Question

Building on the work in this question: What is the proper way to validate google granted OAuth tokens in a node.js server?

Can I use the jwcrypto library to validate a Google OAuth2 token in a node.js server? I have the 857 byte token given by Google, which validates using Google's web endpoint at https://www.googleapis.com/oauth2/v1/tokeninfo?id_token=. In theory I can use the token plus Google's certs available here. They look like this:

{
859c1234d08e008cc261ff11de5f8da1b8c4d490: "-----BEGIN CERTIFICATE----- <stuff> -----END CERTIFICATE----- ",
ad2a50cb70c5da789ee26d05b8f621a99e81202e: "-----BEGIN CERTIFICATE----- <stuff> -----END CERTIFICATE----- "
}

So far I've been unable to even load the keys into jwcrypto using the loadPublicKey method. Presumably once I get this working I can call the verify method. Are there any working examples of this online?


Solution

I've just added a new npm module that decodes and validates Google's id_token. You can find the code here: https://github.com/gmelika/google-id-token

Usage is fairly straightforward:

var googleIdToken = require('google-id-token');
var parser = new googleIdToken({ getKeys: getGoogleCerts });
parser.decode(sampleGoogleIDToken, function(err, token) {
    if(err) {
        console.log("error while parsing the google token: " + err);
    } else {
        console.log("parsed id_token is:\n" + JSON.stringify(token));
    }
});

The getGoogleCerts function referenced above is a user-supplied function that would return the appropriate Google certificate based on the supplied key. A very basic example of this is:

var request = require('request');
function getGoogleCerts(kid, callback) {
    request({uri: 'https://www.googleapis.com/oauth2/v1/certs'}, function(err, response, body){
        // Fail on a transport error OR a non-200 response (response is undefined when err is set).
        if(err || response.statusCode !== 200) {
            err = err || "error while retrieving the google certs";
            console.log(err);
            callback(err, {});
        } else {
            // The body maps key ids to PEM certificates; return the one for this kid.
            var keys = JSON.parse(body);
            callback(null, keys[kid]);
        }
    });
}

Obviously you would want to add caching in there. Feel free to use your favorite caching mechanism to do that.

Hope that helps.
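For readers who want to see which checks such a validation involves, here is an added example (not part of the original answer and not the google-id-token module's code) that verifies an RS256 id_token against a kid-to-PEM map using only Node's built-in crypto. It goes beyond signature verification to the iss, aud and exp claims; `verifyIdToken`, `makeSample`, `sample-kid` and `sample-client-id` are names assumed for illustration, and the key pair is constructed so the block runs offline.

```javascript
const crypto = require('crypto');

const fromB64url = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));
const GOOGLE_ISSUERS = ['accounts.google.com', 'https://accounts.google.com'];

// keys: { kid: PEM } as in Google's certs document. crypto.createPublicKey
// accepts a PEM public key or a PEM X.509 certificate.
function verifyIdToken(jwt, keys, expectedAud, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = fromB64url(h);
  // Pin the algorithm; never let the token header pick it.
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  // Own-property lookup so a kid like "__proto__" cannot resolve to something.
  if (!Object.prototype.hasOwnProperty.call(keys, header.kid)) throw new Error('unknown kid');
  const key = crypto.createPublicKey(keys[header.kid]);
  const sig = Buffer.from(s, 'base64url');
  if (!crypto.verify('RSA-SHA256', Buffer.from(h + '.' + p), key, sig)) {
    throw new Error('bad signature');
  }
  // Claims are trusted only after the signature check.
  const claims = fromB64url(p);
  if (!GOOGLE_ISSUERS.includes(claims.iss)) throw new Error('bad iss');
  if (claims.aud !== expectedAud) throw new Error('bad aud');
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) throw new Error('expired');
  return claims;
}

// Constructed test fixture: a throwaway RSA key stands in for Google's signing key.
function makeSample() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const sign = (header, claims) => {
    const input = enc(header) + '.' + enc(claims);
    return input + '.' + crypto.sign('RSA-SHA256', Buffer.from(input), privateKey).toString('base64url');
  };
  return { keys: { 'sample-kid': publicKey.export({ type: 'spki', format: 'pem' }) }, sign };
}

const demo = makeSample();
const token = demo.sign({ alg: 'RS256', kid: 'sample-kid' },
  { iss: 'accounts.google.com', aud: 'sample-client-id', sub: '1', exp: 4102444800 });
console.log(verifyIdToken(token, demo.keys, 'sample-client-id'));
```

In a real server the `keys` argument would be the parsed certs document, and `expectedAud` the application's own OAuth client ID.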

OTHER TIPS

Not likely to work, we haven't tested this use case and our public key formats in jwcrypto are custom right now, waiting for JWK to be fully standardized.

Licensed under: CC-BY-SA with attribution