Google OAuth JWT signature verification

I'm making my own Google OAuth implementation in a PHP project. Everything works fine until I try to verify the JWT received after the access token request (https://accounts.google.com/o/oauth2/token).

For JWT decoding I'm using firebase/php-jwt class.

It decodes perfectly, but if I switch on the $verify option (the third argument of the decode() method) I get a "Signature verification failed" exception.

My guess is that I'm passing the wrong key to the decode() method. It's used later by the hash_hmac() function when the signature is generated.

So my question is: What key exactly should I pass for signature verification to the Google OAuth JWT context?

Hast asked Jul 13 '13 22:07


People also ask

How do I verify my Google JWT token?

After you receive the ID token by HTTPS POST, you must verify the integrity of the token. To verify that the token is valid, ensure that the following criteria are satisfied: The ID token is properly signed by Google. Use Google's public keys (available in JWK or PEM format) to verify the token's signature.

Can you use OAuth with JWT?

JWT and OAuth2 are entirely different and serve different purposes, but they are compatible and can be used together. The OAuth2 protocol does not specify the format of the tokens, therefore JWTs can be incorporated into the usage of OAuth2.

Is Google access token JWT?

The access token is not a JWT. The id_token is a JWT and you should be able to decode it using jwt.io.


1 Answer

From https://developers.google.com/accounts/docs/OAuth2Login#validatinganidtoken the recommended approach:

"we recommend that you retrieve Google’s public keys from https://www.googleapis.com/oauth2/v1/certs and perform the validation locally.

Since Google changes its public keys only infrequently (on the order of once per day), you can cache them and, in the vast majority of cases, perform local validation much more efficiently than by using the TokenInfo endpoint. This requires retrieving and parsing certificates, and making the appropriate crypto calls to check the signature. Fortunately, there are well-debugged libraries available in a wide variety of languages to accomplish this."

breno answered Oct 31 '22 15:10
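The local validation the answer recommends, written out as an added example that is not part of the original answer, of the firebase/php-jwt project or of Google's own code. Google signs ID tokens with RS256, so what decode() needs is the RSA public key whose kid matches the token header, not an HMAC secret. The script targets firebase/php-jwt v6 (`composer require firebase/php-jwt`) and reads the key set in the JWK format served by https://www.googleapis.com/oauth2/v3/certs rather than the PEM map at the v1 URL quoted above. So that it runs offline, it constructs its own RSA key pair, JWKS document, client ID and ID token in place of the real ones; those values are assumptions, as marked in the comments.

```php
<?php
// Added example (not from the original post): local verification of a
// Google-style RS256 ID token with firebase/php-jwt v6.
// Assumptions, labelled as such: the key pair, JWKS document, client ID and
// token below are constructed stand-ins for the real key set fetched from
// https://www.googleapis.com/oauth2/v3/certs and for a real Google-issued token.
require __DIR__ . '/vendor/autoload.php';

use Firebase\JWT\JWT;
use Firebase\JWT\JWK;
use Firebase\JWT\Key;
use Firebase\JWT\SignatureInvalidException;

function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// --- Constructed stand-in for Google's signing key and its JWKS (assumption) ---
$pair = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
openssl_pkey_export($pair, $privatePem);
$rsa = openssl_pkey_get_details($pair)['rsa'];
$kid = 'constructed-kid-1';
$jwks = ['keys' => [[
    'kty' => 'RSA', 'alg' => 'RS256', 'use' => 'sig', 'kid' => $kid,
    'n' => b64url($rsa['n']), 'e' => b64url($rsa['e']),
]]];

// --- Constructed ID token with the claims Google puts in one (client ID is a placeholder) ---
$clientId = 'example-client-id.apps.googleusercontent.com';
$claims = [
    'iss' => 'https://accounts.google.com',
    'aud' => $clientId,
    'sub' => '1234567890',
    'iat' => time(),
    'exp' => time() + 3600,
];
$idToken = JWT::encode($claims, $privatePem, 'RS256', $kid);

/**
 * Verify an ID token against a JWKS document (the parsed JSON of Google's certs
 * endpoint, which a real deployment fetches over HTTPS and caches).
 * The library checks the signature and the exp/nbf/iat claims; iss and aud are
 * checked here because only the application knows which values to expect.
 */
function verifyIdToken(string $jwt, array $jwks, string $expectedAud): array
{
    // parseKeySet() returns a kid => Key map. decode() selects the key by the
    // token's kid header and refuses the token if its alg does not match the
    // key's alg, which blocks the alg-confusion trick of re-signing with HS256
    // using the public key bytes as the HMAC secret.
    $keys = JWK::parseKeySet($jwks);
    $payload = (array) JWT::decode($jwt, $keys);

    $issuer = $payload['iss'] ?? '';
    if (!in_array($issuer, ['https://accounts.google.com', 'accounts.google.com'], true)) {
        throw new UnexpectedValueException("unexpected issuer: $issuer");
    }
    if (($payload['aud'] ?? '') !== $expectedAud) {
        throw new UnexpectedValueException('token was not issued for this client');
    }
    return $payload;
}

$payload = verifyIdToken($idToken, $jwks, $clientId);
echo "verified subject: {$payload['sub']}\n";

// Negative case: the same header and payload with a forged signature must be rejected.
[$header, $body] = explode('.', $idToken);
$forged = "$header.$body." . b64url(random_bytes(256));
try {
    verifyIdToken($forged, $jwks, $clientId);
    echo "BUG: forged token accepted\n";
} catch (SignatureInvalidException $e) {
    echo "forged token rejected: {$e->getMessage()}\n";
}
```

In production the JWKS is fetched once and cached, and refetched when a token arrives with a kid that is not in the cache, which is how a key rotation shows up. Older php-jwt releases took the list of allowed algorithms as a third argument to decode() instead of binding the algorithm to Key objects; on those versions the allowed list must be pinned to RS256 explicitly, for the same alg-confusion reason.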