Validate Google OpenID Connect id_token Signature

Q

How to validate the id_token signature received from Google OpenID Connect authentication response?

✍: FYIcenter.com

A

You can try to validate the "id_token" signature with your own code logic in these steps:

1. Take out the "kid" value from "Header" component of the "id_token". This will be used to identify the public key Google OpenID Connect service used to sign the "id_token". The "kid" value is replacing the "x5t" value. So stop using the "x5t" value.

Header =
Header =
{ "alg": "RS256",
  "kid": "08d3245c62f86b6362afcbbffe1d069826dd1dc1",
  "typ": "JWT"
}

2. Get certificates of all Google public keys from https://www.googleapis.com/oauth2/v1/certs. This URL is included in the metadata document in your application registration.

{
  "b15a2b8f7a6b3f6bc08bc1c56a88410e146d01fd": 
     "-----BEGIN CERTIFICATE-----\nMIIDJjCCAg6gAwIBAgIIM7dsQ7..."
  "08d3245c62f86b6362afcbbffe1d069826dd1dc1": 
     "-----BEGIN CERTIFICATE-----\nMIIDJjCCAg6gAwIBAgIIGGqu9B..."
}

3. Find the certificate of the public key that matches the "kid" value from the id_token.

4. Validate the "Signature" component of the "id_token" with this public key certificate.

 

Google OpenID Connect Access Token Request

Validate Google OpenID Connect id_token

Google OpenID Connect Integration

⇑⇑ OpenID Tutorials

2019-02-05, 263👍, 0💬