Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Google OAuth JWT signature verification

Tags:

validation

php

jwt

google-oauth

I'm making my own google oauth implementation in PHP project. Everything works fine unless I'm trying to verify JWT received after the access token request (https://accounts.google.com/o/oauth2/token).

For JWT decoding I'm using firebase/php-jwt class.

It decodes perfectly, but if I switch on $verify option (decode() method 3-rd arg) I get : Signature verification failed exception thrown.

My guess is that, if I pass a wrong key to the decode() method. It's used later for hash_hmac() function when signature is generating done.

So my question is: What key exactly should I pass for signature verification to the Google OAuth JWT context?

like image 617
Hast Avatar asked Jul 13 '13 22:07

Hast

People also ask

How do I verify my Google JWT token?

After you receive the ID token by HTTPS POST, you must verify the integrity of the token. To verify that the token is valid, ensure that the following criteria are satisfied: The ID token is properly signed by Google. Use Google's public keys (available in JWK or PEM format) to verify the token's signature.

Can you use OAuth with JWT?

Using JWT with OAuth2 JWT and OAuth2 are entirely different and serve different purposes, but they are compatible and can be used together. The OAuth2 protocol does not specify the format of the tokens, therefore JWTs can be incorporated into the usage of OAuth2.

Is Google access token JWT?

The access token is not a JWT. The id_token is a JWT and you should be able to decode it using jwt.io.

1 Answers

From https://developers.google.com/accounts/docs/OAuth2Login#validatinganidtoken the recommended approach:

"we recommend that you retrieve Google’s public keys from https://www.googleapis.com/oauth2/v1/certs and perform the validation locally.

Since Google changes its public keys only infrequently (on the order of once per day), you can cache them and, in the vast majority of cases, perform local validation much more efficiently than by using the TokenInfo endpoint. This requires retrieving and parsing certificates, and making the appropriate crypto calls to check the signature. Fortunately, there are well-debugged libraries available in a wide variety of languages to accomplish this."

like image 171
breno Avatar answered Oct 31 '22 15:10

breno
Sign in to Comment

Related questions

invalid mysql query on insert
PHP $_SESSION is server side or local?
PHP: log stack trace for FATAL errors in production
Is it preferred to assign POST variable to an actual variable?
Zend Framework Automatic Logout after inactivity
PHP library to generate user friendly relative timestamps
Read excel xlsx file using simplexlsx in php
How to log someone trying to make sql injection
Symfony multiple sites
PHP PDF Generator Advice [closed]
Using protocol-relative URIs within "Location:" headers
Can a PDO object be stored in session?
what are entity classes in php [closed]
PHP Trait call inherited function
Adding apache to a user group file upload permission
how to post on google plus pages through api?
How to use composer to install part of a git repository?
Getting SSH output "as it happens" via PHP?
Clarify how to setup a one-to-many relationship in Laravel's Eloquent ORM
Setting environment variable using .htaccess

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!