 

Validating Google ID tokens in C#

I need to validate a Google ID token passed from a mobile device at my ASP.NET web api.

Google have some sample code here but it relies on a JWT NuGet package which is .Net 4.5 only (I am using C#/.Net 4.0). Is anyone aware of any samples which do this without these packages or has achieved this themselves? The use of the package makes it very difficult to work out what I need to do without it.

asked Jun 14 '13 17:06 by SeeNoWeevil


2 Answers

According to this github issue, you can now use GoogleJsonWebSignature.ValidateAsync method to validate a Google-signed JWT. Simply pass the idToken string to the method.

using Google.Apis.Auth; // from the Google.Apis.Auth NuGet package

// Verifies the signature against Google's published certificates and checks issuer and expiry.
var validPayload = await GoogleJsonWebSignature.ValidateAsync(idToken);
Assert.NotNull(validPayload);

If it is not a valid one, it will return null.

Note that to use this method, you need to install the Google.Apis.Auth NuGet package first.

answered Sep 18 '22 08:09 by edmundpie
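The call above accepts any token Google signed; in a login flow you also want to pin the audience to your own client ID and treat a rejected token as a failed login rather than an unhandled exception. The following is an added example, not code from the answer or from the Google.Apis.Auth project; it assumes the Google.Apis.Auth package (which needs .NET 4.5 or later, so it does not satisfy the asker's .NET 4.0 constraint) and uses a placeholder for the client ID.

```csharp
// Added example: validate a Google ID token with Google.Apis.Auth, pinning the expected
// audience and mapping any InvalidJwtException to a null result.
using System;
using System.Threading.Tasks;
using Google.Apis.Auth;

public static class GoogleIdTokenVerifier
{
    // Placeholder: the OAuth 2.0 client ID your application registered with Google.
    private const string ExpectedAudience = "YOUR_CLIENT_ID.apps.googleusercontent.com";

    // Returns the stable Google account identifier (the 'sub' claim) on success, or null
    // when the token is not a valid, unexpired Google-signed token issued for this client.
    public static async Task<string> VerifyAsync(string idToken)
    {
        if (string.IsNullOrWhiteSpace(idToken))
        {
            return null;
        }

        var settings = new GoogleJsonWebSignature.ValidationSettings
        {
            // Without an Audience the library checks only signature, issuer and expiry,
            // so a token minted for some other Google client would be accepted here.
            Audience = new[] { ExpectedAudience }
        };

        try
        {
            GoogleJsonWebSignature.Payload payload =
                await GoogleJsonWebSignature.ValidateAsync(idToken, settings);

            // Key the local account on 'sub', not on the e-mail address: e-mail can change
            // and is only trustworthy when payload.EmailVerified is true.
            return payload.Subject;
        }
        catch (InvalidJwtException ex)
        {
            // Covers a bad signature, wrong issuer or audience, expiry and malformed tokens.
            Console.Error.WriteLine("ID token rejected: " + ex.Message);
            return null;
        }
    }
}
```

In a Web API controller the result of VerifyAsync decides between issuing your own session and returning 401; logging the rejection reason server-side, but not to the client, keeps failed validations visible in the logs.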


The challenge is validating the JWT certificate in the ID token. There is currently not a library I'm aware of that can do this that doesn't require .Net 4.5 and until there is a solution for JWT validation in .NET 4.0, there will not be an easy solution.

However, if you have an access token, you can look into performing validation using oauth2.tokeninfo. To perform basic validation using token info, you can do something like the following:

using Google.Apis.Oauth2.v2; // Google.Apis.Oauth2.v2 client library

// Use Tokeninfo to validate the user and the client.
var tokeninfo_request = new Oauth2Service().Tokeninfo();
tokeninfo_request.Access_token = _authState.AccessToken;
// Synchronous call to Google's tokeninfo endpoint; throws if the token is rejected.
var tokeninfo = tokeninfo_request.Fetch();
if (userid == tokeninfo.User_id
    && tokeninfo.Issued_to == CLIENT_ID)
{
    // Basic validation succeeded: the token belongs to this user and was issued to our client.
}
else
{
    // The credentials did not match.
}

The information returned from the Google OAuth2 API tells you more information about a particular token such as the client id it was issued to as well as its expiration time.

Note: You should not be passing around the access token but instead should be doing this check after exchanging a one-time code to retrieve an access token.

answered Sep 19 '22 08:09 by class
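Since the asker is limited to .NET 4.0, the tokeninfo check above can also be done with framework classes alone, without the Google client library. The following is an added example and not the answer's code; it assumes that the legacy v1 tokeninfo endpoint at https://www.googleapis.com/oauth2/v1/tokeninfo is what Oauth2Service().Tokeninfo() wraps and that its JSON field names (issued_to, user_id, expires_in, verified_email) are as shown; TokenInfo, TokenInfoValidator and the sample JSON are constructed for illustration.

```csharp
// Added example: tokeninfo introspection using only .NET 4.0 classes
// (WebClient + DataContractJsonSerializer), checking client ID, user and remaining lifetime.
using System;
using System.IO;
using System.Net;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Json;
using System.Text;

[DataContract]
public class TokenInfo
{
    [DataMember(Name = "issued_to")]      public string IssuedTo      { get; set; }
    [DataMember(Name = "audience")]       public string Audience      { get; set; }
    [DataMember(Name = "user_id")]        public string UserId        { get; set; }
    [DataMember(Name = "expires_in")]     public int    ExpiresIn     { get; set; }
    [DataMember(Name = "email")]          public string Email         { get; set; }
    [DataMember(Name = "verified_email")] public bool   VerifiedEmail { get; set; }
}

public static class TokenInfoValidator
{
    // Legacy v1 endpoint (assumed to match what the Oauth2Service wrapper calls).
    private const string TokenInfoUrl = "https://www.googleapis.com/oauth2/v1/tokeninfo";

    // Deserialises a tokeninfo JSON body into the strongly typed record above.
    public static TokenInfo Parse(string json)
    {
        var serializer = new DataContractJsonSerializer(typeof(TokenInfo));
        using (var stream = new MemoryStream(Encoding.UTF8.GetBytes(json)))
        {
            return (TokenInfo)serializer.ReadObject(stream);
        }
    }

    // The check from the answer above, plus a lifetime check: a token with no time left
    // should not be accepted even if Google has not yet started rejecting it.
    public static bool IsValid(TokenInfo info, string expectedClientId, string expectedUserId)
    {
        if (info == null) return false;
        return info.IssuedTo == expectedClientId
            && info.UserId == expectedUserId
            && info.ExpiresIn > 0;
    }

    // Calls tokeninfo for an access token obtained server-side from the one-time code.
    // Returns null when Google rejects the token (HTTP 400) or the request fails.
    public static TokenInfo Fetch(string accessToken)
    {
        using (var client = new WebClient())
        {
            try
            {
                string url = TokenInfoUrl + "?access_token=" + Uri.EscapeDataString(accessToken);
                return Parse(client.DownloadString(url));
            }
            catch (WebException ex)
            {
                Console.Error.WriteLine("tokeninfo request failed: " + ex.Message);
                return null;
            }
        }
    }

    // Offline demonstration on a constructed response (not real Google output).
    public static void Main()
    {
        const string sampleJson =
            "{\"issued_to\":\"123.apps.googleusercontent.com\",\"audience\":\"123.apps.googleusercontent.com\"," +
            "\"user_id\":\"1078\",\"expires_in\":3599,\"email\":\"user@example.com\",\"verified_email\":true}";

        TokenInfo info = Parse(sampleJson);
        Console.WriteLine(IsValid(info, "123.apps.googleusercontent.com", "1078")); // True
        Console.WriteLine(IsValid(info, "other.apps.googleusercontent.com", "1078")); // False
    }
}
```

The IssuedTo comparison is the security-relevant part: a valid Google access token issued to a different application must not log a user into yours, which is the "confused deputy" case the answer's CLIENT_ID check guards against.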