I'm making my own Google OAuth implementation in a PHP project. Everything works fine until I try to verify the JWT
received after the access token request (https://accounts.google.com/o/oauth2/token).
For JWT decoding I'm using the firebase/php-jwt class.
It decodes perfectly, but if I switch on the $verify option (the third argument of the decode() method) I get a "Signature verification failed" exception thrown.
My guess is that I'm passing a wrong key to the decode() method. It's used later by the hash_hmac() function when the signature is generated.
So my question is: what key exactly should I pass for signature verification in the Google OAuth JWT context?
After you receive the ID token by HTTPS POST, you must verify the integrity of the token. To verify that the token is valid, ensure that the following criteria are satisfied: The ID token is properly signed by Google. Use Google's public keys (available in JWK or PEM format) to verify the token's signature.
Using JWT with OAuth2
JWT and OAuth2 are entirely different and serve different purposes, but they are compatible and can be used together. The OAuth2 protocol does not specify the format of the tokens, therefore JWTs can be incorporated into the usage of OAuth2.
The access token is not a JWT. The id_token is a JWT and you should be able to decode it using jwt.io.
From https://developers.google.com/accounts/docs/OAuth2Login#validatinganidtoken the recommended approach:
"we recommend that you retrieve Google’s public keys from https://www.googleapis.com/oauth2/v1/certs and perform the validation locally.
Since Google changes its public keys only infrequently (on the order of once per day), you can cache them and, in the vast majority of cases, perform local validation much more efficiently than by using the TokenInfo endpoint. This requires retrieving and parsing certificates, and making the appropriate crypto calls to check the signature. Fortunately, there are well-debugged libraries available in a wide variety of languages to accomplish this."
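A worked version of the local validation the answers above recommend, added here as an illustration and not taken from the question or any answer. It assumes Composer with firebase/php-jwt v6 or later (the $verify argument mentioned in the question belongs to a much older release), and the function names are my own. Google ID tokens are signed with RS256, so the key is one of Google's public keys, not a shared secret for hash_hmac().

```php
<?php
// Added example (not from the question or the answers). Assumes firebase/php-jwt v6+
// installed via Composer; fetchGoogleCerts() and verifyGoogleIdToken() are hypothetical names.
require __DIR__ . '/vendor/autoload.php';

use Firebase\JWT\JWT;
use Firebase\JWT\Key;

/**
 * Fetch Google's current signing certificates (kid => PEM X.509 certificate) and wrap
 * each as an RS256 Key. Cache the result rather than fetching on every request.
 */
function fetchGoogleCerts(): array
{
    $json = file_get_contents('https://www.googleapis.com/oauth2/v1/certs');
    if ($json === false) {
        throw new RuntimeException('Could not fetch Google certificates');
    }
    $certs = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    // Pin the algorithm per key so the token's own "alg" header cannot choose it.
    return array_map(fn(string $pem) => new Key($pem, 'RS256'), $certs);
}

/**
 * Verify a Google id_token and return its claims, or throw.
 * $keys is kid => Key; decode() selects the key named in the token's "kid" header.
 */
function verifyGoogleIdToken(string $idToken, string $clientId, array $keys): object
{
    JWT::$leeway = 60; // tolerate small clock skew on the exp/iat/nbf checks
    $claims = JWT::decode($idToken, $keys); // throws on bad signature, expiry or unknown kid

    // A valid signature alone is not enough: bind the token to Google and to *this* client.
    $validIssuers = ['accounts.google.com', 'https://accounts.google.com'];
    if (!in_array($claims->iss ?? '', $validIssuers, true)) {
        throw new UnexpectedValueException('Unexpected issuer: ' . ($claims->iss ?? '(none)'));
    }
    if (($claims->aud ?? '') !== $clientId) {
        throw new UnexpectedValueException('Token was issued for a different client');
    }
    return $claims;
}

// Usage (placeholder client id):
// $claims = verifyGoogleIdToken($_POST['id_token'], 'YOUR_CLIENT_ID.apps.googleusercontent.com', fetchGoogleCerts());
```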