Validate Google OpenID Connect id

Validate Google OpenID Connect id_token

Q

How to validate the id_token value received from Google OpenID Connect authentication response?

✍: FYIcenter.com

A

As you can see from the previous tutorials, you can easily decode the "id_token" value received from Google OpenID Connect authentication response using a simple PHP script.

After decoding, you can get all information about the end user from the body component, and trust it without any validation.

But, since the "id_token" is included in the authentication response delivered over the public Internet, you should not trust it and perform a number validation steps:

1. Data structure validation.

The "id_token" must have 3 components.
Each component must be a Base64URL encoded string.
The decoded "Header" and 'Body" (also called "Payload") components must be JSON strings.

2. Data attributes validation.

The "Header " component must have all required attributes and values. For example, "typ": "JWT", "alg": "...", and "kid": "..." are required.
The "Body" component must have all required attributes and values. For example, "iss" must be "accounts.google.com". "aud": "..." must match the "client_id" value in your authentication request.

3. Timestamp attributes validation. This will prevent someone to repost the authentication response to your server script at a later time.

"iat": "1353601026" specifies the "Issue AT" time. It must be very recent.
"exp": "1353604926" specifies the "EXPiration" time. It must be a future time.

4. "nonce" protection and validation. This will prevent someone to repost the authentication response again immediately.

Generate a new random value for the "nonce" and included in your authentication request and save it into the server cache.
Take the "nonce" value out of the "Body" component of the authentication response and search it in the server cache.
If a match found, the "nonce" is valid and remove it from the server cache.
If no match found, the "nonce" is invalid. Someone is hacking your application, or Google OpenID Connect service is sending a duplicate authentication response.
Remove old "nonce" values from the server cache. Some authentication requests will never result any authentication response, because not all end users are going to complete their Google OpenID Connect sign-on processes.

5. Signature validation. This is to ensure the entire authentication response message has not been modified by someone else. See next tutorial on how to perform "id_token" signature validation.

⇒ Validate Google OpenID Connect id_token Signature

⇐ Decode Google OpenID Connect id_token

⇑ Google OpenID Connect Integration

⇑⇑ OpenID Tutorials

2022-02-04, ∼1798🔥, 0💬

Validate Google OpenID Connect id_token Signature
How to validate the id_token signature received from Google OpenID Connect authentication response? You can try to validate the "id_token" signature with your own code logic in these steps: 1. Take out the "kid" value from "Header" component of the "id_token". This will be used to identify the publi... 2019-02-05, ∼2038🔥, 0💬

Process Google OpenID Connect Access Token Request
How to the Google OpenID Connect access token Request is process by Google OpenID Connect service? When Google OpenID Connect service receives an access token Request from a Web server, it will: Verify if the "client_id" value in the request is valid. If not, display an error message page to the end... 2019-02-05, ∼1911🔥, 0💬

Access Token Response Received from Google OpenID Connect
How to process the access token response received from Google OpenID Connect service? After Google OpenID Connect service receives an access token request from your Web server script, it will process the request and returns the access token response directly. In order for your Web server script to p... 2019-02-05, ∼1890🔥, 0💬

Google OpenID Connect Access Token Request
What is the Google OpenID Connect Access Token Request? If you want to implement the authentication code flow, also called server flow, to integrate your application with Google OpenID Connect, you need to have a good understanding of the Google OpenID Connect access token request, which is the seco... 2019-02-05, ∼1882🔥, 0💬

Google OpenID Authentication Request Test
How to build a Google OpenID Authentication Request Test page? The Authentication Request is the first call to the Google OpenID Connect service. You can build a simple Web form page to test different behavior of the Authentication Request. Here is an example, Google-OpenID-Authentication-R equest-Te... 2022-04-13, ∼1845🔥, 0💬

Initiate Google OpenID Connect Access Token Request
How to initiate Google OpenID Connect Access Token Request? The Google OpenID Connect Access Token Request should be initiated from your application Web server. This is why the authentication code flow is more secure than the implicit flow, because the "id_token" value will be received by Web server... 2019-02-05, ∼1822🔥, 0💬

Authentication Response Received from Google OpenID Connect
How to process the authentication response received from Google OpenID Connect service after sending an authentication request? After Google OpenID Connect service receives an authentication request from the end user's Web browser, it will process the request and redirect the Web browser to the "red... 2021-03-07, ∼1805🔥, 0💬

Validate Google OpenID Connect id_token
How to validate the id_token value received from Google OpenID Connect authentication response? As you can see from the previous tutorials, you can easily decode the "id_token" value received from Google OpenID Connect authentication response using a simple PHP script. After decoding, you can get al... 2022-02-04, ∼1799🔥, 0💬

Build Implicit Flow with Google OpenID Connect
How to implement the OpenID Implicit Flow with Google OpenID Connect service? If you want to implement the OpenID Implicit Flow in your Web application to use Google OpenID Connect service, you should follow these steps: 1. Building the Google OpenID Connect Sign-on authentication request: Register ... 2022-02-04, ∼1634🔥, 0💬

All rights in the contents of this web site are reserved by the individual author. fyicenter.com does not guarantee the truthfulness, accuracy, or reliability of any contents.