Google OAuth JWT Signature Verification

I am making my own Google OAuth implementation in a PHP project. Everything works fine until I check the JWT received after requesting the token (https://accounts.google.com/o/oauth2/token).

For JWT decoding, I use the firebase/php-jwt class.

It decodes fine, but if I turn on the $verify option (the 3rd argument of the decode() method), I get a "Signature verification failed" exception.

I assume that I am passing the wrong key to decode(); it is used later by the hash_hmac() function when the signature is generated.

So my question is: which key should I pass to verify the signature in the context of Google OAuth JWT?

php validation google-oauth jwt
1 answer

From https://developers.google.com/accounts/docs/OAuth2Login#validatinganidtoken, the recommended approach:

"We recommend that you obtain Google's public keys from https://www.googleapis.com/oauth2/v1/certs and perform a local verification.

Since Google changes its public keys only rarely (about once a day), you can cache them, and in the vast majority of cases performing local verification is much more efficient than using the TokenInfo endpoint. This requires retrieving and parsing the certificates and making the appropriate crypto calls to verify the signature. Fortunately, there are well-established libraries for this, available in a wide variety of languages."

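Putting the answer's advice into code, as an added example that is not part of the question or the answer above: the key to hand to php-jwt is Google's X.509 certificate (from the certs URL) whose id matches the token's `kid` header, cached locally and used for an RS256 check, after which the `iss` and `aud` claims are still checked by hand. It assumes php-jwt 6.x (`Firebase\JWT\Key`), ext-openssl, a cache path of `/tmp/google-oauth2-certs.json`, and a placeholder client id.

```php
<?php
// Added example: verify a Google id_token locally with firebase/php-jwt,
// using Google's published certificates as the verification key.
require 'vendor/autoload.php';

use Firebase\JWT\JWT;
use Firebase\JWT\Key;

const GOOGLE_CERTS_URL = 'https://www.googleapis.com/oauth2/v1/certs';
const CERTS_CACHE_FILE = '/tmp/google-oauth2-certs.json';   // assumed cache location

/** Fetch Google's current signing certificates, cached as the answer suggests. */
function googleCerts(int $maxAgeSeconds = 3600): array
{
    if (is_file(CERTS_CACHE_FILE) && time() - filemtime(CERTS_CACHE_FILE) < $maxAgeSeconds) {
        return json_decode(file_get_contents(CERTS_CACHE_FILE), true);
    }
    $json  = file_get_contents(GOOGLE_CERTS_URL);
    $certs = json_decode($json, true);
    if (!is_array($certs) || $certs === []) {
        throw new RuntimeException('Could not load Google certificates');
    }
    file_put_contents(CERTS_CACHE_FILE, $json);
    return $certs;
}

/** Verify the id_token signature and claims; returns the payload or throws. */
function verifyGoogleIdToken(string $idToken, string $clientId): stdClass
{
    // The certs JSON is {"<kid>": "-----BEGIN CERTIFICATE-----..."}. Wrapping each
    // entry in a Key pins the algorithm to RS256 (never HMAC, so no shared secret
    // is involved); php-jwt selects the entry named by the token's "kid" header.
    $keys = [];
    foreach (googleCerts() as $kid => $pem) {
        $keys[$kid] = new Key($pem, 'RS256');
    }
    $payload = JWT::decode($idToken, $keys);   // throws on bad signature or expiry

    // A valid signature only proves Google signed it; it must also be for this app.
    $issuers = ['accounts.google.com', 'https://accounts.google.com'];
    if (!in_array($payload->iss, $issuers, true)) {
        throw new UnexpectedValueException('Unexpected issuer: ' . $payload->iss);
    }
    if ($payload->aud !== $clientId) {
        throw new UnexpectedValueException('Token was not issued for this client');
    }
    return $payload;
}

// Usage: $idToken is the "id_token" field of the token endpoint's JSON response.
$payload = verifyGoogleIdToken($idToken, 'YOUR_CLIENT_ID.apps.googleusercontent.com');
echo 'Verified Google user id: ', $payload->sub, PHP_EOL;
```

If `JWT::decode` reports that the `kid` is unknown, the cached certificate set is stale and should be refetched before rejecting the token.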
