I'm currently creating a web application on which the user can log in via his Google account. This works client side, but I would also like to secure REST API calls. To do so, I send the "Google ID token" with each request via the "Authorization" header. Now I would like to verify in C# that the token passed is valid. I found that there is a .NET library to do so, but I didn't find any clear documentation anywhere on how to simply validate the token.
Does anyone have some pointers for this?
To do so securely, after a successful sign-in, send the user's ID token to your server using HTTPS. Then, on the server, verify the integrity and authenticity of the ID token and retrieve the uid from it. You can use the uid transmitted in this way to securely identify the currently signed-in user on your server.
You can refresh an Identity Platform ID token by issuing an HTTP POST request to the securetoken.googleapis.com endpoint. The refresh token's grant type is always "refresh_token".
My answer is the same as the answer above, with a little more detail.
using Google.Apis.Auth;
using Google.Apis.Auth.OAuth2;
// Verifies the signature (against Google's public certs), issuer and expiry of the ID token
GoogleJsonWebSignature.Payload payload = await GoogleJsonWebSignature.ValidateAsync(Token);
...
The payload object contains all the information that you need.
For future reference the following verifications are checked internally by the Google.Apis.Auth library and no extra validations are required (both passing settings or checking the payload):
The following however require input by the developer in order to be validated. They can be passed with GoogleJsonWebSignature.ValidationSettings:
Source: Google.Apis.Auth.Tests/GoogleJsonWebSignatureTests.cs
According to the docs, the token must be validated by verifying the signature with Google's public key. Also check the aud, iss and exp claims, and the hd claim if it applies. Therefore only the aud (and hd) have to be tested explicitly by the developer.
try
{
    //...
    var validationSettings = new GoogleJsonWebSignature.ValidationSettings
    {
        Audience = new string[] { "[google-signin-client_id].apps.googleusercontent.com" }
    };
    var payload = await GoogleJsonWebSignature.ValidateAsync(idToken, validationSettings);
    //...
}
catch (InvalidJwtException ex)
{
    //...
}
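Putting the answers above together, here is an added, complete example of the server-side check for the scenario in the question (a bearer ID token arriving in the Authorization header). It is not code from any of the answers or from the Google.Apis.Auth project; it assumes the Google.Apis.Auth NuGet package, a placeholder client ID, and the hypothetical class and method names used here. The hosted-domain restriction is optional and left disabled.

```csharp
using System;
using System.Threading.Tasks;
using Google.Apis.Auth;

// Added example, not from the answers above. Assumes the Google.Apis.Auth package.
public static class GoogleIdTokenVerifier
{
    // Placeholder: replace with the OAuth client ID used by your sign-in button.
    // This is the "aud" value the library checks for you when passed as Audience.
    private const string ClientId = "[google-signin-client_id].apps.googleusercontent.com";

    // Optional Google Workspace domain restriction ("hd" claim); null disables the check.
    private const string RequiredHostedDomain = null;

    // Pulls the raw token out of an "Authorization: Bearer <token>" header value.
    // Returns null for a missing, malformed or empty header so callers reject the request.
    public static string ExtractBearerToken(string authorizationHeader)
    {
        const string prefix = "Bearer ";
        if (string.IsNullOrEmpty(authorizationHeader) ||
            !authorizationHeader.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
        {
            return null;
        }
        var token = authorizationHeader.Substring(prefix.Length).Trim();
        return token.Length == 0 ? null : token;
    }

    // Returns the validated payload, or null when the token must be rejected.
    public static async Task<GoogleJsonWebSignature.Payload> VerifyAsync(string idToken)
    {
        if (string.IsNullOrEmpty(idToken))
        {
            return null;
        }

        var settings = new GoogleJsonWebSignature.ValidationSettings
        {
            Audience = new[] { ClientId },
            HostedDomain = RequiredHostedDomain
        };

        try
        {
            // ValidateAsync fetches Google's public certificates, verifies the RS256
            // signature, and checks iss and exp itself; aud and hd are checked
            // against the settings passed in here.
            var payload = await GoogleJsonWebSignature.ValidateAsync(idToken, settings);

            // Defensive: only rely on the e-mail address if Google marks it verified.
            if (!payload.EmailVerified)
            {
                return null;
            }
            return payload;
        }
        catch (InvalidJwtException)
        {
            // Bad signature, wrong audience/issuer/domain, or expired token.
            return null;
        }
    }
}

// Usage inside a request handler (hypothetical names):
//   var token = GoogleIdTokenVerifier.ExtractBearerToken(Request.Headers["Authorization"]);
//   var payload = await GoogleIdTokenVerifier.VerifyAsync(token);
//   if (payload == null) return Unauthorized();
//   var userKey = payload.Subject;   // stable Google user ID ("sub")
```

Key the user record on payload.Subject (the "sub" claim) rather than on the e-mail address, which can change for the same account, and always run this check on every API call rather than caching a decision keyed on the raw token string.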