Google OAuth JWT signature verification

Question

I'm making my own google oauth implementation in PHP project. Everything works fine unless I'm trying to verify JWT received after the access token request (https://accounts.google.com/o/oauth2/token).

For JWT decoding I'm using firebase/php-jwt class.

It decodes perfectly, but if I switch on $verify option (decode() method 3-rd arg) I get : Signature verification failed exception thrown.

My guess is that, if I pass a wrong key to the decode() method. It's used later for hash_hmac() function when signature is generating done.

So my question is: What key exactly should I pass for signature verification to the Google OAuth JWT context?

Answer 1

From https://developers.google.com/accounts/docs/OAuth2Login#validatinganidtoken the recommended approach:

"we recommend that you retrieve Google’s public keys from https://www.googleapis.com/oauth2/v1/certs and perform the validation locally.

Since Google changes its public keys only infrequently (on the order of once per day), you can cache them and, in the vast majority of cases, perform local validation much more efficiently than by using the TokenInfo endpoint. This requires retrieving and parsing certificates, and making the appropriate crypto calls to check the signature. Fortunately, there are well-debugged libraries available in a wide variety of languages to accomplish this."