OAuth Access Token or a Google OAuth Identity Token? They are different and use different methods. Is your goal to do this in code or by some other method? If by code, what language are you using? Edit your question with more details. Commented Jul 21, 2019 at 7:11

1 Answer

Validation of a JWT is covered in the spec (RFC 7519, section 7.2). One of the steps is validation of the signature, which is covered in the JSON Web Signature (JWS) spec (RFC 7515, section 5.2). Specifications are the law, but to apply the law you should understand how most applications do it or should do it. That is covered in JWT - Best Current Practices (JWT BCP; draft 06).

You can read all of that and try to implement it on your own or you can use one of the client libraries Google provides for you where all of this is, well, also done for you.
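Added example, not part of the question or answer above: a Python sketch of the local validation the quoted Google doc recommends, doing the RFC 7515 section 5.2 signature check and the RFC 7519 section 7.2 claim checks against a JWKS whose RSA keys carry only n/e (no x5c, which is exactly what the question ran into). It needs the `cryptography` package; the signing key, the `demo-kid` key id, the client_id and the claims are constructed fixtures standing in for Google's real keys and tokens, and the two issuer strings are the ones Google documents for ID tokens.

```python
import base64, json, time
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

GOOGLE_ISSUERS = ("https://accounts.google.com", "accounts.google.com")  # both documented by Google
def b64url_decode(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")
def verify_id_token(token, jwks, audience, now=None):
    """Signature per RFC 7515 s5.2, claims per RFC 7519 s7.2; JWKS keys carry n/e, not x5c."""
    now = time.time() if now is None else now
    h_b64, p_b64, s_b64 = token.split(".")              # ValueError unless exactly 3 segments
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "RS256":                    # pin the alg; never trust the header's choice
        raise ValueError("unsupported alg")
    jwk = next((k for k in jwks["keys"]                 # Google rotates keys, so select by kid
                if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if jwk is None:
        raise ValueError("no RSA key with this kid in JWKS")
    n, e = (int.from_bytes(b64url_decode(jwk[p]), "big") for p in ("n", "e"))
    pub = rsa.RSAPublicNumbers(e, n).public_key()      # rebuilt from n/e; no x5c certificate needed
    # RS256 = RSASSA-PKCS1-v1_5 over SHA-256 of the ASCII "<header>.<payload>"; raises InvalidSignature
    pub.verify(b64url_decode(s_b64), f"{h_b64}.{p_b64}".encode("ascii"), padding.PKCS1v15(), hashes.SHA256())
    claims = json.loads(b64url_decode(p_b64))
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != audience:                   # was it minted for *our* client_id?
        raise ValueError("audience mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    return claims

def is_valid(token, jwks, audience, now=None):
    try:
        verify_id_token(token, jwks, audience, now)
        return True
    except (ValueError, KeyError, InvalidSignature):    # malformed, wrong claims, or bad signature
        return False

def make_sample(audience, exp, kid="demo-kid", sub="1234"):
    """Constructed fixture: a throwaway RSA key stands in for Google's signing key."""
    priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pn = priv.public_key().public_numbers()
    jwks = {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
                      "n": b64url_encode(pn.n.to_bytes(256, "big")), "e": b64url_encode(pn.e.to_bytes(3, "big"))}]}
    hdr = b64url_encode(json.dumps({"alg": "RS256", "kid": kid}).encode())
    body = b64url_encode(json.dumps({"iss": GOOGLE_ISSUERS[0], "aud": audience, "sub": sub, "exp": exp}).encode())
    sig = priv.sign(f"{hdr}.{body}".encode("ascii"), padding.PKCS1v15(), hashes.SHA256())
    return f"{hdr}.{body}.{b64url_encode(sig)}", jwks
```

In production the `jwks` dict comes from Google's certs endpoint (cached per the quoted doc) and `audience` is your own OAuth client_id.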
