Validate Google OpenID Connect id_token Signature


How to validate the id_token signature received from Google OpenID Connect authentication response?



You can try to validate the "id_token" signature with your own code logic in these steps:

1. Take out the "kid" value from "Header" component of the "id_token". This will be used to identify the public key Google OpenID Connect service used to sign the "id_token". The "kid" value is replacing the "x5t" value. So stop using the "x5t" value.

Header =
Header =
{ "alg": "RS256",
  "kid": "08d3245c62f86b6362afcbbffe1d069826dd1dc1",
  "typ": "JWT"

2. Get certificates of all Google public keys from This URL is included in the metadata document in your application registration.

     "-----BEGIN CERTIFICATE-----\nMIIDJjCCAg6gAwIBAgIIM7dsQ7..."

3. Find the certificate of the public key that matches the "kid" value from the id_token.

4. Validate the "Signature" component of the "id_token" with this public key certificate.


Google OpenID Connect Access Token Request

Validate Google OpenID Connect id_token

Google OpenID Connect Integration

⇑⇑ OpenID Tutorials

2019-02-05, 1418🔥, 0💬