 

Google OpenID Connect: How to verify id_token?

I am building a backend server which receives an ID token from a mobile application (iOS). How can I verify that this token is OK and can be used securely?

Google's official documentation on validating the token:

https://developers.google.com/identity/protocols/OpenIDConnect#validatinganidtoken

It recommends verifying the ID token locally, without sending a verification request to Google. Is it OK to check some fields of the ID token locally, as in the documentation, or should I also send a request to Google to verify the token?

Google's documentation mentions debugging and verifying the ID token with:

https://www.googleapis.com/oauth2/v3/tokeninfo?id_token=XYZ123

But it doesn't recommend using it in production. I also thought about using the access token along with the ID token and verifying the access token first with:

https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=

But does that make the whole process of validating the client's credentials (mobile app, web app) more secure?

nicq asked Jan 04 '17 10:01





1 Answer

First let me start by saying I don't work for Google. However, I have been developing with Google OAuth2 since 2012. A while back I asked a Googler just this question.

His recommendation was: if you have a refresh token, just request a new access token; if it's bad, the server will return an error. If you have an access token, send a request; if it's bad, the server will return an error.

There isn't really much point in validating it first; you're just sending two requests to the server for every request you make. All you will be doing is preventing errors on a small percentage of the requests you are making in the long run.

I have never bothered with the ID token. The ID token is a JWT, so you should be able to open it, I think.

Update

You should consult Verify the integrity of the ID token.

You can also do some checking on your own. The ID token is a JWT; if you decrypt it, or call the tokeninfo endpoint, you get:

{
  "iss": "https://accounts.google.com",
  "azp": "407408718192.apps.googleusercontent.com",
  "aud": "407408718192.apps.googleusercontent.com",
  "sub": "11720055326",
  "at_hash": "HQVaIRLqmsjaTt8KoOIQ",
  "name": "Linda Lawton",
  "picture": "https://lh3.googleusercontent.com/a-/AAuE7mDuIWqXzrrp-65cIhXSD2HjCI8WYsWHR0fDx5_wQPY=s96-c",
  "given_name": "Linda",
  "family_name": "Lawton",
  "locale": "en",
  "iat": 1567751,
  "exp": 1567755
}
  • iss should be https://accounts.google.com
  • aud will be the client ID of your app, 407408718192.apps.googleusercontent.com
  • at_hash: there may also be some way to validate against this, but I haven't bothered
DaImTo answered Oct 18 '22 16:10

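The local verification the question asks about, and the iss/aud/at_hash checks the answer lists, as an added example that is not part of the original question or answer. It is a Go verifier for an RS256 Google ID token written for this page: it checks the signature against a key selected by kid, then iss, aud and exp, and, when an access token was issued alongside, binds the two by recomputing at_hash (the base64url of the left-most 128 bits of the access token's SHA-256, per the OpenID Connect core spec). Everything is constructed so the example runs offline: the key set is a locally generated RSA key standing in for the JWKS that Google publishes at https://www.googleapis.com/oauth2/v3/certs (named in the documentation the question links to, not on this page), the client ID is the one from the answer's sample token, and MintTestToken is a stand-in issuer, not anything Google provides.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of Google ID-token claims checked here (Google issues aud as a single string).
type Claims struct {
	Iss    string `json:"iss"`
	Aud    string `json:"aud"`
	Sub    string `json:"sub"`
	AtHash string `json:"at_hash,omitempty"`
	Exp    int64  `json:"exp"`
}

// Keys stands in for Google's JWKS (https://www.googleapis.com/oauth2/v3/certs) parsed into kid -> public key.
// A real backend fetches that document over HTTPS and caches it for as long as its Cache-Control header allows.
type Keys map[string]*rsa.PublicKey

var b64 = base64.RawURLEncoding // JWTs use unpadded base64url

func decodeJSON(part string, v any) error {
	raw, err := b64.DecodeString(part)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// AtHash is the OIDC at_hash for RS256: base64url of the left-most 128 bits of SHA-256(access_token).
func AtHash(accessToken string) string {
	sum := sha256.Sum256([]byte(accessToken))
	return b64.EncodeToString(sum[:16])
}

// VerifyIDToken performs the local checks from Google's validation guidance: RS256 signature under a
// known kid, then iss, aud, exp and (when an access token was issued alongside) at_hash. now is a parameter.
func VerifyIDToken(token string, keys Keys, clientID, accessToken string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token: want header.payload.signature")
	}
	var h struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if err := decodeJSON(parts[0], &h); err != nil {
		return nil, err
	}
	pub := keys[h.Kid]
	if h.Alg != "RS256" || pub == nil { // pin the algorithm; never let the token's alg pick the verifier
		return nil, fmt.Errorf("unsupported alg %q or unknown kid %q (refresh the JWKS before rejecting)", h.Alg, h.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature verification failed")
	}
	var c Claims // the claims mean nothing until the signature has been checked
	if err := decodeJSON(parts[1], &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != "https://accounts.google.com" && c.Iss != "accounts.google.com":
		return nil, fmt.Errorf("unexpected iss %q", c.Iss)
	case c.Aud != clientID:
		return nil, fmt.Errorf("aud %q is not this app's client ID", c.Aud)
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, fmt.Errorf("token expired")
	case accessToken != "" && c.AtHash != AtHash(accessToken):
		return nil, fmt.Errorf("at_hash does not match the presented access token")
	}
	return &c, nil
}

// MintTestToken signs claims with a local key so the example runs offline; it stands in for Google's issuer
// and every token it produces is constructed test data, not a real Google token.
func MintTestToken(priv *rsa.PrivateKey, kid string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(c)
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return signingInput + "." + b64.EncodeToString(sig)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed stand-in for Google's signing key
	const clientID, accessToken = "407408718192.apps.googleusercontent.com", "ya29.constructed-access-token"
	tok := MintTestToken(priv, "kid-1", Claims{Iss: "https://accounts.google.com", Aud: clientID,
		Sub: "11720055326", AtHash: AtHash(accessToken), Exp: time.Now().Add(time.Hour).Unix()})
	fmt.Println(VerifyIDToken(tok, Keys{"kid-1": &priv.PublicKey}, clientID, accessToken, time.Now()))
}
```

Two design points answer the question directly. First, nothing here calls Google: once the JWKS is cached, signature, iss, aud and exp are checked offline, which is exactly what the linked documentation recommends and why tokeninfo is a debugging aid rather than a production dependency. Second, the at_hash check is what makes sending the access token "along with" the ID token worthwhile: it proves the two came from the same authorization response, so the backend can accept the ID token as authentication and the access token for API calls without a round trip; a tokeninfo lookup on the access token alone would not give you that binding. Google rotates its keys, so on an unknown kid a production verifier re-fetches the JWKS once before rejecting.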